Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan – TrendLabs Security Intelligence Blog

CERT-LatestNews Malware Security News SocialEngineering ThreatsCybercrime TrendMicroNews

by Rubio Wu and Marshall Chen (Threats Analysts)

While many of today’s malware sport relatively new capabilities, most of their authors or operators still use old techniques to deliver them. Malicious macros and shortcut (LNK) files are still used in ransomware, banking Trojans, and targeted attacks, for instance. These methods may be tried-and-tested, but we’re also seeing distinctive or otherwise overlooked techniques—such as the abuse of legitimate tools like PowerShell, or using malformed subtitle files to remotely take over a device.

Recently, we found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint slideshow. This technique is employed by a Trojan downloader (detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A), which we’ve uncovered in a recent spam email campaign in the EMEA region, especially organizations in the U.K., Poland, Netherlands, and Sweden. Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.

Malicious Mouseover Delivers OTLARD/Gootkit

The Trojan downloader we monitored and analyzed had a variant of OTLARD banking Trojan as payload (TROJ_ OTLARD.TY). OTLARD, also known as Gootkit, emerged as early as 2012 and soon evolved into an information-stealing Trojan with persistence, remote access, network traffic monitoring, and browser manipulation capabilities. In fact, OTLARD/Gootkit was used in a spam campaign in France last 2015, whose spammed messages masqueraded as a letter from the French Ministry of Justice.

OTLARD/Gootkit is known for stealing credentials and bank account information in Europe. Its operators, who use macro malware-laced documents to deliver their payloads, appear to have shifted tactics.

The spam run reflected data from our telemetry, which indicated a sudden spate of OTLARD-carrying spam emails on May 25 that peaked at 1,444 detections. It waned as fast as it rose, with only 782 detections by the 26th, before it died down on May 29. Spam email campaigns are known for short bursts of distribution to keep a low profile from security vendors and law enforcement.

And while the numbers aren’t impressive, it can also be construed as a dry run for future campaigns, given the technique’s seeming novelty. It wouldn’t be far-fetched for other malware like ransomware to follow suit, for instance, considering the notoriety of OTLARD/Gootkit’s operators for spreading other threats in their payloads, as well as ransomware’s history with using malware-laced Office documents.

Another correlation we’ve found is that the cybercriminals seem to be abusing virtual private servers (VPS) and compromised websites, using the latter as their infrastructure for command and control (C&C) communications and sending the spam emails.

Variants of OTLARD are also known to compromise websites via malicious iframe code. It downloads command modules containing the targeted website and its FTP credentials, which are then used to gain access to the website. For instance, in one of the attacks we saw, compromised sites in Poland or Sweden were used to send the spammed messages, after which hacked websites in the Netherlands will be used to drop the payload in the affected system.

In some of the spam emails we saw, the subject lines had a pattern—using a financial or transaction-related word (or phrase), such as “fee”, or “purchase orders”, then followed by a serial number. The pattern we saw is “[fee] #__NUM__”, indicating that the operator, or the service provider that sends the spam email on behalf of the operator, are tracking the spam messages they send.

Figure 1: Sample spam emails; note the serial numbers in the first two spam emails

Infection Chain

The malware starts as a spam email disguised as an invoice or purchase order, with a malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) file attached. PPS/PPSX files are unlike PowerPoint presentation files (PPT or PPTX) in that the latter can be edited; a PPS or PPSX file can be considered the final product, as it opens directly in presentation/slideshow mode.

Once the would-be victim downloads and opens the file, user interaction is needed—hovering over the text or picture embedded with a malicious link (which triggers a mouseover action), and choosing to enable the content to run when prompted by a security notice pop-up. Microsoft disables the content of suspicious files by default—via Protected View for later versions of Office—to mitigate the execution of malicious routines that abuse features in Microsoft Office, such as macros and Object Linking and Embedding (OLE). Hence, a key ingredient in the infection chain is social engineering—luring the victim into opening the file and enabling the malware-laced content to run on the system.

Once the content is enabled, an embedded malicious PowerShell script is executed that downloads another downloader (JS_NEMUCOD.ELDSAUGH) in the form of a JScript Encoded File (JSE), which finally retrieves the payload from a command-and-control (C&C) server.

Figure 2: Sample malicious PPSX file with a security notice/prompt

The trick will not work in Microsoft PowerPoint Online or Office 365’s “web mode”, as these don’t provide the actions functionality that is present in offline/desktop versions. An Office 365 end user, however, can still be affected if he accesses his account and opens the malicious file through a client (PowerPoint locally installed in the machine).

Why Mouseover?

The malicious mouseover technique doesn’t have to rely on additional or initial vectors to deliver its payload, making the attack chain more streamlined for cybercriminals. In one of the payloads we extracted and analyzed, the payload is embedded in the file’s ppt/slides/_rels/slide1.xml.rels structure:

Figure 3: Payload embedded in the PPS/PPSX file

Microsoft Office documents like PowerPoint files are a staple in many malware attacks, especially exposing enterprises to threats given how these files normally change hands in the workplace. While features like macros, OLEs, and mouse hovers do have their good and legitimate uses, this technique is potent in the wrong hands. A socially engineered email and mouse hover—and possibly a click if the latter is disabled—are all it would take to infect the victim.

Best Practices

Users are recommended to use Protected View, which Microsoft enables by default, especially to documents downloaded from possibly unsafe locations. Protected View provides a way for users to read the content of an unknown or suspicious file while significantly reducing chances of infection. For IT/system administrators and information security professionals, these threats can be mitigated by disabling these features on the machines through registry edits, or by implementing group policies that block user permissions from running them in the first place.

This entails enforcing the principle of least privilege—limiting root or administrator access to the machines. Another countermeasure is to adopt best practices for using and securing tools and services like PowerShell, which this Trojan downloader uses to retrieve and introduce additional malware into the system.

If functionalities such as macros and mouse hovers are deemed necessary for the business process, enable them only in the application/software that uses them, or allow only signed/approved macros. However, these will not stop malware attacks that abuse features like macros and mouse hovers; a certificate that signs a macro, for instance, can be compromised. A multilayered approach is key. For example, a sandbox that can quarantine and analyze suspicious attachments can be considered. Data categorization and network segmentation help limit exposure and damage to data.

Considering that email is these malware’s doorway to the system, protecting the email gateway and mitigating email-based threats are also recommended. Given that social engineering is vital in these attacks, fostering a culture of cybersecurity among employees helps mitigate a weakness for which there is no silver bullet—the human psyche.

Trend Micro Solutions

Addressing these kinds of threats need a multilayered and proactive approach to security—from the gatewayendpointsnetworks, and servers. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.

Trend MicroHosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.

Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.

Trend Micro™ Deep Discovery™ Inspector  protects customers from this threat via this DDI Rule:

  • DDI Rule 18 : DNS response of a queried malware Command and Control domain

Trend Micro products using the Advanced Threat Scan Engine protect customers via this heuristic rule:

  • HEUR_PPSX.SL: Suspicious command embedded in PowerPoint

Indicators of Compromise:

Related hashes (SHA256):

  • 796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921 — TROJ_POWHOV.A
  • 55821b2be825629d6674884d93006440d131f77bed216d36ea20e4930a280302 — JS_NEMUCOD.ELDSAUGH
  • 55c69d2b82addd7a0cd3bebe910cd42b7343bd3faa7593356bcdca13dd73a0ef — TROJ_OTLARD.TY

Detected as P2KM_POWHOV.A (SHA256):

  • 556d9cefd63d305cb03f0a37535b3951cdb6d9d191400e40dc1a85bc2f67f720
  • ad48d4d432a76f92a52eb0869cbba754f9ea73df280a30c28eac88712bfbd479

Related C&C domains:

  • hxxp://cccn[.]nl/c[.]php
  • hxxp://cccn[.]nl/2[.]2
  • hxxp://basisinkomen[.]nl/a[.]php

IP Addresses and URLs related to the compromised websites used as C&C server and for sending spam emails:

  • hxxp://netart[.]pl
  • hxxp://chnet[.]se
  • 77[.]55[.]8[.]61
  • 85[.]128[.]212[.]154
  • 91[.]211[.]2[.]112