Most computer users know to avoid clicking on suspicious links on the internet. However, most computer users see no issue with just hovering over these links. Unfortunately, a new Trojan takes advantage of that fact to infect your PC.
The malware was identified by Trend Micro as part of their investigation into a spam email campaign. Attackers would send out thousands of spam emails with innocent subjects like “Purchase Order” or “Invoice”. The victim would open the email, download the attached file, and possibly infect their PC.
The attack works in a simple way: it takes advantage of a PowerPoint action that triggers when you hover over a link. That link can be embedded in an image or in the text of a PowerPoint presentation. The victim downloads the PowerPoint file, the file opens automatically into presentation mode, and the computer is infected as soon as the victim hovers over the malicious link.
The malware is identified as TROJ_POWHOV.A and P2KM_POWHOV.A. The emails target companies involved in specific industries in Europe, the Middle East, and Africa. Targeted industries include manufacturing, education, logistics, and pyrotechnics.
The Malware Will Steal your Banking Credentials
The scariest part about this Trojan is that it can do serious damage to your life. The malware can steal your banking credentials. After your computer is infected, the Trojan downloads a type of spyware known as OTLARD or Gootkit. That spyware is specifically designed to monitor your banking credentials.
In other words, you can be typing information into your online bank’s secure website, but hackers could be monitoring every key you press.
The email spam campaign appeared to have peaked in May, when Trend Micro identified thousands of spam emails being sent out. The campaign has died down in recent weeks. However, spam email campaigns typically occur in bursts – so the attack is far from over.
Would You Fall For It?
Here’s an example of one type of spam email sent out:
As you can see, it’s an innocent-looking invoice that appears to come from a reputable source. The attached file is a malicious PowerPoint file saved as a .ppsx. All .ppsx files open directly into presentation mode (which is different from an ordinary PowerPoint file, .ppt). You open the PowerPoint into presentation mode. Then, if you hover over any text or image on the PowerPoint, the malware will execute its malicious code.
How to Avoid the Mouse Over Malware
Obviously, this is a frightening new type of malware. The best way to avoid it is by making sure you’re opening Microsoft Office documents in Protected Mode (which should occur by default).
The other thing you can do is install good anti-malware for protection. Anti-malware will identify this Trojan’s activities and block it before it can steal your banking data.