A malicious downloader waits for users to hover over modified text or an image file as a means of delivering a banking trojan.
Like most attack campaigns, this operation begins when a user receives a spam email. Bad actors appear to be abusing compromised websites, which they’re using as their command and control (C&C) servers, along with virtual private servers (VPS) to deliver the spam messages. These emails each come with a finance-themed subject line and a serial number, which indicates that those conducting the campaign are tracking their messages.
The attack missives masquerade as invoices. But they’re frauds, as are their Microsoft PowerPoint Open XML Slide Show (PPSX) and PowerPoint Show (PPS) file attachments. Trend Micro threat analysts Rubio Wu and Marshall Chen elaborate on this point:
“Once the would-be victim downloads and opens the file, user interaction is needed—hovering over the text or picture embedded with a malicious link (which triggers a mouseover action), and choosing to enable the content to run when prompted by a security notice pop-up. Microsoft disables the content of suspicious files by default—via Protected View for later versions of Office—to mitigate the execution of malicious routines that abuse features in Microsoft Office, such as macros and Object Linking and Embedding (OLE). Hence, a key ingredient in the infection chain is social engineering—luring the victim into opening the file and enabling the malware-laced content to run on the system.”
Payload embedded in the PPS/PPSX file. (Source: Trend Micro)
Once enabled, the content executes an embedded malicious PowerShell script that downloads the Nemucod as a JScript Encoded File. This second-stage downloader, which has spread everything from ad-clicking backdoors to ransomware, contacts the C&C and retrieves the final payload: OTLARD (aka Gootkit), a type of banking trojan known for stealing credentials and banking information in Europe. In this campaign, the number of attack emails carrying OTLARD peaked at 1,444 on 25 May before dying down four days later.
To protect themselves against malspam campaigns such as the innovative operation described above, users should mostly employ Protected View when viewing Microsoft documents they download from their emails. By extension, they should think twice before enabling content. They should also avoid clicking on suspicious email attachments and URL messages.