Report

Weekly Threat Report 16th June 2017

Created:  16 Jun 2017
Updated:  16 Jun 2017
NCSC building with logo
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries through to enquiries@ncsc.gov.uk.
This report is drawn from recent open source reporting.

Mouseover malware masquerading in Powerpoint files

According to media reports, a new method of delivering malware has surfaced. 'Zusy' malware, according to IT company ExtremeTech, is a banking trojan whose intention is to steal credentials. The reports suggest that simply hovering your mouse over a link will lead to infection without requiring you to click on anything. However, several stages are required to successfully infect a user.

What is interesting about this malware is that the initial infection vector does not rely on Macros or JavaScript to execute its malicious code. Instead, the malware developer has focused on abusing certain features in Microsoft PowerPoint to download and deploy the banking trojan.

This malware is initially delivered to users through phishing as an email attachment. Firstly the user needs to click on and open an attachment which displays a PowerPoint slide in slide show mode. A segment of text or a picture on the PowerPoint slide will have a clickable hyperlink. The most common message seen at this time is 'Loading...Please wait'. The 'mouseover' malware will only initiate if the user directs their cursor over the text or picture. A command is then executed which attempts to run an external program such as a PowerShell script. At this point Microsoft's security feature, Protected View, which is enabled by default, will display a warning notice allowing the user to disable the program. If the program is not disabled, it will create a backdoor giving the attacker full access to the victim machine. Users running PowerPoint versions older than 2010 are particularly vulnerable to this type of attack because when they hover over the link the preview window will open automatically without giving them the option to disable the malicious program.

Historically malware infections occur when the victim clicks on a suspicious link and general guidance has always advised users to hover over links to check file formats for suspicious executables. Users should continue to remain aware and be vigilant when receiving email attachments.

Although this development is not as alarming as it may first appear, the NCSC assesses that we may see a more sophisticated version of this attack vector in the future. The NCSC recommends that users follow NCSC malware guidance which includes regularly updating antivirus software to reduce the risk of being infected.

Enterprises that implement Application whitelisting approaches as described in the NCSC Windows EUD Security Guidance will also mitigate current variants of this threat by preventing the malicious scripts and programs downloaded by the malware from running.

 

Industrial Control Systems malware (Industroyer/CrashOverride)

The NCSC is aware of open source reporting providing details of malware dubbed as 'Industroyer' or 'CrashOverride', which is reported to be connected with the December 2016 power outages in Ukraine.

Previous media reporting suggests that during this incident, cyber attackers compromised parts of the Ukrainian electricity transmission network, resulting in the loss of electricity supply to customers for approximately one hour.

The NCSC have published on CiSP details of mitigation strategies to secure networks against these attacks. US-CERT have also published analysis and indicators of compromise.

Was this report helpful?

We need your feedback to improve this content.

Yes No