Microsoft Office Banking Trojan Infects System with Mouse-over Action

PowerPoint Banking Trojan Malware

A new malware has been discovered in a spam campaign which installs a malicious downloader without the need for the user to click on anything. The malware is distributed in a PowerPoint file and only requires the user to hover the cursor over a hyperlink to run the malicious code. It will then proceed to installs a banking Trojan capable of stealing personal and financial information. What is distinctive of this particular malware is the fact that it diverts from the usual techniques hackers use to bypass security measures.

According to an analyst at Trend Micro, the Trojan downloader uses a variant of OTLARD banking Trojan, also known as Gootkit. The Trojan has capabilities for remote access, network monitoring, and browser manipulation. What is distinctive about this malware is its use of PowerShell to deliver the payload. PowerShell is a task and configuration management framework that consist of command-line shell and scripting languages associated with Microsoft’s .NET. The malware uses the framework to run a Trojan downloader once a hover event is registered in a link on the PowerPoint.

PowerPoint Trojan Downloader Link. Source:

PowerPoint Trojan Downloader Link. Source:

An analyst at Dodge This Security thoroughly analyses the malware’s delivery process. Once a user hovers over the link presented in the previous picture, the PowerShell command is executed and downloads a file named “c.php” and saved in the temp folder as “ii.jse”. ii.jse gets executed in wscript.exe and returns a file with the name “” and then decoded to a “484.exe”. This file is then saved and renamed in the directory: AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe.

Trojan downloader malicious code. Highlighted area shows PowerShell call and C2C address.

Trojan downloader malicious code. Highlighted area shows PowerShell call and C2C address. Source:

The best way to deal with this so far malware is to have the latest version of Microsoft Office installed since it automatically blocks the malicious script when using protected view. Also, educating users on the signs of phishing scams and files when opening their emails will help avoid the malware altogether. Always make sure to check who you are receiving your emails from before downloading any attachments. Users within a company should also be notified of the particular nature of this Trojan downloader given that once the file is downloaded, it does not require the individual to click on anything.

Leave a Reply

Your email address will not be published. Required fields are marked *