A recently detected attack technique requires only that users hover their cursor over a malicious link to become infected with malware. The attacks have been launched by sending targets an email with an attached PowerPoint document.
Editor’s Note
[Russell Eubanks]
Interesting development that challenges the advice we have provided for many years – “mouse over the link before clicking”. This is a good catalyst for us to verify advice we have always given to ensure it is still valid.
[Lee Neely]
The exploit relies on PowerPoint being configured to execute external content, and the execution of the PowerShell script. PowerPoint by default displays a user-bypassable warning, attempting to block harmful content. The PowerShell script is crafted to bypass ExecutionPolicy and profile restrictions. The number one mitigation is the user not enabling the external content, or better still, using caution with unrecognized attachments. Next, look for the indicated IOCs or block access to the identified sites. Other mitigations include GPO settings for PowerShell execution policy of Restricted or AllSigned, as well as GPOs for Office security settings for non-click-to-run deployments.
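One way to hunt for the behaviour described in the note above, as an added example that is not part of the original newsletter or the cited analysis: it triages process-creation events, flagging PowerShell started by PowerPoint and reporting command-line options that skip profile loading or set an execution policy other than Restricted or AllSigned. The event field names, sample events, severity labels and the parameter-prefix handling are assumptions made for this example.

```python
import re

# Field names and sample events are constructed for this example.
OFFICE_PARENTS = {"powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ALLOWED_POLICIES = {"restricted", "allsigned"}  # the policies named above

def basename(path):
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def is_param(token, full_name, min_prefix, aliases=()):
    """True if token is full_name, a long-enough prefix of it, or an alias."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in aliases or (len(name) >= min_prefix and full_name.startswith(name))

def bypass_flags(command_line):
    """Return the restriction-overriding options present on a command line."""
    tokens = command_line.split()
    found = set()
    for i, tok in enumerate(tokens):
        if is_param(tok, "noprofile", 3):
            found.add("NoProfile")
        elif is_param(tok, "executionpolicy", 2, aliases=("ep",)):
            value = tokens[i + 1].strip("'\"").lower() if i + 1 < len(tokens) else ""
            if value and value not in ALLOWED_POLICIES:
                found.add("ExecutionPolicy=" + value)
    return found

def triage(event):
    """Return 'high', 'medium', 'low' or None for one process-creation event."""
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return None
    flags = bypass_flags(event["command_line"])
    if basename(event["parent_image"]) in OFFICE_PARENTS:
        return "high" if flags else "medium"
    return "low" if flags else None

SAMPLE_EVENTS = [  # constructed, with a harmless command
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -Exec Bypass -Command Write-Output test"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoLogo -ExecutionPolicy AllSigned -File a.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev["command_line"])
```

A command-line override of the execution policy does not take precedence over a policy set through GPO, so hits on hosts where the GPO is applied indicate an attempt rather than a successful bypass.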
Read more in:
– https://www.scmagazine.com: Mouse hovering malware delivery scheme spotted, called potentially very dangerous
– https://www.dodgethissecurity.com: New PowerPoint Mouseover Based Downloader – Analysis Results
Malware Infects Computers When Users Place Cursor Over Link