Novel infection method doesn't require link to be clicked.

Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.

The method—which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit—is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. Those methods are so widely used that many people are able to recognize them before falling victim.

Instead, the delivery technique made use of the Windows PowerShell tool, which was invoked when targets hovered over a booby-trapped hyperlink embedded in the attached PowerPoint document. Targets using newer versions of Microsoft Office would by default first receive a warning, but those dialogues can be muted when users are tricked into turning off Protected View, a mode that doesn't work when documents are being printed or edited. Targets using older versions of Office that don't offer Protected View are even more vulnerable.

"While features like macros, [object linking and embedding], and mouse hovers do have their good and legitimate uses, this technique is potent in the wrong hands," researchers from antivirus provider Trend Micro wrote in a blog post published Friday morning. "A socially engineered e-mail and mouse hover—and possibly a click if the latter is disabled—are all it would take to infect the victim."

As demonstrated by the image above—which was included in a blog post from Dodge This Security—the PowerPoint file shows only a hyperlink with the words "Loading...Please wait." Hovering over the link with the mouse will then trigger the warning on newer versions of Office. One can imagine impatient users who haven't been fully trained clicking the "Enable" button in hopes of getting the document to load.

Trend and other security companies observed the delivery method used in a relatively small spam run sent in late May. The messages carried subject lines that included the words "Purchase Order," "Invoice," and "Confirmation" and attached PowerPoint files with various titles. Trend researchers said the campaign peaked on May 25 with 1,444 detections.

Spam campaigns with malicious attachments often blast out tens of millions of messages in a matter of hours. It's not clear what the average success rate is the mouse-over technique. A rate of even 0.5 percent could represent a major threat to organizations and individuals all over the world, particularly those using older versions of Office.