Tech Talk: New Malware that downloads if you hover!

(Kaiser Ulrich) #1

Wouldn’t it be scary if ransomware could be downloaded just by hovering over a link?

Currently there have been some report(s) regarding a new form of Malware that can be installed by hovering your cursor over infected text. This specific trick is being done on a variant of a trojan called OTLARD (also known as Gootkit).

The one saving grace here is we’re not talking about any old link on the internet. The infected links are specifically links embedded in Microsoft PowerPoint presentations. On older versions of PowerPoint, hovering over a link would load a preview. These versions of the software could be instructed to run a PowerShell script, which is how the malware reaches out to a server to install the trojan onto the device in question.

This comes with more good and bad news. The good news is that in newer versions of Office (starting with Office 2010), a new feature called Office Protected View can be enabled that prevents scripts from running. The bad news is that it leaves anyone using an older version of PowerPoint (or a new one with Protected View disabled) vulnerable.

While this is a threat that affects PowerPoint links, it means there are versions/files of it that rely on email to be downloaded/opened. So what can you do? Keep training!

As a precaution, continue to discourage and train against downloading files and attachments from unknown sources. This malware currently only works on PowerPoint and you can continue to hover over regular links online as a precaution.

(Judah Gates) #2

It’s just affecting ppt files so far, nothing else?

(Kaiser Ulrich) #3

So far the reports have only been for PPT files. The only reason it seems to be able to do this is because of the way that hovering is presented in Office (since it quickly downloads the preview). The download is what triggers the malware to install.

Just like viewing a malicious email doesn’t put you at risk, hovering on a normal link isn’t a threat itself. It’s when something is clicked, scanned, downloaded, or files are actually opened that it becomes a problem. But in the meantime, it’s definitely something to keep in mind to hear if any other changes are made to this new form of malware.