Zusy Malware Spreads Via Legitimate PowerPoint Feature


As per the researchers' report, users must be cautious with a new round of spam campaigns. Recently, a team of malware researchers discovered a new campaign that abuses a legitimate PowerPoint feature to trick users into executing malicious code on their PCs and installing the Zusy malware.


Know About Zusy Malware

Discovered in 2012, Zusy is one of the most infamous banking Trojans. It mainly targets financial sites, sniffs network traffic and performs man-in-the-browser attacks that inject additional forms into legitimate banking pages; these forms ask the victim to share confidential data, including credit or debit card numbers, authentication tokens, usernames, passwords, contact details, addresses and more.

New Campaign of Zusy Banking Malware

To spread Zusy, its developers have often relied on macro-based attacks and social engineering, typically through MS Office files such as Word documents attached to spam emails. Recently, however, a new social engineering tactic has been spotted in the wild that does not require users to enable macros. Researchers revealed that Zusy is executed on the PC via a PowerShell command embedded within a PowerPoint (PPT) file.

The malicious PowerShell code is hidden inside the document and triggers when the victim hovers the mouse over a link; this automatically downloads the additional payload onto the machine without a single click. Zusy uses many deceptive tricks, but the latest variant of this banking malware spreads as a PowerPoint file attached to spam emails with subjects such as 'Confirmation' and 'Purchase Order #130527'. When opened, the file shows a window with the text 'Loading…Please Wait' presented as a hyperlink. This campaign does not require users to enable macros for the code to run.


No Need To Hover Mouse Over Hyperlink

When the user hovers the mouse over the link, the PowerShell code is triggered automatically. However, the Protected View security feature, which is enabled by default, displays warnings and prompts asking whether to enable or disable the content. If for any reason the user ignores the warning and allows the content, the malicious program connects to a third-party site named cccn.nl, from where Zusy downloads and executes a malicious file. This is why users must be cautious with PowerPoint files and their features.
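For defenders, the useful question is how to spot this hover-action trick before a user ever opens the file. The script below is an added example and is not code from the article or from the researchers it cites. It assumes the standard Office Open XML layout, in which a .pptx is a zip archive, each slide lives in ppt/slides/slideN.xml, a shape's hover action is stored as an `a:hlinkMouseOver` element (click actions as `a:hlinkClick`) whose `action="ppaction://program"` attribute means "run a program", and the program string is resolved through the slide's `_rels` file. The sample presentation and the benign-looking `powershell -NoProfile -Command Write-Output demo` target are constructed for the demonstration; no real malware is embedded.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PowerPoint slide parts and their relationship files.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Interpreter/launcher names that should never be the target of a slide hyperlink.
SUSPICIOUS_TARGET = re.compile(r"(powershell|cmd\.exe|mshta|wscript|cscript|rundll32)", re.I)


def _slide_rels(zf, slide_name):
    """Map rId -> (target, target mode) for one slide part, e.g. ppt/slides/slide1.xml."""
    folder, _, base = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    rels = {}
    if rels_name not in zf.namelist():
        return rels
    root = ET.fromstring(zf.read(rels_name))
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_pptx(data):
    """Return a list of hover/click actions that launch a program or point at an interpreter."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for kind in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A_NS}}}{kind}"):
                    action = el.get("action", "")
                    rid = el.get(f"{{{R_NS}}}id", "")
                    target, _mode = rels.get(rid, ("", ""))
                    # ppaction://program = "run this program"; also catch interpreters named outright.
                    if action.startswith("ppaction://program") or SUSPICIOUS_TARGET.search(target):
                        findings.append({"slide": name, "trigger": kind,
                                         "action": action, "target": target})
    return findings


def build_sample_pptx(target, action="ppaction://program"):
    """Build a minimal constructed .pptx in memory with one shape carrying a hover action."""
    action_attr = f' action="{action}"' if action else ""
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:a="{A_NS}" xmlns:r="{R_NS}"
       xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld><p:spTree>
    <p:sp>
      <p:nvSpPr><p:cNvPr id="2" name="Link">
        <a:hlinkMouseOver r:id="rId2"{action_attr}/>
      </p:cNvPr><p:cNvSpPr/><p:nvPr/></p:nvSpPr>
      <p:spPr/>
      <p:txBody><a:p><a:r><a:t>Loading...Please Wait</a:t></a:r></a:p></p:txBody>
    </p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="{target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan a real file given on the command line.
        with open(sys.argv[1], "rb") as fh:
            hits = scan_pptx(fh.read())
    else:
        # Demo on the constructed sample: a hover action that launches PowerShell.
        hits = scan_pptx(build_sample_pptx("powershell -NoProfile -Command Write-Output demo"))
    for hit in hits:
        print(f"{hit['slide']}: {hit['trigger']} {hit['action']} -> {hit['target']}")
```

Run it with a path to a .pptx to scan a real attachment, or without arguments to see the constructed sample flagged. A plain web hyperlink (no `action` attribute, an `https://` target) produces no finding, so the check can sit in a mail gateway or sandbox pipeline without flooding analysts with ordinary slide links; note that it inspects the zip-based .pptx/.ppsx format only, not the legacy binary .ppt container.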
