In the past, clicking on malicious links or opening spam emails was the main way malware was distributed. Today, a new delivery method has been discovered: hackers and spammers are infecting computers when the mouse merely hovers over an element in a PowerPoint presentation.

Trend Micro, a company offering IT security solutions, discovered this latest form of attack. The company confirms that attackers are delivering malware to computers without the victim clicking on links or downloading malicious files from emails. These attacks have recently targeted organizations in Poland, the United Kingdom, the Netherlands and Sweden.

Jump directly to:

1. How the OTLARD/Gootkit variant compromises your machine
2. Precautions to take against mouse hover attacks

According to Trend Micro, the Trojan typically activates when the mouse hovers over an image or text link in a document delivered through a spam email. The Trojan's goal is to steal personal information such as banking details and browsing history, and to gain remote access to the infected machine.

The PowerPoint slide show is attached to the spam email, which usually has a finance-related subject line such as “RE: Online purchase Order Report #OPOR1234”. As soon as the mouse hovers over the link, the embedded action prompts Microsoft PowerShell to run the malware. The Trojan then downloads a second downloader (JS_NEMUCOD.ELDSAUGH) in the form of a JSE (JavaScript Encoded) file, and that JSE file finally retrieves the last payload from a command-and-control server.
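The chain described above leaves a distinctive trace on the endpoint: a PowerPoint process becomes the ancestor of a PowerShell process, which in turn launches a script host to run the downloaded JSE file. The following Python script is an added example, not code from the original article or from Trend Micro; it parses constructed process-creation events (a simplified key=value form, not real Sysmon or EDR telemetry) and alerts whenever a script host has an Office application somewhere up its parent chain.

```python
import re
from typing import Dict, List, Optional

# Office applications that should not be spawning script interpreters on their own.
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Script hosts that the PowerShell -> JSE downloader chain relies on.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# File types of the second-stage downloader; their presence on the command line raises severity.
STAGE2_EXTENSIONS = (".jse", ".js", ".vbs", ".wsf")

# Constructed sample events (hypothetical hosts, users and paths; not real telemetry).
# Event 5 carries the benign admin case: PowerShell launched from cmd.exe, with no Office ancestor.
SAMPLE_EVENTS = [
    r'ts=2017-06-08T09:12:01 pid=1204 ppid=812 image=C:\Windows\explorer.exe cmd="explorer.exe"',
    r'ts=2017-06-08T09:12:40 pid=2210 ppid=1204 image=C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE cmd="POWERPNT.EXE /s C:\Users\jane\Downloads\order.ppsx"',
    r'ts=2017-06-08T09:12:41 pid=2244 ppid=2210 image=C:\Windows\System32\splwow64.exe cmd="splwow64.exe 12288"',
    r'ts=2017-06-08T09:13:02 pid=2301 ppid=2210 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe <script-argument-omitted>"',
    r'ts=2017-06-08T09:13:05 pid=2330 ppid=2301 image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Users\jane\AppData\Local\Temp\update.jse"',
    r'ts=2017-06-08T09:14:59 pid=2390 ppid=812 image=C:\Windows\System32\cmd.exe cmd="cmd.exe"',
    r'ts=2017-06-08T09:15:00 pid=2400 ppid=2390 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Scripts\backup.ps1"',
]

# The image path may contain spaces, so the fields are matched positionally rather than split on whitespace.
EVENT_RE = re.compile(r'^ts=(\S+) pid=(\d+) ppid=(\d+) image=(.+?) cmd="(.*)"$')


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict; raise on malformed input rather than skip it silently."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, pid, ppid, image, cmd = m.groups()
    return {"ts": ts, "pid": int(pid), "ppid": int(ppid), "image": image, "cmd": cmd}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so POWERPNT.EXE and powerpnt.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(lines: List[str]) -> Dict[int, dict]:
    """Index events by pid so the parent chain can be walked regardless of log order."""
    return {ev["pid"]: ev for ev in (parse_event(line) for line in lines)}


def office_ancestor(pid: int, by_pid: Dict[int, dict], max_depth: int = 8) -> Optional[str]:
    """Walk up the ppid chain; return the first Office image name found, or None."""
    ev = by_pid.get(pid)
    depth = 0
    while ev is not None and depth < max_depth:
        parent = by_pid.get(ev["ppid"])
        if parent is None:          # chain leaves the captured window; nothing more to learn
            return None
        if basename(parent["image"]) in OFFICE_APPS:
            return basename(parent["image"])
        ev = parent
        depth += 1
    return None


def detect(lines: List[str]) -> List[dict]:
    """Alert on every script host whose ancestry includes an Office application."""
    by_pid = build_tree(lines)
    alerts = []
    for ev in by_pid.values():
        child = basename(ev["image"])
        if child not in SCRIPT_HOSTS:
            continue
        ancestor = office_ancestor(ev["pid"], by_pid)
        if ancestor is None:
            continue
        # A script-file argument means the second-stage downloader is already on disk.
        stage2 = any(ext in ev["cmd"].lower() for ext in STAGE2_EXTENSIONS)
        alerts.append({
            "ts": ev["ts"],
            "pid": ev["pid"],
            "child": child,
            "office_ancestor": ancestor,
            "severity": "high" if stage2 else "medium",
        })
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rule produces two alerts: a medium one for PowerShell spawned directly by POWERPNT.EXE, and a high one for the wscript.exe process running the .jse file two levels below it. The PowerShell launched from cmd.exe is not flagged because no Office process appears in its parent chain.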

Microsoft PowerPoint can detect the suspicious file before the script is executed, depending on which version of Microsoft Office the target is using. The latest versions of Microsoft Office block the malicious action by default; in particular, Office 365's PowerPoint and its web mode are not affected by this form of attack.

If PowerPoint does not stop the Trojan, it carries on with its mission. In older versions of Microsoft Office that do not have Protected View turned on, the Trojan installs without any notice to the user, which gives the installed malware the added advantage of staying one step ahead of being traced.

How the OTLARD/Gootkit variant compromises your machine

The Trojan downloader carries a variant of OTLARD, also known as Gootkit, which has the capability to steal banking information. It emerged in early 2012 and soon became a persistent tool for stealing confidential information, manipulating browsers and monitoring network traffic. It has also been used to spread spam to targeted users; a good example is the 2015 campaign in which Gootkit spread spam appearing to be a letter from the French Ministry of Justice.

OTLARD also has variants that compromise websites through a malicious iframe. Such a variant downloads command modules for the target websites, including the FTP credentials used to gain access to them. For instance, websites in Sweden and Poland were compromised by OTLARD and then used to send malicious documents to citizens. In the Netherlands, hacked websites were used by the operators to drop the payload onto affected computers once the mouse hovered over the PowerPoint document.

OTLARD operators initially delivered their payloads using macro-laced documents targeting a limited number of countries. With continued innovation it has evolved from web injection to redirection, deceiving users with potentially greater success, and it has since extracted credentials and banking information from large organizations in Europe.

The greatest danger of this macro-based mouse hover attack is that it is effectively invisible to the user. It then makes matters worse by carrying out many malicious activities in the background, such as compromising the computer and collecting confidential information (national identity number, banking information, identity particulars, etc.). OTLARD mostly targets Windows operating systems, including Windows 7, 8 and 10.

The OTLARD variant has become the latest channel for cybercriminals because it does not require any additional component to execute the payload. Microsoft Office documents are a convenient vector because they are used to communicate information across the whole enterprise. Thus OTLARD can use its variants to steal information at any time.

Precautions to take against mouse hover attacks

Prevention is better than cure. We can protect ourselves against this malware being installed on our computers, and it would be wise to turn on Protected View in your Office applications. This is done by ensuring that all Protected View options are checked in the Trust Center: click File, then Options, then Trust Center, then Trust Center Settings. Protected View lets the user read the content of an unknown or suspicious file, reducing the chance of your machine getting infected.

Limiting user privileges can help slow down mouse hover attacks. Information security professionals and IT administrators can prevent these attacks by editing the registry and implementing group policies that restrict user permissions, enforcing the principle of least privilege. As a result, the number of privileged users on the computers is significantly reduced.

Since spam email is the doorway for this malware, mitigating email-based threats and keeping the email gateway secure is recommended. Social engineering is at the root of these attacks, so building a security-conscious culture among employees can help shut the operators out. The weakest link in computer access is the user, which is why users should be the first to take action against any form of attack. If the user does not take precautions, someone will easily trick them into opening a malicious email attachment and, believe me, they will own your system. Therefore, make it a habit to scan emails at the gateway to keep the attackers' tricks out.
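Scanning at the gateway means deciding, from the raw message alone, what to block, what to hold for review and what to deliver. The Python script below is an added example, not code from the original article or from any gateway product; it builds a constructed message with Python's standard email library, parses it back the way a gateway would receive it, and applies a simple three-tier policy: script-type attachments (such as the JSE downloader described earlier) are always blocked, PowerPoint attachments are quarantined when they arrive from an external sender or under a finance-themed subject line, and everything else is delivered. The internal domain, the keyword list and the sample messages are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed internal mail domain; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Script hosts' file types: never a legitimate attachment for end users, so always block.
BLOCK_EXT = {".jse", ".js", ".vbs", ".wsf", ".hta"}
# PowerPoint show and presentation formats: hold for sandbox review when the context is suspicious.
REVIEW_EXT = {".pps", ".ppsx", ".ppsm", ".ppt", ".pptx", ".pptm"}
# Finance-themed words of the kind seen in the campaign's subject lines (assumed list).
FINANCE_WORDS = ("invoice", "purchase order", "order report", "payment", "remittance")


def build_sample(subject: str, sender: str, filename: str, payload: bytes = b"\x00" * 32) -> bytes:
    """Construct a test message with one opaque attachment and return its wire bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "jane@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lower-cased; empty if the header is missing or malformed."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def classify(raw: bytes) -> dict:
    """Return a verdict ('block', 'quarantine' or 'deliver') with the reasons that produced it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    finance_themed = any(word in subject for word in FINANCE_WORDS)

    reasons = []
    verdict = "deliver"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # suffix() takes the last extension, so "Report.pdf.jse" is judged by ".jse".
        ext = PurePosixPath(name).suffix.lower()
        if ext in BLOCK_EXT:
            reasons.append(f"script attachment {name!r}")
            verdict = "block"
        elif ext in REVIEW_EXT and verdict != "block":
            if external:
                reasons.append(f"PowerPoint attachment {name!r} from external sender")
                verdict = "quarantine"
            if finance_themed:
                reasons.append(f"PowerPoint attachment {name!r} with finance-themed subject")
                verdict = "quarantine"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    samples = [
        build_sample("RE: Online purchase Order Report #OPOR1234", "billing@supplier-example.net", "order.ppsx"),
        build_sample("Q3 roadmap", "pm@example.com", "roadmap.pptx"),
        build_sample("Scan", "noreply@example.net", "Report.pdf.jse"),
    ]
    for raw in samples:
        print(classify(raw))
```

The first sample (external sender, finance-themed subject, .ppsx attachment) is quarantined with two reasons, the internal roadmap deck is delivered, and the double-extension .jse attachment is blocked outright regardless of sender or subject.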

It is bad enough that hackers can trick us into clicking links and running programs that infect our machines. It becomes worse when malware gets installed while we do nothing at all. This leaves us no option but to ensure that all security features of our hardware and software are up to date and turned on.

Conclusions

According to Trend Micro's research on the mouse hover technique, it is evident that cybercriminals are testing new techniques. This discovery has grave implications. Features such as mouse hover actions and macros were designed for legitimate use, but hackers are taking advantage of them, causing more cybercrime. A simple socially engineered email, a mouse hover and probably a click are all that is needed to infect a victim.

As this article has shown, much attention has been paid to OTLARD's new delivery model, which may fall under the user's radar. Although OTLARD is a well-known malware family, organizations have yet to employ the precautionary measures indicated above to defeat this recent technique. The mouse hover technique sounds unique and original, but it amounts to nothing once the user takes the necessary actions at the doorway. Since mouse hover attacks largely depend on social engineering, organizations should play a significant role in educating their employees on how to watch out for spam emails.

Spam campaigns containing malicious files often send out millions of messages within a few hours. The average success rate of the mouse hover technique has not yet been established, but a rate as low as 0.5 percent could translate into a massive threat to entire organizations and to individuals across the globe, especially those running earlier versions of Office.

Indeed, this remains the newest method of delivering malware: via mouse hovering.