A dangerous Trojan is distributed through PowerPoint and PowerShell.

in #virus, 8 years ago


Researchers from the antivirus company SentinelOne found a curious technique for spreading the Zusy malware using a PowerPoint presentation. Unlike the standard code execution through macros, the malicious program uses a PowerShell script to execute its code. The PowerPoint presentation carrying the malware is distributed through spam mailings with subject lines such as "Purchase Order # 130527" or "Confirmation". After opening the file, instead of the usual macro typical of such campaigns, the screen displays "Loading ... Please wait".
The PowerShell script is launched when the mouse pointer hovers over that text. The built-in security mechanisms of Microsoft Office do not allow the script to start automatically; in most cases the user will be prompted to allow the external application to start.
The malware contacts its C&C server using the domain name cccn.nl (IP: 46.21.169.110).
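The hover trick described above is stored in the slide's OOXML as a DrawingML `hlinkMouseOver` (or `hlinkClick`) element whose `action` is `ppaction://program`, with the actual command kept as an external hyperlink relationship in the slide's `.rels` part. As an added example (not code from the original post or from SentinelOne), the Python scanner below walks a `.pptx`/`.ppsx` package and reports every such action together with its target; it builds a constructed, harmless one-slide package so it runs offline, and the `PLACEHOLDER_COMMAND` target is a placeholder, not the real payload.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Namespaces and the hyperlink relationship type as defined by the OOXML / DrawingML specs.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = R_NS + "/hyperlink"


def find_program_actions(pptx_bytes):
    """Return (slide part, trigger element, external target) for each hover/click action
    that launches a program through a 'ppaction://program' hyperlink."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            # The command itself lives in the slide's relationship part, keyed by r:id.
            rels_name = "ppt/slides/_rels/%s.rels" % name.rsplit("/", 1)[1]
            targets = {}
            if rels_name in z.namelist():
                for rel in ET.fromstring(z.read(rels_name)):
                    if rel.get("Type") == HYPERLINK_REL:
                        targets[rel.get("Id")] = rel.get("Target", "")
            root = ET.fromstring(z.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (A_NS, tag)):
                    if el.get("action", "").startswith("ppaction://program"):
                        rid = el.get("{%s}id" % R_NS)
                        hits.append((name, tag, targets.get(rid, "<no target>")))
    return hits


def build_sample_pptx():
    """Constructed, harmless package: 'Loading... Please wait' text with a mouse-over action."""
    slide = ('<p:sld xmlns:p="%s" xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree>'
             '<p:sp><p:txBody><a:p><a:r><a:rPr><a:hlinkMouseOver r:id="rId2" '
             'action="ppaction://program"/></a:rPr><a:t>Loading... Please wait'
             '</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
             % (P_NS, A_NS, R_NS))
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" Type="%s" '
            'Target="powershell PLACEHOLDER_COMMAND" TargetMode="External"/>'
            '</Relationships>' % (PKG_NS, HYPERLINK_REL))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Running `find_program_actions` on a real attachment is a cheap mail-gateway or sandbox triage check: a slide whose hover action targets an external command line is worth quarantining regardless of what the user is later prompted to allow.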