Mouse hovering malware delivery scheme spotted, called potentially very dangerous

Cybercriminals have started using a new technique to infect computers that requires only that a victim place their cursor over a malicious hyperlink for the malware to be delivered.

The new technique was noticed by several cybersecurity researchers – with dodgethissecurity doing an extensive analysis. The information security blog reported that an attack begins with the target receiving an email containing an attached PowerPoint document.

“This PowerPoint document was interesting to analyze,” the researcher said. “First of all, this document was interesting as it did not rely on macros, JavaScript or VBA for the execution method, which means this document does not conform to the normal exploitation methods.”

When the presentation is opened, the target sees a “Loading….Please Wait” message, rendered in blue like a typical hyperlink. When the victim follows the natural inclination to hover the cursor over the “hyperlink” to check where it leads, the document executes a PowerShell command.

“When that PowerShell is executed it reaches out to the domain ‘cccn.nl’ for a c.php file and downloads it to disk as a file named ‘ii.jse’ in the temp folder,” Dodgethissecurity wrote. But, the report added, even after waiting eight hours no cybercriminal connected to the system.

Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told SC Media on Thursday that the mouse-over technique is “novel and interesting.” The fact that this attack vector does not rely on a macro could make it less suspicious-looking to users and system administrators. Luckily, he said, it does not automatically run malicious code but instead requires the user to accept a prompt before the infection proceeds.

“Like most distribution tactics, the proof of their efficiency is in how widespread their adoption is. For now, we are still seeing malicious spam that contains macros or various scripts. However, we know threat actors keep a tab on infection statistics and can easily adjust their campaigns to pick the one with the best ROI,” Segura said.

Limor Kessem, IBM's executive security adviser, noted to SC Media that, because this type of attack is hard to spot, everyone has to fall back on their email security practices.

“Indeed, this is a new technique and is quite malicious because the user is not taking much action, other than opening the file. This makes it harder to warn users about this method, but at the very least, all email users should be wary when opening files from unsolicited email. If the matter is not clear, it's best to call the sender and verify that the file was indeed sent by them. If the email comes from an unknown source, don't even open email, nor the files it contains,” she said.