Around the 10th of June, multiple European countries were the target of banking malware. The attack was delivered through a mouse hover action in a PowerPoint slide deck. Trend Micro reported this on their blog, and security researcher Ruben Daniel Dodge also blogged about it on Dodge This Security.

The mouse hover action only works when protected mode is off. But when it is on, a careless user can still enable the macros for the hover action. When macros are enabled, a PowerShell process is spawned to do the rest of the harm.

As all of this happens within a user’s workspace, RES ONE Workspace can protect the careless user. To make this work, you need to enable Managed Application Security. With this feature, managed applications that are available to the user based on their context (and therefore shown in the user’s start menu) are whitelisted automatically. Other applications can be whitelisted based on executable location, name and/or file hash. Every whitelisted application can be allowed to start from within all processes or only from a specific process. In this case, no powershell.exe is allowed in the environment.

 

PowerPoint is configured to run an Execute Command when started. This Execute Command runs a PowerShell script, showing that from within RES ONE Workspace the execution of PowerShell is still allowed at user logon, at a context change or when an application is started. PowerPoint is also configured for Process Interception, which intercepts the program when it is not launched through a managed shortcut in the start menu and executes the application start actions. So we are sure that these actions also run when you just double-click a PowerPoint file and PowerPoint is started through File Type Associations (FTA).

Now when we use the sample PowerPoint deck we can see RES ONE Workspace intercepting the application at the bottom right of the screen. It then executes the PowerShell script that we put in there on application start.

After this, the sample malware is loaded. As we hover over the link, you can see that the user gets a macro warning. Careless as this user is, they accept the macros, enabling the hover action. The pointer goes back to the text and powershell.exe is immediately blocked by RES ONE Workspace.

So as an admin it is still possible to run PowerShell scripts when a user logs on to the system, starts an application, etc. For the user it is not possible to run PowerShell directly or from within another application. If you need PowerShell to run from within an application, you can allow powershell.exe for that process only. If you want to give users themselves access to PowerShell, you can configure PowerShell so that only RES ONE Workspace may start it and set Process Interception for PowerShell to Ignore. That way the user has to use the managed shortcut in their start menu to run PowerShell. All other ways to start it (for example through the hover action in PowerPoint) will be blocked.
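The parent-scoped whitelisting described above can be modelled in a few lines. This is an added illustration, not RES ONE Workspace code or configuration: the agent name `workspace-agent.exe`, the rule format and the process-creation events are constructed, and matching is by file name only (the product can also match on location and file hash).

```python
from dataclasses import dataclass
from ntpath import basename  # parses Windows paths on any platform

ANY_PARENT = "*"  # rule applies regardless of which process starts the image


@dataclass(frozen=True)
class Rule:
    image: str                 # executable file name that may start
    parent: str = ANY_PARENT   # process it may be started from


def _name(path):
    return basename(path).lower()


def is_allowed(rules, parent_path, image_path):
    """Default deny: a start is allowed only if a rule matches image and parent."""
    image, parent = _name(image_path), _name(parent_path)
    return any(r.image.lower() == image and r.parent.lower() in (ANY_PARENT, parent)
               for r in rules)


def audit(rules, events):
    """Return (parent, image, verdict) for each (parent, image) creation event."""
    return [(_name(p), _name(i), "allow" if is_allowed(rules, p, i) else "block")
            for p, i in events]


# Constructed policy: PowerPoint may start from anywhere, PowerShell only
# from the workspace agent (hypothetical name).
RULES = [Rule("powerpnt.exe"), Rule("powershell.exe", parent="workspace-agent.exe")]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PPT = r"C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE"
# Constructed process-creation events: (parent image, child image)
EVENTS = [
    (r"C:\Windows\explorer.exe", PPT),                 # user opens a deck
    (r"C:\Program Files\Example\workspace-agent.exe", PS),  # admin start action
    (PPT, PS),                                         # hover action spawns PowerShell
    (r"C:\Windows\explorer.exe", PS),                  # user starts PowerShell directly
]

if __name__ == "__main__":
    for parent, image, verdict in audit(RULES, EVENTS):
        print(f"{verdict:5}  {parent} -> {image}")
```

Only the second PowerShell start is allowed; the one spawned by PowerPoint and the one started directly by the user are both blocked because no rule covers that parent.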

Watch the full video to see RES ONE Workspace in action, defending against Office macro malware.