
Fancy Bear hackers exploit PowerPoint files to spread Graphite malware

The ongoing attack reportedly targets entities in the defense and government sectors of the European Union and Eastern European nations


Fancy Bear, a hacking group affiliated with Russia's military intelligence service GRU, has struck again with a novel code execution technique, warns threat intelligence firm Cluster25.

The attack uses a mouse-over action inside a Microsoft PowerPoint presentation to execute a malicious PowerShell script via the SyncAppvPublishingServer utility, a legitimate Windows component.


The mouse-over technique is being leveraged to spread Graphite malware. Targets are lured with PowerPoint (.PPT) files that appear to be affiliated with the Organization for Economic Co-operation and Development (OECD).

Inside the PPT file are two slides, featuring instructions in English and French for using the Interpretation option in the Zoom video-conferencing app.

“When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account,” explained Cluster25.

“The JPEG is an encrypted DLL file (lmapi2.dll) that is decrypted and dropped in the 'C:\ProgramData\' directory, later executed via rundll32.exe. A registry key for persistence is also created for the DLL.”

Following deobfuscation, the resulting payload, the Graphite malware, uses the Microsoft Graph API and OneDrive to communicate with its command and control (C2) server. To access the service, the threat actor uses a fixed client ID and a valid OAuth2 token.
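The execution chain described above (PowerPoint launching SyncAppvPublishingServer, which launches PowerShell, which runs rundll32.exe on a DLL dropped under C:\ProgramData\) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Cluster25: a small Python detector that applies three rules to Sysmon-style process-creation events. The event format (a pipe-separated Image, ParentImage, CommandLine record) and every sample event are constructed here; the only values taken from the article are the lmapi2.dll file name and the C:\ProgramData\ drop path, and the `<constructed-args>` and `<export>` placeholders stand in for arguments the article does not reproduce.

```python
"""
Added example (not from the IT Pro article or Cluster25's report).

Scans constructed Sysmon-style process-creation events for the chain the
article describes:

  POWERPNT.EXE -> SyncAppvPublishingServer -> powershell.exe
  -> rundll32.exe loading a DLL from C:\\ProgramData\\

Record format (constructed for this example): Image | ParentImage | CommandLine
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Image | ParentImage | CommandLine' record (constructed format)."""
    image, parent, cmdline = (f.strip() for f in line.split("|", 2))
    return ProcEvent(image, parent, cmdline)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate). The rules key on parent/child relationships
# and the drop location, not on any particular payload string.
RULES = [
    ("office_spawns_appv_publishing_server",
     lambda e: basename(e.parent_image) == "powerpnt.exe"
        and (basename(e.image) == "syncappvpublishingserver.exe"
             or (basename(e.image) in ("wscript.exe", "cscript.exe")
                 and "syncappvpublishingserver" in e.command_line.lower()))),
    ("powershell_from_appv_publishing_server",
     lambda e: basename(e.parent_image) == "syncappvpublishingserver.exe"
        and basename(e.image) in ("powershell.exe", "pwsh.exe")),
    ("rundll32_loads_dll_from_programdata",
     lambda e: basename(e.image) == "rundll32.exe"
        and re.search(r"\\programdata\\[^\s,]+\.dll", e.command_line, re.I) is not None),
]


def detect(lines):
    """Return a list of (rule_name, image_basename, command_line) hits, in input order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, basename(ev.image), ev.command_line))
    return hits


# Constructed sample telemetry: the first four records mimic the article's chain,
# the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = """
C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE | C:\\Windows\\explorer.exe | "POWERPNT.EXE" C:\\Users\\u\\Downloads\\lure.ppt
C:\\Windows\\System32\\SyncAppvPublishingServer.exe | C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE | SyncAppvPublishingServer.exe <constructed-args>
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | C:\\Windows\\System32\\SyncAppvPublishingServer.exe | powershell.exe -NoProfile <constructed-args>
C:\\Windows\\System32\\rundll32.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | rundll32.exe C:\\ProgramData\\lmapi2.dll,<export>
C:\\Windows\\System32\\rundll32.exe | C:\\Windows\\System32\\svchost.exe | rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
C:\\Windows\\System32\\SyncAppvPublishingServer.exe | C:\\Windows\\System32\\svchost.exe | SyncAppvPublishingServer.exe
""".strip().splitlines()


if __name__ == "__main__":
    for rule, image, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {cmd}")
```

Each rule on its own would be noisy in a large fleet (SyncAppvPublishingServer.exe is a legitimate App-V component and rundll32.exe is everywhere), which is why the rules key on the parent process and the drop directory rather than the binary name alone; the two benign records at the end of the sample produce no hits.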

“Graphite malware's purpose is to allow the attacker to load other malware into system memory. It has been documented back in January by researchers at Trellix, a merger of McAfee Enterprise and FireEye, who named it so specifically because it leverages the Microsoft Graph API to use OneDrive as C2,” reports Bleeping Computer.
