Fancy Bear hackers exploit PowerPoint files to spread Graphite malware
The ongoing attack reportedly targets entities in the defense and government sectors of the European Union and Eastern European nations
Fancy Bear, a hacking group affiliated with Russia's military intelligence service GRU, has struck again with a novel code execution technique, warns threat intelligence firm Cluster25.
The attack uses a mouse-over action in a Microsoft PowerPoint presentation to execute a malicious PowerShell script via the SyncAppvPublishingServer utility, a signed Windows script host that can be abused to launch PowerShell without invoking powershell.exe directly from the document.
The mouse-over technique is being leveraged to spread Graphite malware. Targets are lured with PowerPoint (.PPT) files that appear to be affiliated with the Organization for Economic Co-operation and Development (OECD).
Inside the PPT file are two slides with instructions, in English and French, for using the Interpretation feature of the Zoom video-conferencing app.
“When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account,” explained Cluster25.
“The JPEG is an encrypted DLL file (lmapi2.dll), that is decrypted and dropped in the 'C:\ProgramData\' directory, later executed via rundll32.exe. A registry key for persistence is also created for the DLL.”
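The hover trigger described above is stored in the deck itself: DrawingML keeps hyperlinks on text runs and shapes as hlinkClick, hlinkMouseOver and hlinkHover elements, and an action of ppaction://program tells PowerPoint to run the relationship target as a command. The scanner below, an added example that is not Cluster25's or the article's code, walks the slide XML inside an OOXML .pptx and flags any such action or any target naming a script host or LOLBin. The sample deck is constructed in memory for the demo, and its SyncAppvPublishingServer.vbs command line is an assumed placeholder, not the actor's actual payload; a legacy binary .PPT would need a different parser.

```python
"""Flag PowerPoint slide actions that launch programs on click or mouse-over."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
RID = "{%s}id" % NS["r"]
HYPERLINK_TAGS = ("hlinkClick", "hlinkMouseOver", "hlinkHover")
# Script hosts and LOLBins that have no business being a slide's hyperlink target.
SUSPICIOUS = re.compile(
    r"syncappvpublishingserver|powershell|pwsh|mshta|wscript|cscript|cmd\.exe|rundll32|regsvr32",
    re.IGNORECASE,
)


def _load_rels(zf, slide_name):
    """Map rId -> (target, is_external) from the slide's .rels part."""
    base, _, fname = slide_name.rpartition("/")
    rels_name = "%s/_rels/%s.rels" % (base, fname)
    out = {}
    if rels_name not in zf.namelist():
        return out
    root = ET.fromstring(zf.read(rels_name))
    for rel in root.findall("rel:Relationship", NS):
        out[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode") == "External")
    return out


def scan_pptx(data):
    """Return findings as (slide part, trigger element, action, target)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = [n for n in zf.namelist() if re.match(r"ppt/slides/slide\d+\.xml$", n)]
        for slide in slides:
            rels = _load_rels(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for tag in HYPERLINK_TAGS:
                for h in root.iter("{%s}%s" % (NS["a"], tag)):
                    action = h.get("action", "")
                    target, _external = rels.get(h.get(RID), ("", False))
                    if action.startswith("ppaction://program") or SUSPICIOUS.search(target):
                        findings.append((slide, tag, action, target))
    return findings


def build_sample_deck(target, action="ppaction://program"):
    """Constructed minimal .pptx: one slide, one text run with a mouse-over hyperlink.

    Only the parts the scanner reads are written; PowerPoint itself would need
    more package parts to open it. Pass action=None for a plain URL hyperlink.
    """
    action_attr = ' action="%s"' % action if action else ""
    slide_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        'xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:rPr><a:hlinkMouseOver r:id="rId2"%s/></a:rPr><a:t>Interpretation</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
        % (NS["a"], NS["r"], action_attr)
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/hyperlink" Target="%s" TargetMode="External"/></Relationships>'
        % (NS["rel"], escape(target, {'"': "&quot;"}))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Assumed placeholder command line, shaped like the documented LOLBin pattern; not the real lure.
SAMPLE_COMMAND = 'SyncAppvPublishingServer.vbs "n;Start-Process powershell -WindowStyle Hidden"'

if __name__ == "__main__":
    for finding in scan_pptx(build_sample_deck(SAMPLE_COMMAND)):
        print("SUSPICIOUS: slide=%s trigger=%s action=%s target=%s" % finding)
    print("benign deck findings:", scan_pptx(build_sample_deck("https://www.oecd.org/", action=None)))
```

Run it against a real deck with `scan_pptx(open(path, "rb").read())`; a hit on hlinkMouseOver or hlinkHover with ppaction://program is the exact primitive the lure relies on, since no click is needed once the slideshow is in presentation mode.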
Following deobfuscation, the resulting payload, the Graphite malware, uses the Microsoft Graph API and OneDrive to communicate with its command and control (C2) infrastructure. To access the service, the threat actor uses a fixed client ID and a valid OAuth2 token, so the C2 traffic blends in with legitimate HTTPS requests to Microsoft cloud endpoints.
“Graphite malware's purpose is to allow the attacker to load other malware into system memory. It was documented back in January by researchers at Trellix, a merger of McAfee Enterprise and FireEye, who named it so specifically because it leverages the Microsoft Graph API to use OneDrive as C2,” reports Bleeping Computer.