Researchers discover new cyberespionage campaign that exploits dangerous vulnerability in PowerPoint to deliver Graphite malware to targeted endpoints.
What makes this campaign particularly dangerous is that victims do not have to click a link or download the malware themselves: merely hovering the mouse cursor over a link is enough to trigger the attack.
Cluster25 cybersecurity researchers recently spotted APT28, also known as Fancy Bear, disseminating a PowerPoint presentation (.PPT) pretending to be from the Organization for Economic Co-operation and Development (OECD).
Two slides in the .PPT contain a hyperlink. According to the researchers, when a victim hovers over the hyperlink, a PowerShell script is executed through the SyncAppvPublishingServer utility. The script downloads a JPEG file named DSC0002.jpeg from a Microsoft OneDrive account. The JPEG is actually an encrypted .DLL file named Imapi2.dll. This DLL then downloads and decrypts a second .JPEG file, which is the Graphite malware itself in the form of a portable executable (PE) file.
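The chain above gives a defender two concrete signals: an Office process (PowerPoint) spawning SyncAppvPublishingServer or a PowerShell host, and a file carrying a .jpeg extension whose bytes are not a JPEG image. The following is an added example illustrating both checks; it is not code from the article or from Cluster25. The process events and file contents are constructed for illustration (field names follow the Sysmon ProcessCreate convention, and the file names reuse those reported in the article), and the detection is deliberately generalized to Word and Excel as parents, which the article does not mention.

```python
"""Detection helpers for the PowerPoint hover-to-execute chain.

Added example, not the article's or Cluster25's code. All events and file
samples below are constructed; they are not real telemetry or real payloads.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Office hosts that should not normally spawn script interpreters. The article
# names PowerPoint only; Word and Excel are included as a usual generalization.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}

# Children worth alerting on: the utility named in the article, the PowerShell
# hosts it is used to reach, and the script hosts that run its .vbs form.
SUSPICIOUS_CHILDREN = {
    "syncappvpublishingserver.exe",
    "powershell.exe",
    "pwsh.exe",
    "wscript.exe",
    "cscript.exe",
}

JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG file starts with an SOI marker
PE_MAGIC = b"MZ"               # DOS header of a portable executable


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify_process_event(event: dict) -> Optional[str]:
    """Return a reason string if a ProcessCreate event matches the chain, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()

    if parent not in OFFICE_PARENTS:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return f"{parent} spawned {child}"
    # Catch the .vbs variant even if the script host is renamed or unlisted.
    if "syncappvpublishingserver" in cmdline:
        return f"{parent} spawned a process referencing SyncAppvPublishingServer"
    return None


def scan_events(events: list) -> list:
    """Run the process rule over a batch of events and collect alerts."""
    alerts = []
    for event in events:
        reason = classify_process_event(event)
        if reason:
            alerts.append({"reason": reason, "command_line": event.get("CommandLine", "")})
    return alerts


def classify_download(filename: str, data: bytes) -> str:
    """Compare a downloaded file's claimed type (extension) with its real header.

    An encrypted stage will not show an MZ header, so the useful signal is simply
    'claims to be a JPEG but does not start like one'.
    """
    ext = PureWindowsPath(filename).suffix.lower()
    if ext not in {".jpg", ".jpeg"}:
        return "not-checked"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe-with-jpeg-extension"
    return "jpeg-extension-but-not-jpeg"


# Constructed sample events (not real telemetry). Arguments are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "<constructed argument>"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<constructed argument>"'},
    {"ParentImage": r"C:\Windows\explorer.exe",           # benign parent: no alert
     "Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": "SyncAppvPublishingServer.exe"},
]

# Constructed sample file contents (not real payloads).
SAMPLE_FILES = {
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
    "DSC0002.jpeg": bytes(range(16)),                    # opaque bytes: not an image
    "Imapi2.dll": b"MZ\x90\x00" + b"\x00" * 12,          # .dll extension: not checked
}

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("ALERT:", alert["reason"])
    for name, data in SAMPLE_FILES.items():
        print(name, "->", classify_download(name, data))
```

The process rule keys on the parent/child relationship rather than on command-line strings, which an operator can vary freely; the file check is cheap enough to run on every image-typed download from an Office-launched process.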
According to Malpedia, Graphite was first discovered by Trellix researchers, who described it as malware that uses the Microsoft Graph API and OneDrive for command and control (C2). It was initially deployed in memory, with the goal of downloading the Empire post-exploitation agent.
APT28 is a well-known threat actor reportedly on Russia’s payroll. Security experts believe that the group is part of the Main Intelligence Directorate of the Russian General Staff, the GRU.
The researchers believe the group has been distributing Graphite using this technique since early September, adding that its most likely targets are organizations in the defense and government sectors in EU countries and Eastern Europe.
Since the invasion of Ukraine, cyber warfare between Russia and the West has intensified. In mid-April this year, Microsoft announced the removal of seven domains that Russian cybercriminals used in cyber attacks against Ukrainian targets, mainly government institutions and the media.
By: Hissing computer