Hackers use new code execution techniques to deliver Graphite malware

September 27, 2022

According to a report by the threat intelligence company Cluster25, APT28 (aka Fancy Bear), a threat group linked to the Russian GRU, is using a new technique to deliver the Graphite malware.

The technique uses mouse movement over a hyperlink in a Microsoft PowerPoint presentation to trigger a malicious PowerShell script, so the attackers need no malicious macros to download and execute their payloads.

The lure is a PowerPoint (.PPT) file purporting to come from the Organization for Economic Co-operation and Development (OECD). It contains two slides with instructions in English and French, plus a hyperlink whose mouse-over action launches a malicious PowerShell script through SyncAppvPublishingServer, a signed Microsoft utility that can be made to run PowerShell code passed on its command line (a known living-off-the-land binary).

As soon as the victim moves the mouse over the hyperlink while viewing the lure document, the PowerShell script runs and downloads a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.
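As an added example (not Cluster25's or the article's code), the following Python script inspects a PowerPoint OOXML deck for the trigger described above: a hyperlink whose mouse-over action is "Run program". In the .pptx/.ppsx format that action is stored in the slide XML as an `<a:hlinkMouseOver>` element with `action="ppaction://program"`, and the program it runs is the relationship target referenced by its `r:id`. The article describes the lure as a .PPT, so this check is an assumption about the OOXML variants rather than a parser for the legacy binary format; the sample deck, the command it points at and the list of suspicious strings are constructed here.

```python
"""Scan a PowerPoint OOXML deck for mouse-over actions that run a program.
Added example, not Cluster25's or the article's code; the sample deck built
by build_sample_deck() is constructed for illustration, not the real lure."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Substrings of a run-program target that name a script host or shell;
# a legitimate deck almost never needs these (list is an assumption).
SUSPICIOUS = ("syncappvpublishingserver", "powershell", "cmd.exe", "wscript",
              "cscript", "mshta", "rundll32", "regsvr32", "certutil")


def find_mouseover_programs(pptx_bytes):
    """Return one record per <a:hlinkMouseOver action="ppaction://program">,
    resolving its r:id through the slide's .rels part to the command it runs."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names
                            if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            rels_name = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)):
                    rels[rel.get("Id")] = (rel.get("Target"), rel.get("TargetMode"))
            root = ET.fromstring(z.read(slide))
            for el in root.iter("{%s}hlinkMouseOver" % A_NS):
                action = (el.get("action") or "").lower()
                if not action.startswith("ppaction://program"):
                    continue  # jump/sound/macro actions are not what we hunt here
                rid = el.get("{%s}id" % R_NS)
                target, mode = rels.get(rid, (None, None))
                hits.append({"slide": slide, "rId": rid, "target": target, "mode": mode})
    return hits


def is_suspicious(hit):
    """External run-program targets that name a script host or shell."""
    target = (hit["target"] or "").lower()
    return hit["mode"] == "External" and any(s in target for s in SUSPICIOUS)


def build_sample_deck(program=""):
    """Construct a minimal one-slide deck (constructed sample, not the real lure).
    With `program` set, the shape's mouse-over action runs it; otherwise the
    shape carries an ordinary click hyperlink, which the scanner must ignore."""
    if program:
        link = '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
        target = program
    else:
        link = '<a:hlinkClick r:id="rId2"/>'
        target = "https://example.org/"
    slide_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<p:sld xmlns:p="%s" xmlns:a="%s" xmlns:r="%s">'
        '<p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Link">%s'
        '</p:cNvPr><p:cNvSpPr/><p:nvPr/></p:nvSpPr></p:sp>'
        '</p:spTree></p:cSld></p:sld>' % (P_NS, A_NS, R_NS, link))
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s"><Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="%s" TargetMode="External"/></Relationships>'
        % (PR_NS, escape(target, {'"': "&quot;"})))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder command line; the real lure's arguments are not on the page.
    deck = build_sample_deck(r"C:\Windows\System32\SyncAppvPublishingServer.vbs n;Start-Sleep 1")
    for hit in find_mouseover_programs(deck):
        print("SUSPICIOUS" if is_suspicious(hit) else "info", hit)
```

To run it on a real file, replace the constructed deck with `open(path, "rb").read()`. The scanner deliberately reports every run-program mouse-over, not just the ones matching the suspicious list, because the action itself is rare enough in business decks to be worth a look.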

The JPEG is actually an encrypted DLL (lmapi2.dll). It is decrypted and dropped into the C:\ProgramData\ directory, then executed via rundll32.exe, and a registry key is created to give the DLL persistence.
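Added detection example for the execution chain above (not Cluster25's or the article's code): three rules over constructed process-creation events in Sysmon Event ID 1 field names, plus a correlation that reports hosts where a SyncAppvPublishingServer trigger and the rundll32 stage both fired. Host names, command lines and the DLL export name are constructed placeholders; the page names the tools and the drop path but not the exact arguments.

```python
"""Detection rules for the PowerPoint -> SyncAppvPublishingServer -> PowerShell
-> rundll32 chain, run over constructed Sysmon-style events.
Added example, not Cluster25's or the article's code."""
import ntpath

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed events (Sysmon Event ID 1 field names). Command lines are
# placeholders: the page names the tools in the chain and the drop path
# C:\ProgramData\lmapi2.dll, not the exact arguments or the DLL export.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;<payload omitted>"',
     "ParentCommandLine": r'"POWERPNT.EXE" C:\Users\u\Downloads\lure.ppt'},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden -NoProfile -Command <payload omitted>",
     "ParentCommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;<payload omitted>"'},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\lmapi2.dll,Start",
     "ParentCommandLine": "powershell.exe -ExecutionPolicy ByPass <payload omitted>"},
    # Benign rundll32 on another host: must not fire.
    {"Computer": "ws02", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def _base(path):
    """Lower-cased file name of a Windows path (Image/ParentImage fields)."""
    return ntpath.basename(path or "").lower()


def rule_office_to_syncappv(ev):
    """An Office application launching a script host on SyncAppvPublishingServer.vbs."""
    return (_base(ev["ParentImage"]) in OFFICE_APPS
            and _base(ev["Image"]) in SCRIPT_HOSTS
            and "syncappvpublishingserver.vbs" in ev["CommandLine"].lower())


def rule_syncappv_to_powershell(ev):
    """PowerShell whose parent is the script host running SyncAppvPublishingServer.vbs."""
    return (_base(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and _base(ev["ParentImage"]) in SCRIPT_HOSTS
            and "syncappvpublishingserver.vbs" in ev["ParentCommandLine"].lower())


def rule_rundll32_programdata(ev):
    """rundll32 loading a DLL from C:\\ProgramData, where lmapi2.dll was dropped."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["Image"]) == "rundll32.exe"
            and "\\programdata\\" in cl and ".dll" in cl)


RULES = {
    "office_spawns_syncappv": rule_office_to_syncappv,
    "syncappv_spawns_powershell": rule_syncappv_to_powershell,
    "rundll32_programdata_dll": rule_rundll32_programdata,
}


def detect(events):
    """Map each host to the set of rule names that fired on it."""
    fired = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                fired.setdefault(ev["Computer"], set()).add(name)
    return fired


def chained_hosts(events):
    """Hosts where a SyncAppv trigger rule and the rundll32 rule both fired,
    i.e. the whole chain was observed rather than a single noisy stage."""
    triggers = {"office_spawns_syncappv", "syncappv_spawns_powershell"}
    return sorted(host for host, names in detect(events).items()
                  if names & triggers and "rundll32_programdata_dll" in names)


if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("full chain on:", chained_hosts(SAMPLE_EVENTS))
```

The first two rules are low-noise on their own (an Office process should never need SyncAppvPublishingServer), while the rundll32 rule will fire on some legitimate installers, which is why the correlation in `chained_hosts` is the one worth paging on.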

“If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm. The malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread,” Cluster25 said.

The sources for this piece include an article in BleepingComputer.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
