PowerPoint files are being hacked to spread this new Russian malware
>
Researchers have discovered a new cyber-espionage campaign that uses a dangerous PowerPoint vulnerability to deliver the Graphite malware to target endpoints (opens in new tab).
What makes this campaign particularly dangerous is the fact that the victims don’t actually have to click on a link or download the malware themselves – a mouse pointer is all it takes to trigger the attack.
Cybersecurity researchers Cluster25 recently saw that APT28, also known as Fancy Bear, distributed a PowerPoint presentation (.PPT) pretending to be from the Organization for Economic Co-operation and Development (OECD).
In the .PPT there are two slides, with a hyperlink in them. When the victim moves their mouse over the hyperlink, a PowerShell script is triggered, using the SyncAppvPublishingServer utility, it was explained. The script downloads a JPEG file named DSC0002.jpeg from a Microsoft OneDrive account. The JPEG is actually an encrypted .DLL file called Imapi2.dll. This file later extracts and decrypts a second .JPEG – the Graphite malware in portable executable (PE) form.
According to Malpedia, Graphite was first discovered by researchers at Trellix, who described it as malware that uses Microsoft Graph API and OneDrive as C2. Initially, it was implemented in memory and its purpose was to download Empire’s post-exploit agent.
APT28 is a known threat actor, reportedly on Russia’s payroll. Security experts believe the group is part of the Russian General Staff’s Main Intelligence Directorate, or GRU.
The group has been distributing Graphite using this technique since early September, the researchers say, adding that the most likely targets are organizations in defense and government sectors, from countries in the EU and Eastern Europe.
Since the invasion of Ukraine, the cyber war between Russia and the West has intensified. In mid-April this year, Microsoft reported that it had taken down seven domains that Russian cybercriminals used in cyberattacks against Ukrainian targets, mainly government agencies and the media.
Through: BleepingComputer (opens in new tab)