IT security researchers have discovered a PowerPoint document that loads and executes malicious code as soon as the mouse is moved while it is being displayed. It comes from Russia.
IT security researchers from Cluster25 have discovered a malicious PowerPoint presentation that smuggles malicious code onto unsuspecting victims' systems and executes it at the slightest mouse movement. The analysts assume that the Russian state-backed cyber gang APT28, also known as Fancy Bear, is behind it.
The lure document executes code when recipients start the presentation and move the mouse. This launches a PowerShell script that downloads and runs a dropper from a Microsoft OneDrive share. The dropper, in turn, fetches further malicious code, which it extracts into a portable executable (PE) file. The analyses indicate that it is a variant of the Graphite malware family, which uses the Microsoft Graph API and OneDrive to communicate with its command and control servers.
Malware Insights
The metadata of the PowerPoint presentation suggests that the attackers used a template that may belong to the OECD. The Cluster25 researchers explain in their report that the OECD works with governments, politicians and citizens to develop evidence-based international standards and solutions for social, economic and ecological challenges. The presentation consists of two slides with the same content, one in English and one in French: a guide to using Zoom's translation feature. This provides clues to the probable target group of the attack.
After the presentation is started, a mouse-over event on a hyperlink triggers a PowerShell script. It is launched via the SyncAppvPublishingServer tool and downloads the file DSC0002.jpeg from a OneDrive share. This file is later decrypted and saved as the library C:\ProgramData\lmapi2.dll. The malware achieves persistence by registering itself in the registry key HKCU\Software\Classes\CLSID\{2735412E-7F64-5B0F-8F00-5D77AFBE261E}\InProcServer32, from which the DLL is executed using rundll32.exe.
Communication with the command and control servers runs via the domain graph.microsoft.com and thus abuses the Microsoft Graph cloud service. The malware is used to install further malware. In addition, the masterminds secure their access by retrieving an OAuth token with a fixed client ID. Microsoft recently observed the same procedure in break-ins to Exchange Online.
Once implanted, the Graphite malware queries the Microsoft Graph API for new commands and crawls through the files in a OneDrive subfolder. When it encounters a new file, it downloads it and decrypts it with AES-256-CBC. Finally, the malware enables remote code execution by launching the received shellcode in a thread of its own. According to the metadata, the malware was developed in January and February of this year, but according to Cluster25 it only appeared on August 25 and September 9. The analysts therefore assume that it is still in active use.
Based on several pieces of circumstantial evidence, the geopolitical targets and the analysed files, Cluster25 attributes the campaign to APT28, which is controlled by Russia's military intelligence service. The evidence appears to point to organizations and individuals from the defense and government sectors in Europe and Eastern European countries as targets. This fits the current picture: Russian masterminds apparently direct several cyber gangs, and Russia is stepping up its cyber attacks in the war against Ukraine.