A PowerPoint document launches its attack as soon as the user moves the mouse in presentation mode. A PowerShell script then fetches and runs the Graphite malware. APT28, also known as Fancy Bear, is believed to be behind the attack.
Cluster25 researchers collected and analyzed a malicious document used to deliver a variant of the Graphite malware, which is clearly associated with the threat actor known as APT28 (aka Fancy Bear, TSAR Team). A July 2018 US Department of Justice indictment attributed this APT group to the Main Intelligence Directorate (GRU) of the Russian General Staff. The lure document is a PowerPoint file that relies on a code execution technique triggered when the user starts presentation mode and moves the mouse. This launches a PowerShell script that downloads a dropper from OneDrive and executes it. The dropper then extracts a new PE (Portable Executable) file and injects it into its own process; analysis showed this to be a variant of the Graphite malware family, which uses the Microsoft Graph API and OneDrive for command-and-control (C&C) communication.
PowerPoint file lures with OECD information
According to the metadata of the malicious PowerPoint file, the attackers used a template that may be associated with the Organization for Economic Co-operation and Development (OECD). This organization works with governments, policymakers and citizens to establish evidence-based international standards and to find solutions to a range of social, economic and environmental challenges. The file itself is a PowerPoint presentation (PPT) containing two slides with the same content, the first in English and the second in French. The slides provide instructions on how to use the interpretation feature available in Zoom.
Insidious execution technique via hyperlinks
This PowerPoint uses a code execution technique that relies on hyperlink actions rather than an explicit "Run Program"/macro action, and it fires when the user starts presentation mode and moves the mouse over the link. The code executed is a PowerShell script launched via the SyncAppvPublishingServer utility, a legitimate Windows (App-V) component abused as a living-off-the-land binary. It downloads a file with a JPEG extension (DSC0002.jpeg) from OneDrive; this file is in fact a DLL, which is subsequently decrypted and written to the local path C:\ProgramData\lmapi2.dll.
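As an added example (not from the original article or from Cluster25's analysis), the following Python script performs the file-level check a defender would want for this technique: it opens a PowerPoint OOXML (.pptx) package, walks every slide, and reports hyperlink actions, on click or on mouse-over, that resolve to PowerPoint's "run program" or "run macro" action URIs (ppaction://program, ppaction://macro), together with the external target recorded in the slide's relationship part. The sample presentation it builds, and the SyncAppvPublishingServer command line inside it, are constructed for the example and are not the analyzed sample's actual contents; the function and variable names are the example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# XML namespaces used by slide parts and relationship parts of an OOXML presentation.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"

# PowerPoint hyperlink action URIs that execute something instead of navigating.
EXEC_ACTIONS = ("ppaction://program", "ppaction://macro")

# Constructed mouse-over target for the example. It mimics the SyncAppvPublishingServer
# abuse the article describes, but is NOT the analyzed sample's real command line.
SAMPLE_TARGET = (r"C:\Windows\System32\SyncAppvPublishingServer.vbs"
                 ' "n;powershell -c PAYLOAD"')


def _slide_rels(zf, slide_name):
    """Map relationship Id -> (Target, TargetMode) for one slide part."""
    rels_name = slide_name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): (rel.get("Target"), rel.get("TargetMode", "Internal"))
            for rel in root.iter(f"{{{NS_PR}}}Relationship")}


def scan_pptx(data):
    """Return one finding per hyperlink action in `data` (pptx bytes) that runs a
    program or macro. Both click (hlinkClick) and mouse-over (hlinkMouseOver)
    actions are checked, since PowerPoint offers "Run program" for either."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = [n for n in zf.namelist()
                  if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)]
        for slide in sorted(slides):
            rels = _slide_rels(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for trigger, tag in (("click", "hlinkClick"), ("mouseover", "hlinkMouseOver")):
                for link in root.iter(f"{{{NS_A}}}{tag}"):
                    action = link.get("action", "")
                    if not action.startswith(EXEC_ACTIONS):
                        continue
                    # The program path lives in the slide's .rels part, keyed by r:id.
                    target, mode = rels.get(link.get(f"{{{NS_R}}}id"), (None, None))
                    findings.append({"slide": slide, "trigger": trigger,
                                     "action": action, "target": target,
                                     "external": mode == "External"})
    return findings


def build_sample_pptx(target=SAMPLE_TARGET, action="ppaction://program"):
    """Build a minimal, constructed PPTX-like package with one shape whose
    mouse-over hyperlink carries `action` and points at `target`. With
    action="" the shape is an ordinary hyperlink (benign control case)."""
    action_attr = f' action="{action}"' if action else ""
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree>
    <p:sp><p:nvSpPr>
      <p:cNvPr id="2" name="Rectangle 1">
        <a:hlinkMouseOver r:id="rId2"{action_attr}/>
      </p:cNvPr>
      <p:cNvSpPr/><p:nvPr/>
    </p:nvSpPr></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PR}">
  <Relationship Id="rId2" Type="{NS_R}/hyperlink"
                Target={quoteattr(target)} TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_pptx(build_sample_pptx()):
        print(f"{f['slide']}: on {f['trigger']} -> {f['action']} {f['target']!r}")
```

Because the action only fires once the deck is in presentation mode, a static check like this, run over mail attachments or a quarantine share, catches the trigger before anyone opens the file. Note the caveat: the article describes the lure as a PPT file, and the legacy binary (OLE2) PPT format stores action settings differently from the OOXML container this script parses, so a binary PPT needs a different parser.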
The Cluster25 blog (the DuskRise threat intelligence team) provides a detailed technical analysis of the new PowerPoint-based attack.
More at DuskRise.com