Hackers use mouse movement in Microsoft PowerPoint to spread malware

There is a new code execution technique being used by hackers believed to be working for Russia, as reported by security analysts Cluster25.

An attack of this type uses mouse movement to launch a malicious PowerShell script on the computer after opening a PowerPoint presentation.

What makes the attack more insidious is that no macros are required: the malicious code downloads the payload and executes it without them.

According to the report, the Graphite malware was introduced into the system as recently as September 9th using the new delivery technique attributed to APT28 (aka Fancy Bear, TSAR Team).

In July 2018, the US government released a report claiming that this threat group is affiliated with the Main Intelligence Directorate of the Russian General Staff.

Technical analysis

A .PPT file allegedly linked to the OECD is used by the threat actor to lure targets. The OECD is an intergovernmental organization that works to advance economic growth and trade worldwide.

The presentation contains two slides, both of which give instructions, in English and French, for using the Interpretation option in the Zoom video conferencing application.

The hyperlink in the PPT file launches a malicious PowerShell script through the SyncAppvPublishingServer utility. This technique has been publicly documented since June 2017.

As soon as the victim hovers over a hyperlink in the decoy document when it is in presentation mode, it opens a malicious PowerShell script.
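As an added example that is not part of the article or Cluster25's report, the following Python snippet applies a simple detection rule to process-creation events: it flags SyncAppvPublishingServer.exe when it is spawned by an Office application or when its command line carries PowerShell-style content. The event field names and the sample events are assumptions, modelled loosely on Sysmon Event ID 1 (process creation) data.

```python
# Constructed sample process-creation events (not real telemetry).
# Field names follow the Sysmon Event ID 1 convention as an assumption.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": 'SyncAppvPublishingServer.exe "n; Start-Process notepad"'},
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "SyncAppvPublishingServer.exe"},            # benign, scheduled use
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},               # not the LOLBin in question
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "n; Invoke-Expression $x"'},
]

# Office parents that have no legitimate reason to start this utility.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Tokens that indicate PowerShell code was smuggled into the argument string.
PS_HINTS = ("invoke-expression", "invoke-webrequest", "downloadstring",
            "start-process", "new-object", "-encodedcommand", "frombase64string")


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means no match."""
    reasons = []
    if basename(event.get("Image", "")) != "syncappvpublishingserver.exe":
        return reasons
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("launched by Office process")
    cmd = event.get("CommandLine", "").lower()
    if any(hint in cmd for hint in PS_HINTS):
        reasons.append("command line carries PowerShell-style content")
    return reasons


def scan(events: list) -> list:
    """Run the rule over a list of events and return the hits with their index."""
    return [{"index": i, "reasons": classify(e)}
            for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {', '.join(hit['reasons'])}")
```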

Next, this malicious script downloads a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.

The file is then decrypted into a DLL and written to the path C:\ProgramData\lmapi2.dll on the local machine.

lmapi2.dll is a 64-bit PE file in DLL form. Once loaded, it creates a new thread together with a mutex named 56rd68kow that is used to control it.

Additionally, to communicate with the C2 server, Graphite uses the following two services:

  • Microsoft Graph APIs
  • OneDrive

Graphite obtains a valid OAuth2 token for the service using a fixed client ID. With that token, it enumerates the child files of the OneDrive check subdirectory through the Microsoft Graph APIs, querying them for new commands.

This malware is designed to allow the attacker to load other malware into the system memory in order to take control of the system.
