Fancy Bear hackers exploit PowerPoint files to spread Graphite malware

Fancy Bear, a hacking team affiliated with Russia’s navy intelligence company GRU, has struck all over again with a novel code execution approach, warns threat intelligence organization Cluster25.

The attack utilizes mouse actions in Microsoft PowerPoint shows to execute a destructive PowerShell script by way of the SyncAppvPublishingServer utility. 

The mouse-in excess of approach is being leveraged to distribute Graphite malware. Targets are lured with PowerPoint (.PPT) files that show up to be affiliated with the Group for Financial Co-operation and Advancement (OECD).    

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

Inside the PPT file are two slides, featuring recommendations in English and French for working with the Interpretation choice in Zoom online video-conferencing app. 

“When opening the lure document in presentation method and the target hovers the mouse above a hyperlink, a destructive PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account,” discussed Cluster25.

“The JPEG is an encrypted DLL file (lmapi2.dll), that is decrypted and dropped in the ‘C:ProgramData’ listing, later executed by way of rundll32.exe. A registry crucial for persistence is also produced for the DLL.”

Subsequent deobfuscation, the ensuing payload— Graphite malware—exploits the Microsoft Graph API and OneDrive to converse with the command and regulate (C2) server. For accessing the service, the menace actor works by using a mounted consumer ID and a valid OAuth2 token.

“Graphite malware’s intent is to enable the attacker to load other malware into program memory. It has been documented again in January by researchers at Trellix, a merger of McAfee Company and FireEye, who named it so precisely simply because it leverages the Microsoft Graph API to use OneDrive as C2,” reports Bleeping Laptop.