The Cyber Security News
Fancy Bear hackers exploit PowerPoint files to spread Graphite malware

September 27, 2022

Fancy Bear, a hacking group affiliated with Russia’s military intelligence agency GRU, has struck again with a novel code execution technique, warns threat intelligence firm Cluster25.

The attack uses mouse movements in Microsoft PowerPoint presentations to execute a malicious PowerShell script via the SyncAppvPublishingServer utility.

The mouse-over technique is being leveraged to distribute Graphite malware. Targets are lured with PowerPoint (.PPT) files that appear to be affiliated with the Organisation for Economic Co-operation and Development (OECD).


Inside the PPT file are two slides, featuring instructions in English and French for using the Interpretation option in the Zoom video-conferencing app.

“When opening the lure document in presentation mode and the target hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account,” explained Cluster25.

“The JPEG is an encrypted DLL file (lmapi2.dll), that is decrypted and dropped in the ‘C:\ProgramData’ directory, later executed via rundll32.exe. A registry key for persistence is also created for the DLL.”

Following deobfuscation, the resulting payload, the Graphite malware, exploits the Microsoft Graph API and OneDrive to communicate with the command and control (C2) server. To access the service, the threat actor uses a fixed client ID and a valid OAuth2 token.

“Graphite malware’s purpose is to allow the attacker to load other malware into system memory. It was documented back in January by researchers at Trellix, a merger of McAfee Enterprise and FireEye, who named it so precisely because it leverages the Microsoft Graph API to use OneDrive as C2,” reports BleepingComputer.
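The execution chain described above (PowerPoint spawning SyncAppvPublishingServer, then rundll32.exe loading a DLL out of C:\ProgramData) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Cluster25; it runs simple parent/child rules over a few constructed Sysmon-style events, and the log field names and sample command lines are assumptions made up for the demonstration.

```python
"""Flag the PowerPoint -> SyncAppvPublishingServer -> rundll32 chain over
constructed process-creation events (hypothetical log shape, not real data)."""
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample events, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "cmdline": "SyncAppvPublishingServer.exe n;Start-Process -WindowStyle Hidden"},
    {"parent": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\lmapi2.dll,#1"},
    # Benign noise: Explorer launching Office, and rundll32 with a System32 DLL.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": "POWERPNT.EXE"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Office binaries that should not normally launch a PowerShell host.
OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}


def _name(path: str) -> str:
    """Case-insensitive basename of a Windows path."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[str]:
    """Return a rule name if the event matches a stage of the described chain."""
    parent, image = _name(event["parent"]), _name(event["image"])
    cmd = event["cmdline"].lower()
    # Stage 1: an Office process launching the App-V publishing helper,
    # which hosts PowerShell and so can run a script without powershell.exe.
    if parent in OFFICE_APPS and image == "syncappvpublishingserver.exe":
        return "office_spawns_syncappvpublishingserver"
    # Stage 2: rundll32 loading a DLL from the writable C:\ProgramData tree.
    if image == "rundll32.exe" and "c:\\programdata\\" in cmd and ".dll" in cmd:
        return "rundll32_dll_from_programdata"
    return None


def detect(events: list) -> list:
    """Collect rule hits over a list of events, preserving order."""
    return [hit for ev in events if (hit := classify(ev))]
```

Pairing the two rules on the same host within a short window gives a much stronger signal than either alone, since rundll32 with a ProgramData DLL can occur in benign software installs.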

Some pieces of this article are sourced from:
www.itpro.co.uk


Copyright © TheCyberSecurity.News, All Rights Reserved.