- Joined
- Dec 3, 2020
- Messages
- 1,353
To infect, the user only needs to look at the malicious link.
Fancy Bear (APT28), believed to be linked to the Russian military intelligence agency GRU, is using a new remote code execution technique, according to research firm Cluster25. Hackers use mouse movements in Microsoft PowerPoint presentations to execute a malicious PowerShell script using the "SyncAppvPublishingServer" utility.
The attacks are reportedly targeting organizations in the defense and government sectors of the European Union and Eastern European countries.
The mouseover technique is used to spread the Graphite malware. The victim is lured by fraudulent PowerPoint PPT files linked to the Organization for Economic Co-operation and Development (OECD).
The file contains 2 slides with instructions in English and French on how to use the Interpret option in the Zoom app.
.png)
When you open the decoy document in presentation mode and hover over the hyperlink, a malicious PowerShell script is activated to download a JPEG file from your Microsoft OneDrive account.
A JPEG file is an encrypted DLL file that is decrypted and placed in the "C:\ProgramData\" directory and then executed via "rundll32.exe". A registry key is also created to maintain network persistence.
After deobfuscation, the resulting payload, Graphite malware, uses the Microsoft Graph and OneDrive APIs to communicate with the command and control (C&C) server. An attacker uses a fixed client ID and a valid OAuth2 token to access the service.
Ultimately, Graphite allows an attacker to load other malware into system memory and maintain persistence on the system. The malware allows remote execution of commands by allocating a new area of memory and executing the resulting shellcode by invoking a new dedicated thread.
Fancy Bear (APT28), believed to be linked to the Russian military intelligence agency GRU, is using a new remote code execution technique, according to research firm Cluster25. Hackers use mouse movements in Microsoft PowerPoint presentations to execute a malicious PowerShell script using the "SyncAppvPublishingServer" utility.
The attacks are reportedly targeting organizations in the defense and government sectors of the European Union and Eastern European countries.
The mouseover technique is used to spread the Graphite malware. The victim is lured by fraudulent PowerPoint PPT files linked to the Organization for Economic Co-operation and Development (OECD).
The file contains 2 slides with instructions in English and French on how to use the Interpret option in the Zoom app.
When you open the decoy document in presentation mode and hover over the hyperlink, a malicious PowerShell script is activated to download a JPEG file from your Microsoft OneDrive account.
A JPEG file is an encrypted DLL file that is decrypted and placed in the "C:\ProgramData\" directory and then executed via "rundll32.exe". A registry key is also created to maintain network persistence.
After deobfuscation, the resulting payload, Graphite malware, uses the Microsoft Graph and OneDrive APIs to communicate with the command and control (C&C) server. An attacker uses a fixed client ID and a valid OAuth2 token to access the service.
Ultimately, Graphite allows an attacker to load other malware into system memory and maintain persistence on the system. The malware allows remote execution of commands by allocating a new area of memory and executing the resulting shellcode by invoking a new dedicated thread.
