Hackers believed to work for Russia have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script.
No malicious macro is necessary for the malicious code to execute and download the payload, for a more insidious attack. A report from threat intelligence company Cluster25 says that APT28 (a.k.a. ‘Fancy Bear’), a threat group attributed to the Russian GRU (Main Intelligence Directorate of the Russian General Staff), have used the new technique to deliver the Graphite malware as recently as September 9th.
The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide.
Inside the PPT file there are two slides, both featuring instructions in English and French for using the Interpretation option in Zoom video-conferencing app.
Document lure used in new campaign using Graphite malware:
The PPT file contains a hyperlink that acts as a trigger for launching a malicious PowerShell script using the SyncAppvPublishingServer utility. This technique has been documented since June 2017. Multiple researchers explained at the time how the infection works without a malicious macro nested inside an Office document (1, 2, 3, 4).
Based on the metadata found, Cluster25 says that the hackers have been preparing the campaign between January and February, although the URLs used in the attacks appeared active in August and September.
Use of PowerPoint mouse-over technique to deliver Graphite malware:
When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.
The JPEG is an encrypted DLL file (lmapi2.dll), that is decrypted and dropped in the ‘C:\ProgramData\’ directory, later executed via rundll32.exe. A registry key for persistence is also created for the DLL.
Triggering malicious code execution:
Next, lmapi2.dll fetches and decrypts a second JPEG file and loads it into memory, on a new thread previously created by the DLL. Cluster25 details that each of the strings in the newly fetched file requires a different XOR key for deobfuscation. The resulting payload is Graphite malware in portable executable (PE) form. Graphite abuses the Microsoft Graph API and OneDrive to communicate with the command and control (C2) server. The threat actor accesses the service by using a fixed client ID to obtain a valid OAuth2 token.
Fixed client ID used by Graphite:
With the new OAuth2 token, Graphite queries the Microsoft GraphAPIs for new commands by enumerating the child files in the check OneDrive subdirectory, the researchers explain.
“If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm,” Cluster25 says, adding that “the malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread.”
Graphite malware’s purpose is to allow the attacker to load other malware into system memory. It has been documented back in January by researchers at Trellix, a merger of McAfee Enterprise and FireEye, who named it so specifically because it leverages the Microsoft Graph API to use OneDrive as C2.
The campaign that Trellix investigated used an Excel documents titled “parliament_rew.xlsx” and “Missions Budget.xlsx” that appeared to target government employees and individuals in the defense industry.
Based on code similarities with malware samples from 2018, targeting, and the infrastructure used in the attacks, Trellix has attributed Graphite to APT28 with low to moderate confidence.