PowerPoint files are being hacked to spread this new Russian malware
Dangerous campaign leverages a PowerPoint flaw and mouse movements
Researchers have uncovered a new cyber-espionage campaign that leverages a dangerous PowerPoint vulnerability to deliver the Graphite malware to target endpoints.
What makes this campaign particularly dangerous is that the victims don’t need to click a link or download the malware themselves: hovering the mouse over a link is enough to trigger the attack.
Cybersecurity researchers Cluster25 recently spotted APT28, also known as Fancy Bear, distributing a PowerPoint (.PPT) presentation pretending to come from the Organization for Economic Co-Operation and Development (OECD).
State-sponsored actors
The .PPT contains two slides with a hyperlink. When the victim hovers the mouse over the hyperlink, a PowerShell script is triggered via the SyncAppvPublishingServer utility, the researchers explained. The script downloads a JPEG file titled DSC0002.jpeg from a Microsoft OneDrive account. The JPEG is, in fact, an encrypted .DLL file called Imapi2.dll. This file later pulls and decrypts a second .JPEG, which is the Graphite malware in portable executable (PE) form.
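As an added, defender-side illustration that is not part of the article or of Cluster25's research, the Python below runs three detection rules over constructed process-creation events (Sysmon-style field names) and flags the chain the article describes: PowerPoint launching SyncAppvPublishingServer or PowerShell, and a script host fetching a .jpeg from OneDrive. The field names, the OneDrive hostnames and the sample command lines are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (Sysmon-style fields); illustrative only, not
# telemetry captured from the campaign described in the article.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": "SyncAppvPublishingServer.exe \"n; $u='https://onedrive.live.com/download?resid=EXAMPLE&file=DSC0002.jpeg'\""},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: user opens PowerPoint
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": "POWERPNT.EXE C:\\Users\\u\\slides.pptx"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # benign: App-V scheduled sync
     "Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": "SyncAppvPublishingServer.exe \"n\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

OFFICE_HOSTS = {"POWERPNT.EXE"}  # the article's host application; extend as needed
LOLBIN = {"SYNCAPPVPUBLISHINGSERVER.EXE", "SYNCAPPVPUBLISHINGSERVER.VBS"}
POWERSHELL = {"POWERSHELL.EXE", "PWSH.EXE"}
# Assumed OneDrive hostnames; tune to the share links seen in your environment.
ONEDRIVE_IMAGE_URL = re.compile(
    r"https?://[^\s'\"]*(?:onedrive\.live\.com|1drv\.ms)[^\s'\"]*\.jpe?g\b", re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.upper()

def classify(event: dict) -> list[str]:
    """Return the names of the rules an event matches (empty list = benign)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # Rule 1: Office host launching the App-V publishing helper (proxy execution).
    if parent in OFFICE_HOSTS and image in LOLBIN:
        hits.append("office_spawns_syncappv")
    # Rule 2: Office host launching PowerShell directly.
    if parent in OFFICE_HOSTS and image in POWERSHELL:
        hits.append("office_spawns_powershell")
    # Rule 3: a script host referencing a .jpeg on OneDrive, matching the
    # image-disguised DLL download the article reports.
    if image in (LOLBIN | POWERSHELL) and ONEDRIVE_IMAGE_URL.search(cmd):
        hits.append("script_fetches_onedrive_image")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]
```

Running `scan(SAMPLE_EVENTS)` reports the first event under rules 1 and 3 and the last under rule 2, while the two benign events produce no hits.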
As per Malpedia, Graphite was first discovered by researchers at Trellix, which described it as malware that uses Microsoft Graph API and OneDrive as its C2. Initially, it was being deployed in-memory, and its goal was to download the Empire post-exploitation agent.
APT28 is a well-known threat actor, allegedly on Russia’s payroll. Security experts believe the group is part of the Main Intelligence Directorate of the Russian General Staff, or GRU.
The group has been distributing Graphite via this technique since early September, the researchers believe, further adding that its most likely targets are organizations in defense and government sectors, of countries in the EU, as well as Eastern Europe.
Ever since the invasion of Ukraine, the cyber-war between Russia and the West has intensified. In mid-April this year, Microsoft reported taking down seven domains that Russian cybercriminals were using in cyberattacks against Ukrainian targets, mostly government institutions and the media.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.