The Russian state-sponsored risk actor often known as APT28 has been discovered leveraging a brand new code execution methodology that makes use of mouse motion in decoy Microsoft PowerPoint paperwork to deploy malware.
The method “is designed to be triggered when the person begins the presentation mode and strikes the mouse,” cybersecurity agency Cluster25 stated in a technical report. “The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive.”
The dropper, a seemingly innocent picture file, features as a pathway for a follow-on payload, a variant of a malware often known as Graphite, which makes use of the Microsoft Graph API and OneDrive for command-and-control (C2) communications for retrieving further payloads.
The assault employs a lure doc that makes use of a template probably linked to the Organisation for Financial Co-operation and Growth (OECD), a Paris-based intergovernmental entity.
Cluster25 famous the assaults could also be ongoing, contemplating that the URLs used within the assaults appeared lively in August and September, though the hackers had beforehand laid the groundwork for the marketing campaign between January and February.
Potential targets of the operation seemingly embody entities and people working within the protection and authorities sectors of Europe and Japanese Europe, the corporate added, citing an evaluation of geopolitical goals and the gathered artifacts.
This isn’t the primary time the adversarial collective has deployed Graphite. In January 2022, Trellix disclosed the same assault chain that exploited the MSHTML distant code execution vulnerability (CVE-2021-40444) to drop the backdoor.
The event is an indication that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its strategies for optimum influence as exploitation routes as soon as deemed viable (e.g., macros) stop to be worthwhile.