Hackers suspected of working for Russia are utilizing Microsoft PowerPoint presentations (PTTs) to spread malware, using a hyperlink technique that acts as a set-off to trigger a malicious PowerShell script within the PPT.
There is no need for a malicious macro to execute or download the payload that launches a more insidious attack. According to threat intelligence company Cluster25, hackers from Fancy Bear — a group suspected of working with Russian intelligence services — implemented the new hacking technique to deliver Graphite malware on the 9th of September.
The threat actor attracts targets using a .PPT (PowerPoint) file associated with the Organization for Economic Cooperation & Development (OECD), an intergovernmental organization facilitating economic development and business globally.
The PPT file comprises 2 slides with instructions in both French and English for utilizing the ‘Interpretation’ feature in Zoom. An inserted hyperlink triggers a malicious PowerShell script using the SyncAppvPublishingServer utility. The hacking technique was first documented in June 2017.
Attackers use the technique to spread Graphite malware. The variant was documented by security company Trellix in January. Its name derives from the fact that the malware uses the Microsoft Graph API to utilize OneDrive as a command and control server.
Based on its research, Cluster25 reports that hackers were preparing their campaigns during January and February. The malicious hyperlinks used in the attacks appeared in August. The threat actors also target defence and government entities in the European Union.
Infectious malware chain
The malware is activated when someone opens the infected document in the presentation mode and hovers over the hyperlink. It automatically downloads a JPEG file from a Microsoft OneDrive account named ‘DSCooo2.jpeg’. This is an encrypted lmapi2.dll file that’s decrypted inside the C drive, which is launched later on using rundll32.exe.
Next in line is a DLL file that retrieves and decrypts another JPEG file. At the same time, it saves the file into the system’s memory on a thread that the DLL previously produced. Furthermore, Cluster25 details that these sequences require a different XOR key for deobfuscation. The resulting payload is Graphite malware, in a portable executable format.
Graphite malware gains access to a command and control server via a fixed client ID that obtains a verified OAuth2 token. Ultimately, the malware’s goal is to enable hackers to load additional malware into the system’s memory.