Hackers use PowerPoint files for 'mouseover' malware delivery
2022-09-26 18:40

Hackers believed to work for Russia have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script.

A report from threat intelligence company Cluster25 says that APT28, a threat group attributed to the Russian GRU, has used the new technique to deliver the Graphite malware as recently as September 9.

The threat actor lures targets with a PowerPoint file allegedly linked to the Organization for Economic Co-operation and Development, an intergovernmental organization working towards stimulating economic progress and trade worldwide.
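As an added example (not code from the BleepingComputer article or from Cluster25's report), the following Python script statically triages a .pptx for the kind of trigger described above. PowerPoint stores hyperlink actions as a:hlinkMouseOver or a:hlinkClick elements in the slide XML; the action attribute carries a ppaction:// URI, and the r:id points at a relationship in the slide's .rels part whose Target is the command line for a "run program" action. The sample archive, the command line inside it and the file names are constructed for the demonstration and are not artifacts from the campaign.

```python
# Added example: static triage of a .pptx for mouseover actions and for
# click actions that run a program or macro. Not the article's or Cluster25's
# code; the sample archive and command line below are constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Action URIs that execute something rather than merely navigate.
EXEC_ACTIONS = ("ppaction://program", "ppaction://macro")


def load_rels(zf, slide_name):
    """Map relationship Ids to Targets for one slide part
    (ppt/slides/slideN.xml -> ppt/slides/_rels/slideN.xml.rels)."""
    folder, base = slide_name.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target")
            for rel in root.iter(f"{{{NS_RELS}}}Relationship")}


def scan_pptx(data):
    """Return one finding per mouseover action and per click action that
    runs a program or macro, with the resolved relationship target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = load_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag, trigger in (("hlinkMouseOver", "mouseover"),
                                 ("hlinkClick", "click")):
                for el in root.iter(f"{{{NS_A}}}{tag}"):
                    action = el.get("action", "")
                    target = rels.get(el.get(f"{{{NS_R}}}id"), "")
                    # Any mouseover action deserves a look; click actions
                    # only when they execute a program or macro.
                    if trigger == "mouseover" or action.startswith(EXEC_ACTIONS):
                        findings.append({"slide": name, "trigger": trigger,
                                         "action": action, "target": target})
    return findings


# Constructed sample (assumed command line, not the real lure's):
# slide 1 carries a mouseover "run program" action, slide 2 an ordinary
# web hyperlink that must not be reported.
SAMPLE_COMMAND = "powershell.exe -ExecutionPolicy Bypass -File C:/Users/Public/stage.ps1"


def slide_xml(link):
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
            f'xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree>'
            f'<p:sp><p:nvSpPr><p:cNvPr id="2" name="Picture 1">{link}</p:cNvPr>'
            f'</p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>')


def rels_xml(target, mode):
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{NS_RELS}"><Relationship Id="rId2" '
            f'Type="{NS_R}/hyperlink" Target="{escape(target)}" TargetMode="{mode}"/>'
            f'</Relationships>')


def build_sample_pptx(command=SAMPLE_COMMAND):
    """Minimal archive holding only the slide parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml(
            '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml(command, "External"))
        zf.writestr("ppt/slides/slide2.xml", slide_xml('<a:hlinkClick r:id="rId2"/>'))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels",
                    rels_xml("https://example.org/", "External"))
    return buf.getvalue()


def demo():
    return scan_pptx(build_sample_pptx())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['slide']}: {f['trigger']} -> {f['action']} {f['target']}")
```

Run it against a real file with scan_pptx(open(path, "rb").read()). The scan is static: a mouseover action only fires while the deck is in slideshow mode and the cursor crosses the shape, so a clean result from a sandbox that never entered slideshow mode does not contradict a finding here.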

With the newly obtained OAuth2 token, Graphite queries the Microsoft Graph API for new commands by enumerating the child files in the "check" OneDrive subdirectory, the researchers explain.

"If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm," Cluster25 says, adding that "the malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread."

The purpose of the Graphite malware is to let the attacker load further malware into system memory.


News URL

https://www.bleepingcomputer.com/news/security/hackers-use-powerpoint-files-for-mouseover-malware-delivery/