Hackers use new code execution techniques to deliver Graphite malware

Share post:

According to a report by the threat intelligence company Cluster25, APT 28 (aka Fancy Bear), a threat group linked to the Russian GRU is using a new technique to deliver the Graphite malware.

The technique uses a mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. It does not require malicious macros to download and execute payloads.

The attackers lure with a PowerPoint (.PPT) file, which is allegedly linked to the Organization for Economic Co-operation and Development (OECD). The PPT file contains two slides with instructions in English and French. The PPT file contains a hyperlink that serves as a trigger for launching a malicious PowerShell script using the SyncAppvPublishingServer utility.

As soon as the victim moves the mouse over a hyperlink while trying to open the lure document, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.

The JPEG, an encrypted DLL file (lmapi2.dll) is decrypted and dropped in the ‘C:\ ProgramData\’ directory. It is later executed via rundll32.exe while a registry key, which guarantees the persistence, will also be created for the DLL.

“If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm. The malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread,” Cluster25 said.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways