Hackers use new code execution techniques to deliver Graphite malware

Share post:

According to a report by the threat intelligence company Cluster25, APT 28 (aka Fancy Bear), a threat group linked to the Russian GRU is using a new technique to deliver the Graphite malware.

The technique uses a mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. It does not require malicious macros to download and execute payloads.

The attackers lure with a PowerPoint (.PPT) file, which is allegedly linked to the Organization for Economic Co-operation and Development (OECD). The PPT file contains two slides with instructions in English and French. The PPT file contains a hyperlink that serves as a trigger for launching a malicious PowerShell script using the SyncAppvPublishingServer utility.

As soon as the victim moves the mouse over a hyperlink while trying to open the lure document, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.

The JPEG, an encrypted DLL file (lmapi2.dll) is decrypted and dropped in the ‘C:\ ProgramData\’ directory. It is later executed via rundll32.exe while a registry key, which guarantees the persistence, will also be created for the DLL.

“If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm. The malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread,” Cluster25 said.

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

What is Ticketmaster saying to its customers?

Here's the letter that has been sent out out to Ticketmaster clients that a reader sent to me....

Cyber Security Today, July 8, 2024 – New ransomware group discovered, and summer podcast break starts

A new ransomware group is discovered. Welcome to Cyber Security Today. It's Monday July 8th, 2024. I'm Howard Solomon,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways