Researchers have uncovered a new cyber-espionage campaign that leverages a malicious PowerPoint file to deliver the Graphite malware to target endpoints.
What makes this campaign particularly dangerous is that victims do not actually need to click a link or download the malware themselves: a mouse hover is enough to trigger the attack.
Cybersecurity researchers at Cluster25 recently spotted APT28, also known as Fancy Bear, distributing a PowerPoint (.PPT) presentation purporting to come from the Organisation for Economic Co-operation and Development (OECD).
The .PPT contains two slides with a hyperlink. When the victim hovers the mouse over the link, a PowerShell script is triggered via the SyncAppvPublishingServer utility, the researchers explained. The script downloads a JPEG file named DSC0002.jpeg from a Microsoft OneDrive account. The JPEG is in fact an encrypted DLL file called Imapi2.dll. That file later pulls and decrypts a second JPEG, which is the Graphite malware in portable executable (PE) form.
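A defender-side check for the chain described above. The following Python is added here and is not code from Cluster25 or the original article: it scans process-creation events (field names loosely modelled on Sysmon process-creation records, an assumption) for an Office process spawning SyncAppvPublishingServer, or PowerShell with a OneDrive download, while leaving legitimate App-V use under explorer.exe alone. The sample events are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

# Office hosts that should rarely spawn script interpreters or App-V helpers.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
LOLBIN = "syncappvpublishingserver"  # matches both the .exe and the .vbs form
DOWNLOAD_RE = re.compile(r"onedrive\.live\.com|1drv\.ms|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Reason string if the event matches the hover-to-PowerShell chain, else None."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None  # App-V refreshes under explorer/svchost are normal and stay quiet
    child, cmd = basename(ev.image), ev.command_line.lower()
    if LOLBIN in child or LOLBIN in cmd:
        return "Office spawned SyncAppvPublishingServer (hyperlink mouse-over action)"
    if child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(cmd):
        return "Office spawned PowerShell that downloads from OneDrive"
    return None

def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """(image, reason) for every event worth alerting on."""
    return [(e.image, r) for e in events if (r := classify(e)) is not None]

# Constructed sample telemetry; URLs and arguments are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
              r"C:\Windows\System32\SyncAppvPublishingServer.exe",
              'SyncAppvPublishingServer.exe "n; <placeholder fetch of DSC0002.jpeg>"'),
    ProcEvent(r"C:\Windows\explorer.exe",  # benign App-V publishing refresh
              r"C:\Windows\System32\SyncAppvPublishingServer.exe",
              "SyncAppvPublishingServer.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden Invoke-WebRequest https://onedrive.live.com/<placeholder>"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```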
According to media reports, Graphite was first discovered by researchers at Trellix, who described it as malware that uses the Microsoft Graph API and OneDrive for command and control (C2). Initially it was deployed in memory, and its goal was to download the Empire post-exploitation agent.
APT28 is a well-known threat actor, allegedly on Russia's payroll. Security experts believe the group is part of the Main Intelligence Directorate of the Russian General Staff (GRU).
The researchers believe the group has been distributing Graphite via this method since early September, adding that its most likely targets are organizations in the defense and government sectors of EU countries, as well as Eastern Europe.
Ever since the invasion of Ukraine, the cyber-war between Russia and the West has intensified. In mid-April this year, Microsoft reported taking down seven domains that Russian cybercriminals were using in cyberattacks against Ukrainian targets, mostly government institutions and the media.
Via BleepingComputer