A hacker collective is on the rise with a novel way to infiltrate targets through a PowerPoint feature. The group has been identified as the Russian state-sponsored "APT28" and is said to be using a new code-execution method that leverages mouse movement in Microsoft PowerPoint to deploy malware via decoy documents.
According to sources, the mouse movement triggers a backdoor action when the user starts presentation mode in PowerPoint. The code execution used in the campaign, according to Cluster25 researchers, runs a PowerShell script that automatically downloads and launches a dropper from Microsoft OneDrive.
The dropper initially appears to be a typical image file with a standard image extension. However, once opened, it acts as a loader for the next-stage payload. The chain ends in the Graphite malware, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.
Researchers explain Graphite malware campaign
The decoy presentation uses a premade PowerPoint template that links back to the Organization for Economic Co-operation and Development (OECD), a Paris-based intergovernmental entity.
Cluster25 researchers examined the two URLs used by the attackers in campaign activity in August and September. The investigation revealed that the hackers had begun the groundwork in early 2022 and, over the past two months, have expanded their operations while continuing to run the campaign. The threat actors have mainly targeted organizations and individuals in the government and defense sectors across Europe and Eastern Europe.
The hacker collective dropped the backdoor in their initial attacks by taking advantage of the MSHTML remote code execution vulnerability (CVE-2021-40444). They ran their campaigns in late 2021 and early 2022, deploying the malware in January 2022 to initiate a similar attack.
The group goes by several identities, including the well-known APT28 and Fancy Bear, and is becoming an A-grade threat to businesses as it keeps expanding its influence in underground hacking forums. The threat group is expected to adopt new exploitation techniques as it broadens its technical repertoire to carry on its operations in industries and organizations beyond those it has already infiltrated.