Hackers use new code execution techniques to deliver Graphite malware

According to a report by the threat intelligence company Cluster25, APT 28 (aka Fancy Bear), a threat group linked to the Russian GRU is using a new technique to deliver the Graphite malware.

The technique uses a mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. It does not require malicious macros to download and execute payloads.

The attackers lure with a PowerPoint (.PPT) file, which is allegedly linked to the Organization for Economic Co-operation and Development (OECD). The PPT file contains two slides with instructions in English and French. The PPT file contains a hyperlink that serves as a trigger for launching a malicious PowerShell script using the SyncAppvPublishingServer utility.

As soon as the victim moves the mouse over a hyperlink while trying to open the lure document, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.

The JPEG, an encrypted DLL file (lmapi2.dll) is decrypted and dropped in the ‘C:\ ProgramData\’ directory. It is later executed via rundll32.exe while a registry key, which guarantees the persistence, will also be created for the DLL.

“If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm. The malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread,” Cluster25 said.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web