Hackers Use Mouse Movement in Microsoft PowerPoint Presentations to Deliver Malware

There is a new code execution technique being used by hackers who are thought to be working for Russia as reported by the security analysts at Cluster25. 

An attack of this type makes use of mouse movement to launch a malicious PowerShell script on the computer after a PowerPoint presentation has been opened.

To create a more insidious attack, the malicious code does not require any macro to execute so that it can download the payload and execute the malicious code.

According to the report, Graphite malware was delivered into the system as recently as September 9 using the newly developed APT28 (aka Fancy Bear, TSAR Team) delivery technique.

In July 2018, the U.S. government published a report claiming that this threat group is affiliated with the Russian General Staff’s Main Intelligence Directorate.

Technical Analysis

An allegedly OECD-related .PPT file is used by the threat actor to lure targets. This is an international government organization that works for the advancement of economic growth and trade throughout the world.

There are two slides included in the presentation, both of which contain instructions in both English and French languages. In the Zoom video-conferencing app, there is an option called Interpretation that can be used to use it. 

Using the SyncAppvPublishingServer utility, a malicious PowerShell script is launched through the hyperlink in the PPT file. Since June 2017, there has been documentation of this technique available online.

As soon as the victim hovers a mouse over a hyperlink in the lure document when it is in presentation mode, it will open a malicious PowerShell script. 

Secondly, the threat actor downloaded a JPEG file from a Microsoft OneDrive account (“DSC0002.jpeg”) with the help of this malicious script.

It is then converted into a DLL file that will be decrypted and placed in the path C:\ProgramData\lmapi2.dll on the local machine. 

There is a 64-bit PE file named lmapi2.dll that is used as the DLL file. As a result of this file, a new thread will be created alongside a new mutex, entitled 56rd68kow, that will be used to control it.

Further, for the purpose of communicating with the C2 server, Graphite utilizes the following two elements:-

  • Microsoft Graph API
  • OneDrive

To obtain a valid OAuth2 token, the threat actor uses a fixed client ID that can be used to access the service. In the check OneDrive subdirectory, Graphite enumerates the child files of the new OAuth2 token, and queries the Microsoft GraphAPIs for new commands.

This malware is designed to enable the attacker to load other malware into the memory of the system in order to gain control over the system.

Download Free SWG – Secure Web Filtering – E-book

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.