- Cybersecurity researchers analyzed a lure document used to implant a variant of Graphite malware linked to the threat actor known as APT28.
- This PowerPoint exploits a code execution technique that is designed to be triggered when the user starts the presentation mode and moves the mouse.
- The malware communicates with the Command and Control by abusing the Microsoft Graph service to stay stealthy.
Researchers at Cluster25 announced that they analyzed a lure document, which is linked to a threat actor known as APT28 or also known as Fancy Bear or TSAR Team. The group is attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The hackers are using a PowerPoint file as a lure document to spread the malware.
A variant of Graphite malware
The document exploits a code execution technique, which is designed to be triggered when the user activates the presentation mode and moves the mouse. It runs a PowerShell script to download and execute a dropper by using OneDrive. Then, it downloads the payload that is capable of extracting and injecting a new executable file. According to the analysis results, it is a variant of the notorious malware family, Graphite, which uses the Microsoft Graph API and OneDrive for command and control communications.
The attackers are using a template mostly linked to The Organisation for Economic Co-operation and Development. The Powerpoint file has two slides, an English and a French version of the same content. It is triggered by using Hyperlinks instead of Run Program / Macro. It is enough to mouse the mouse after starting the presentation mode to trigger the code execution.
For command and control communications, the malware uses the domain graph[.]Microsoft[.]com. It abuses the Microsoft’s Graph service, the API Web RESSTful that provides access to cloud service resources. To obtain a new OAuth2 token to access the service, the endpoint login[.]microsoftonline[.]com/common/oauth2/v2.0/token is contacted using a fixed client ID. Once it is obtained, it will query the Microsoft GraphAPIs for new commands. If a new file is found in the OneDrive subdirectory, it is downloaded and decrypted through an AES-256-CBCdecryption algorithm. In the final step, the malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread. Cluster25 said,
« According to extracted metadata, attackers worked on the preparation of the campaign between January and February 2022. However, both URLs used by attackers appared active even recently (Q3 2022). In addition could be interesting to note that, according to the visibility we can dispose of, limited telemetry hits related to the collected artifacts have been catched on 25/08/2022 and 09/09/2022 from two countries of the European Union (we have no data available before 25/08/2022).
Such recent evidence could suggest some sort of activities still ongoing linked to the described threat or to some of its variants. Finally, based on several indicators, geopolitical objectives and the analyzed artifacts, Cluster25 attributes this campaign to the Russia-linked threat actor known as APT28 (aka Fancy Bear, TSAR Team, Pawn Storm, Sednit) and indicates entities and individuals operating in the defense and government sectors of Europe and Eastern Europe countries as potential targets. »