APT28 relies on PowerPoint Mouseover to deliver Graphite malware

Pierluigi Paganini September 28, 2022

The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware.

The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported.

Cluster25 researchers were analyzing a lure PowerPoint document used to deliver a variant of Graphite malware, which is known to be used exclusively by the APT28 group, that starts the attack chain when the user starts the presentation mode and moves the mouse.

The user action starts the execution of a PowerShell script designed to download and run a dropper from OneDrive.

“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” reads the analysis published by Cluster25.

The lure document used a template potentially linked to The Organisation for Economic Co-operation and Development (OECD), it contains two slides, written in English and French respectively, with the same content.


The dropper appears as a file with a JPEG extension (DSC0002.jpeg), it is a DLL file that is later decrypted and written to C:\ProgramData\lmapi2.dll.

The last stage malware is a version of Graphite, it communicates with the C2 servers through the domain graph[.]Microsoft[.]com, (i.e. abusing the Microsoft Graph service) and OneDrive.

The Graphite is a fileless malware that is deployed in-memory only and is used by threat actors to deliver post-exploitation frameworks like Empire.

The analysis of metadata revealed that the nation-state actors employed them in a campaign between January and February 2022. However, the researchers noticed that URLs used in the attacks appeared still active in August and September, a circumstance that suggests the campaign is still ongoing.

Potential targets of the campaign are organizations and individuals operating in the defense and government sectors of countries in Europe and Eastern Europe.

“Such recent evidence could suggest some sort of activities still ongoing linked to the described threat or to some of its variants. Finally, based on several indicators, geopolitical objectives and the analyzed artifacts, Cluster25 attributes this campaign to the Russia-linked threat actor known as APT28 (aka Fancy Bear, TSAR Team, Pawn Storm, Sednit) and indicates entities and individuals operating in the defense and government sectors of Europe and Eastern Europe countries as potential targets.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment