APT28 Abuses PowerPoint Mouse Movement to Avoid Macros

Researchers from Cluster25 Threat Intel Team have uncovered a new infection chain from the Russian threat group, APT28 (aka Fancy Bear, Tsar Team). The threat group is abusing the mouse movement feature in Microsoft PowerPoint to facilitate the execution of a malicious PowerShell script. The attack is unique as macros are not needed for code execution and payload download. The infection chain observed on September 9th, 2022, has been used to deliver Graphite malware. The malicious PowerPoint file used by the threat actors was seen to be linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization promoting economic growth. "This PowerPoint exploits a code execution technique that is triggered by using Hyperlinks instead of Run Program / Macro, which is designed to be triggered when the user starts the presentation mode and moves the mouse." The SyncAppvPublishingServer utility is used to execute a PowerShell script and downloads additional DLL payloads from OneDrive, although the files would initially have JPEG extensions. The downloaded DLL files would be added to the registry for persistence and the malware would be loaded into the host's memory under a new thread that had been created by the DLL file. "The malware communicates with the Command and Control (C&C) through the domain graph[.]Microsoft[.]com, i.e. abusing the Microsoft Graph service, which is the API Web RESTful that provides access to Microsoft Cloud service resources. Hence, the analysis showed that the sample in question is a version of the Graphite malware, malware using the Microsoft Graph API and OneDrive for C&C communications." A fixed client ID is used to obtain an OAuth2 token to enable the service from Microsoft resources.