A PowerPoint Exploit is being used to Spread Russian Malware
Researchers have discovered a new cyber threat that leverages a PowerPoint vulnerability to deliver Graphite malware to targeted machines.
The dangerous part of this campaign is that victims don’t actually have to click anything or download the malware themselves. Simply hovering over the link is enough to trigger the attack.
Cybersecurity researchers at Cluster25 discovered APT28, also known as Fancy Bear, distributing a PowerPoint presentation that appears to originate from the Organization for Economic Co-Operation and Development (OECD).
The presentation contains only two slides and a hyperlink. When the victim hovers over the hyperlink, a PowerShell script is launched using the SyncAppvPublishingServer utility. The script downloads a JPEG file named DSC0002.jpeg from a Microsoft OneDrive account. The JPEG is actually an encrypted DLL called Imapi2.dll, which in turn pulls and decrypts a second JPEG file: the Graphite malware in portable executable form.
According to Malpedia, Graphite malware was first discovered by researchers at Trellix. They described it as malware that uses Microsoft Graph API and OneDrive as its C2. Initially, it was being deployed in-memory, and its goal was to download the Empire post-exploitation agent.
APT28 – the well-known threat actor – is allegedly on Russia’s payroll. Security experts believe the group is part of the Main Intelligence Directorate of the Russian General Staff, or GRU.
It is believed that the group has been spreading Graphite via this technique since early September. Researchers believe the most likely targets are organizations in the defense and government sectors of the EU and Eastern Europe.
Story via Techradar.com