Hackers reportedly use PowerPoint's "hover" function to infect PCs


Nathan Le Gohlisse

Hardware Specialist

October 05, 2022 at 2:20 p.m.


PowerPoint © Nghia Nguyen / Unsplash

APT28, a Russian government-backed hacker group, appears to have exploited a new code execution method based on PowerPoint’s “hover” feature.

Deploying malware on a PC by exploiting a simple PowerPoint feature: this is what Russian hackers have apparently managed to do, using mouse movements in the Microsoft software as the trigger.

A novel and pernicious technique

The technique "is designed to be triggered when the user initiates presentation mode and moves the mouse", details Cluster25, a security company whose findings were relayed by TheHackerNews. "Running the code launches a PowerShell script that downloads and runs a dropper from OneDrive."

As the site indicates, the dropper in this case takes the form of a harmless-looking image file. It nonetheless serves as the path to a follow-on payload: a variant of a malware called Graphite, which uses the Microsoft Graph API and OneDrive and has already been used by APT28 (also known as Fancy Bear).
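The trigger described above lives inside the presentation file itself, which means a defender can look for it statically before a deck is ever opened. The following scanner is an added example written for this article; it is not code from Cluster25, TheHackerNews or the article's author. It assumes that PowerPoint stores a "Run Program" action as an `a:hlinkMouseOver` (or `a:hlinkClick`) element carrying `action="ppaction://program"`, with the command line kept in the slide's hyperlink relationship `Target`; it goes slightly beyond the article by also reporting click-triggered and `ppaction://macro` actions, ranking hover triggers highest because they need no user click. The `.pptx` fixture it scans is constructed inline with a placeholder command, so the script runs offline.

```python
"""Static check for .pptx files: flag shapes whose mouse-over (or click) action
launches an external program, the trigger type described in the article.
Added example; not code from Cluster25, TheHackerNews or the article's author."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces (DrawingML, relationships, PresentationML, package rels).
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"

# Assumption: a "Run Program" action is stored as action="ppaction://program" on an
# a:hlinkMouseOver / a:hlinkClick element, with the command in the slide's
# hyperlink relationship Target. "ppaction://macro" is included as a sibling case.
EXEC_ACTIONS = {"ppaction://program", "ppaction://macro"}
TRIGGERS = {f"{{{NS_A}}}hlinkMouseOver": "mouseover", f"{{{NS_A}}}hlinkClick": "click"}


def _rels_for(zf: zipfile.ZipFile, part: str) -> dict:
    """Map relationship Id -> Target for one slide part, e.g. ppt/slides/slide1.xml."""
    folder, _, fname = part.rpartition("/")
    rels_name = f"{folder}/_rels/{fname}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {r.get("Id"): r.get("Target") for r in root.iter(f"{{{NS_REL}}}Relationship")}


def scan_pptx(data: bytes) -> list:
    """Return findings (slide, trigger, action, target) for every program/macro action."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = [n for n in zf.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)]
        for slide in sorted(slides):
            rels = _rels_for(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for tag, trigger in TRIGGERS.items():
                for el in root.iter(tag):
                    action = el.get("action", "")
                    if action in EXEC_ACTIONS:
                        findings.append({
                            "slide": slide, "trigger": trigger, "action": action,
                            "target": rels.get(el.get(f"{{{NS_R}}}id"), ""),
                        })
    return findings


def severity(findings: list) -> str:
    """Hover-triggered execution needs no click, so rank it above click-triggered."""
    triggers = {f["trigger"] for f in findings}
    if "mouseover" in triggers:
        return "high"
    if "click" in triggers:
        return "medium"
    return "none"


def build_constructed_sample(target: str, hover: bool = True,
                             action: str = "ppaction://program") -> bytes:
    """Constructed test fixture: a minimal one-slide archive with a single shape action.
    action=None yields an ordinary hyperlink with no ppaction, i.e. a benign slide."""
    tag = "hlinkMouseOver" if hover else "hlinkClick"
    action_attr = f' action="{action}"' if action else ""
    slide = (f'<p:sld xmlns:a="{NS_A}" xmlns:r="{NS_R}" xmlns:p="{NS_P}"><p:cSld><p:spTree>'
             f'<p:sp><p:nvSpPr><p:cNvPr id="2" name="Shape 1">'
             f'<a:{tag} r:id="rId2"{action_attr}/></p:cNvPr></p:nvSpPr></p:sp>'
             f'</p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId2" '
            f'Type="{NS_R}/hyperlink" Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_pptx.py deck.pptx [more.pptx ...]; with no arguments, scan the fixture.
    paths = sys.argv[1:]
    samples = [(p, open(p, "rb").read()) for p in paths] or \
        [("constructed-sample.pptx", build_constructed_sample("powershell.exe PLACEHOLDER_ARGS"))]
    for name, data in samples:
        found = scan_pptx(data)
        print(f"{name}: severity={severity(found)}")
        for f in found:
            print(f"  {f['slide']}: {f['trigger']} -> {f['action']} {f['target']}")
```

The scanner only reads the XML parts of the archive and never executes anything, so it is safe to run on quarantined attachments; a mail gateway or EDR rule can apply the same `ppaction://program` test to decks that arrive from outside the organisation.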

Finally, the attack is launched from a decoy document that uses a template from the Paris-based OECD (Organisation for Economic Co-operation and Development), we read.

An actively used attack

According to the report published by Cluster25, attacks exploiting this technique may still be ongoing: the URLs used in the latest attacks were found to be active in August and, most recently, in September. APT28 had laid the groundwork for this execution method between January and February, TheHackerNews specifies.

As for the potential targets of this technique, Cluster25 believes that individuals working in the defense sector or within governments in Europe and Eastern Europe are the primary targets. That targeting will surprise no one, given the current geopolitical context.

Source : TheHackerNews
