Malicious PowerPoint file - September 2022

Hovering over a link to infect your PC

Cybercriminals are using a new code execution technique to infect Windows computers with just a PowerPoint presentation and the flick of a mouse! Here is how it works.

According to a report by the company Cluster25, this new attack campaign is led by the APT28 group, nicknamed “Fancy Bear” and associated with Russia. This attack is intended to be particularly stealthy, because it does not require the use of a malicious macro to download and execute the malicious payload, in this case the Graphite malware.

PowerPoint mouse over - Attack

Cybercriminals use a malicious PowerPoint file in the colors of the OECD (Organisation for Economic Co-operation and Development). According to Wikipedia, it is “an international organization for economic studies, whose member countries — mostly developed countries — have in common a system of democratic government and a market economy.”

This PowerPoint file contains two slides, one with instructions in English and the other in French, which claim to provide information on using the interpretation option in the Zoom video conferencing application. The file contains a hyperlink that calls a malicious PowerShell script through the SyncAppvPublishingServer utility. This is a known technique, already documented in 2017, as shown in this article.

According to the researchers, this campaign of attacks targets the countries of the European Union, and more specifically entities in the defense sector as well as government entities.

How is the machine infected?

When the PowerPoint document is opened in presentation mode, a user’s machine can be infected simply by hovering the mouse over the wrong place! If the user hovers the mouse over the hyperlink embedded in the presentation, a PowerShell script runs and downloads the JPEG file “DSC0002.jpeg” from a OneDrive account. This file is not a simple image: it is an encrypted DLL (lmapi2.dll), which is then decrypted and stored in the “C:\ProgramData\” folder before being launched by rundll32.exe. In addition, a registry key is created for persistence.

This first process downloads and decrypts a second JPEG image, on the same principle as the first. Finally, the Graphite malware is executed on the infected machine. To communicate with the C2 infrastructure, the malware relies on the Microsoft Graph API and OneDrive, using OAuth2 token-based authentication. This OneDrive space serves as a repository for deploying new payloads to the infected machine. Remote command execution is also possible.
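
Because the trigger is a mouse-over action stored in the slide XML, a suspect .pptx can be triaged without opening it in PowerPoint. The Python sketch below is an added example, not code from this article or from the Cluster25 report: it lists every hover hyperlink in a presentation and the target it resolves to. The sample package, its targets and the suspicious-target pattern are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HOVER_TAGS = {"hlinkHover", "hlinkMouseOver"}  # shape-level and text-run hover actions
SUSPICIOUS = re.compile(r"syncappvpublishingserver|powershell|\.vbs|\.exe", re.I)  # assumed pattern

def find_hover_actions(pptx_bytes):
    """Return (slide, action, target, suspicious) for every mouse-over hyperlink."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            # The r:id on a hover element resolves to a Target in the slide's .rels part.
            rels_name = slide.replace("slides/", "slides/_rels/") + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{REL_NS}}}Relationship"):
                    targets[rel.get("Id")] = rel.get("Target", "")
            for el in ET.fromstring(z.read(slide)).iter():
                if el.tag.rsplit("}", 1)[-1] in HOVER_TAGS:
                    action = el.get("action", "")
                    target = targets.get(el.get(f"{{{R_NS}}}id"), "")
                    # "ppaction://program" is PowerPoint's run-program action.
                    bad = action.startswith("ppaction://program") or bool(SUSPICIOUS.search(target))
                    findings.append((slide, action, target, bad))
    return findings

def build_sample():
    """Constructed package: slide1 has a program hover action, slide2 a plain web link."""
    ns = f'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="{R_NS}"'
    def slide(tag, action):
        return f'<sld {ns}><a:{tag} r:id="rId2" action="{action}"/></sld>'
    def rels(target):
        return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId2" '
                f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide("hlinkHover", "ppaction://program"))
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels("SyncAppvPublishingServer.vbs"))
        z.writestr("ppt/slides/slide2.xml", slide("hlinkMouseOver", ""))
        z.writestr("ppt/slides/_rels/slide2.xml.rels", rels("https://example.org/"))
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_hover_actions(build_sample()):
        print(finding)
```

When scanning untrusted files at scale, swap the standard-library XML parser for a hardened one such as defusedxml.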

