Hackers use PowerPoint files for 'mouseover' malware delivery

This article was updated on 9/29/22 with new information that Microsoft fixed a vulnerability in 2021 tracked as CVE-2021-40444 that also prevents this PowerPoint exploit from working. If you have installed Windows Updates since then, your device is secure.

Hackers believed to work for Russia have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script.

No macro is necessary for the malicious code to execute and download the payload, for a more insidious attack.

A report from threat intelligence company Cluster25 says that APT28 (a.k.a. ‘Fancy Bear’), a threat group attributed to the Russian GRU (Main Intelligence Directorate of the Russian General Staff), have used the new technique to deliver the Graphite malware as recently as September 9.

The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental entity working towards stimulating worldwide economic progress and trade.

Inside the PPT file there are two slides, both featuring instructions in English and French for using the Interpretation option in Zoom video-conferencing app. 

The PPT file contains a hyperlink that acts as a trigger for launching a malicious PowerShell script using the SyncAppvPublishingServer utility.

An early version of this technique has been documented since June 2017. Multiple researchers explained at the time how the infection works without a malicious macro nested inside an Office document (1, 2, 3, 4).

Based on the metadata found, Cluster25 says that the hackers have been preparing the campaign between January and February, although the URLs used in the attacks appeared active in August and September.

The researchers say that the threat actor targets entities in the defense and government sectors of countries in the European Union and Eastern Europe and believe that the espionage campaign is ongoing.

Infection chain

When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.

The JPEG is an encrypted DLL file (lmapi2.dll), that is decrypted and dropped in the 'C:\ProgramData\' directory, later executed via rundll32.exe. A registry key for persistence is also created for the DLL.

Next, lmapi2.dll fetches and decrypts a second JPEG file and loads it into memory, on a new thread previously created by the DLL.

Cluster25 details that each of the strings in the newly fetched file requires a different XOR key for deobfuscation. The resulting payload is Graphite malware in portable executable (PE) form.

Graphite abuses the Microsoft Graph API and OneDrive to communicate with the command and control (C2) server. The threat actor accesses the service by using a fixed client ID to obtain a valid OAuth2 token.

With the new OAuth2 token, Graphite queries the Microsoft GraphAPIs for new commands by enumerating the child files in the check OneDrive subdirectory, the researchers explain.

“If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm,” Cluster25 says, adding that "the malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread.”

Graphite malware's purpose is to allow the attacker to load other malware into system memory. It has been documented back in January by researchers at Trellix, a merger of McAfee Enterprise and FireEye, who named it so specifically because it leverages the Microsoft Graph API to use OneDrive as C2.

The campaign that Trellix investigated used an Excel documents titled "parliament_rew.xlsx" and "Missions Budget.xlsx" that appeared to target government employees and individuals in the defense industry.

Based on code similarities with malware samples from 2018, targeting, and the infrastructure used in the attacks, Trellix has attributed Graphite to APT28 with low to moderate confidence.

Update 9/29/22:

Before publishing this article, BleepingComputer attempted to confirm if Microsoft fixed the PowerPoint bug described in this attack. Unfortunately, while we found numerous writeups about the bug and its variants, none of them indicated that it was fixed.

Furthermore, a writeup from 2020 about a similar issue said that Microsoft was aware of the bug but was not fixing it as it "requires social engineering attack," which is a typical response from Microsoft regarding vulnerabilities like this one.

However, soon after publishing the story, BleepingComputer was contacted by Will Dormann, who said that documents downloaded from the Internet, or a mail client, will contain a Mark-of-the-Web.

This MoTW would cause Microsoft Office to open the document in Protected View and display a warning explaining that the mouseover may trigger a "potential security concern," as shown in Dormann's tweet below.

While it does not appear that Microsoft ever fixed the mouseover exploit, Dormann says a Windows security update for CVE-2021-40444 prevents extensions as being used as URIs, which this exploit relied on.

Therefore, while there appears to be a recent attack using this vulnerability, you will not be affected if you regularly install Windows security updates.

However, if you do not regularly install updates on your devices and have not done so since the September 2021 Patch Tuesday, you are vulnerable to this exploit and many others.