This attack uses mouse movement to launch a malicious PowerShell script once a PowerPoint presentation has been opened. What makes it more insidious is that no macro is required: hovering alone is enough to download and execute the payload.
According to the report, Graphite malware was delivered with this technique as recently as September 9, in what is a new delivery method for APT28 (aka Fancy Bear, TSAR Team).
The hyperlink in the PPT file launches the malicious PowerShell script through SyncAppvPublishingServer, a legitimate, signed Microsoft utility that runs PowerShell code passed to it as an argument. The technique itself is not new: it has been documented online since June 2017.
As soon as the victim hovers the mouse over the hyperlink while the lure document is in presentation mode, the malicious PowerShell script runs.
Next, the script downloads a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.
The JPEG is in fact an encrypted payload: the script decrypts it into a DLL and writes it to C:\ProgramData\lmapi2.dll. lmapi2.dll is a 64-bit PE file; when loaded, it creates a new thread and a mutex named 56rd68kow that controls its execution.
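The trigger described above lives inside the PPTX itself: a mouse-over action hyperlink whose target is a program to run rather than a URL. The following triage script is an added example (not code from the report or from the threat actor) that unpacks a .pptx, resolves each slide's `hlinkMouseOver` and `hlinkClick` elements through the slide's `.rels` part, and flags any link that uses the `ppaction://program` action or whose target names SyncAppvPublishingServer or a similar command interpreter. The sample document it scans is constructed in memory; the OOXML layout follows the Open XML spec, but the command string in it is a hypothetical placeholder, not the real lure's payload.

```python
"""Scan a .pptx for mouse-over / click hyperlinks that run a program.

Added example: constructed sample, not the actual lure document.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
RID = "{%s}id" % NS["r"]

# Interpreters and LOLBins worth flagging when they appear in a link target.
SUSPICIOUS = re.compile(
    r"SyncAppvPublishingServer|powershell|cmd\.exe|mshta|wscript|cscript|rundll32",
    re.IGNORECASE,
)


def _slide_rels(zf, slide_name):
    """Map rId -> Target for one slide (ppt/slides/_rels/<slide>.rels)."""
    base = slide_name.rsplit("/", 1)[-1]
    rels_name = "ppt/slides/_rels/%s.rels" % base
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {r.get("Id"): r.get("Target") for r in root.findall("rel:Relationship", NS)}


def find_action_links(pptx_bytes):
    """Return (slide, trigger, action, target) for every suspicious hyperlink.

    A link is reported if its action is a 'run program' action or if the
    resolved target looks like a command line rather than a URL.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (NS["a"], tag)):
                    action = el.get("action", "")
                    target = rels.get(el.get(RID), "") or ""
                    if action.startswith("ppaction://program") or SUSPICIOUS.search(target):
                        findings.append((name, tag, action, target))
    return findings


def build_sample_pptx():
    """Constructed document: one slide with a benign click link and a
    mouse-over 'run program' link carrying a hypothetical command."""
    slide = """<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{a}" xmlns:r="{r}">
 <p:cSld><p:spTree>
  <p:sp><p:txBody><a:p><a:r>
   <a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
   <a:t>Next slide</a:t>
  </a:r></a:p></p:txBody></p:sp>
  <p:sp><p:txBody><a:p><a:r>
   <a:rPr><a:hlinkClick r:id="rId3"/></a:rPr><a:t>Company site</a:t>
  </a:r></a:p></p:txBody></p:sp>
 </p:spTree></p:cSld>
</p:sld>""".format(a=NS["a"], r=NS["r"])
    rels = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{rel}">
 <Relationship Id="rId2" Type="{r}/hyperlink"
   Target="SyncAppvPublishingServer.vbs;powershell -w hidden -c example" TargetMode="External"/>
 <Relationship Id="rId3" Type="{r}/hyperlink"
   Target="https://www.example.org/" TargetMode="External"/>
</Relationships>""".format(rel=NS["rel"], r=NS["r"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for slide, trigger, action, target in find_action_links(build_sample_pptx()):
        print("%s: %s action=%r target=%r" % (slide, trigger, action, target))
```

Run `find_action_links()` over a real file by passing `open(path, "rb").read()`; the benign `hlinkClick` to a URL is not reported, while the mouse-over program action is. Checking the action attribute as well as the target matters because a program action with an innocuous-looking target is still code execution on hover.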
Further, Graphite communicates with its C2 server using the following two elements:
- Microsoft Graph API
- Microsoft OneDrive
To obtain a valid OAuth2 token, the malware uses a fixed client ID that grants access to the service. With that token, Graphite enumerates the child files in the check OneDrive subdirectory and queries the Microsoft Graph API for new commands.
The malware is designed to let the attacker load further malware into the system's memory in order to take control of it.