Fancy Bear, aka APT28, is a Russian state-sponsored threat actor. The group is back in action and utilizing a new code execution method that exploits mouse movement in MS PowerPoint files to distribute Graphite malware.
For your information, APT28/Fancy Bear is linked with a Russian military intelligence unit called GRU. This is the same group that was blamed for hacking MH17 flight crash investigators with a spear-phishing campaign in October 2016. In 2018, the group was accused of sending death threats to US army wives posing as ISIS.
According to threat intelligence firm Cluster25, Fancy Bear used mouse movements in MS PowerPoint presentations to execute a malicious PowerShell script. The group leverages the SyncAppvPublishingServer utility for this purpose.
In its technical report, Cluster25 stated that the attack starts right after the user runs the presentation mode and uses the mouse. A PowerShell script is run, and a dropper from OneDrive is downloaded and executed.
The .ppt files have two slides with instructions in French and English, while the interpretation option is available in the Zoom app. The image file is an encrypted DLL file, which is decrypted and dropped in the ‘C:\ProgramData\’ directory. It is run later through rundll32.exe, and a registry key is also created to ensure persistence.
The dropper is a harmless-looking image file that functions as a pathway for a follow-on payload. This is a Graphite malware variant. It uses the Microsoft Graph API and OneDrive to carry out C2 communications and retrieve additional payloads. Fancy Bear uses a valid OAuth2 token and a fixed client ID to access the service.
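The process chain described above (PowerPoint launching SyncAppvPublishingServer, then rundll32.exe running a DLL from C:\ProgramData\) can be expressed as detection logic over process-creation events. This is an added example, not code from Cluster25 or the original article; the event field names, sample events, DLL name and rule names are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any platform

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# None of these values come from the Cluster25 report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "cmdline": "SyncAppvPublishingServer.exe <arguments redacted>"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\example.dll,ExampleExport"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": r'POWERPNT.EXE "C:\Users\a\Documents\q3.pptx"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Any command-line token that points below the ProgramData directory.
PROGRAMDATA_PATH = re.compile(r'(?i)c:\\programdata\\[^\s,"]*')


def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    parent = basename(event["parent"]).lower()
    image = basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    hits = []
    # Rule 1: PowerPoint has no normal reason to start the App-V publishing
    # utility, whether as the .exe or as a script named on the command line.
    if parent == "powerpnt.exe" and (
        image.startswith("syncappvpublishingserver")
        or "syncappvpublishingserver" in cmd
    ):
        hits.append("powerpoint_spawns_syncappv")
    # Rule 2: rundll32.exe executing a file stored under the ProgramData directory.
    if image == "rundll32.exe" and PROGRAMDATA_PATH.search(event["cmdline"]):
        hits.append("rundll32_from_programdata")
    return hits


def triage(events):
    """Return (index, matched_rules) for every event that matches a rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]
```

Rule 2 will also match legitimate software that stores DLLs under C:\ProgramData\, so in practice it is best correlated with rule 1 or with a new persistence registry key on the same host.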
Attack Method Analysis
The attack, according to the company’s report, entails using a lure document with a template linked to the Paris-based entity OECD (Organization for Economic Co-operation and Development).
Researchers noted that these attacks are ongoing, since the URLs used in the attack were active between August and September. However, they also said that the hackers had started prepping for the campaign in January.
“When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.” (Cluster25)
This campaign’s potential targets include individuals and organizations in the government and defense sectors. Fancy Bear is primarily targeting entities in Eastern Europe and Europe. This indicates that Fancy Bear aims to achieve specific objectives, considering the geographic focus of the gang.