
Microsoft PowerPoint leveraged in Russian malware attacks

Russian state-sponsored threat group APT28, also known as Fancy Bear, is spreading the Graphite malware using a novel code execution technique that fires when the mouse moves over a link in a Microsoft PowerPoint file, BleepingComputer reports. According to a report from Cluster25, the ongoing campaign, whose preparations began between January and February, primarily targets defense and government organizations in the European Union and Eastern Europe. Targets receive a PowerPoint file purporting to come from the Organization for Economic Co-operation and Development. The file contains a hyperlink that, when hovered over, runs a malicious PowerShell script. That script downloads a JPEG file that is actually an encrypted DLL; the DLL in turn retrieves and decrypts a second JPEG file, which is loaded into memory and ultimately deploys the Graphite malware, the researchers said. "The malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread," Cluster25 added.
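The hover trigger described above is an ordinary PowerPoint action setting: in the OOXML slide markup it appears as an a:hlinkMouseOver element, and a "Run program" action carries the ppaction://program URI with the command stored as an external hyperlink relationship in the slide's .rels part. A .pptx is a zip file, so such hover actions can be enumerated without opening the deck. The scanner below is an added example, not code from Cluster25, BleepingComputer or SC Media; it builds a minimal constructed deck in memory (only the slide and relationship parts, so it is not a complete presentation), then flags mouse-over or click actions that launch a program or whose target names a script host. The powershell.exe target string, the list of suspicious executables and the benign example.org URL are illustrative assumptions, not indicators from the campaign.

```python
"""Enumerate hover/click actions in a .pptx that launch a program.

Added example (not from the article or Cluster25). The sample deck is
constructed inline; the PowerShell target and hosts list are assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]
# Action URIs that make PowerPoint execute something instead of navigating.
SUSPICIOUS_ACTIONS = ("ppaction://program", "ppaction://macro")
# Script hosts that have no business being a hyperlink target (assumed list).
SUSPICIOUS_TARGET = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32)", re.I)


def load_rels(zf, slide_name):
    """Map rId -> Target for the relationship part belonging to one slide."""
    rels_name = "ppt/slides/_rels/%s.rels" % slide_name.rsplit("/", 1)[-1]
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {r.get("Id"): r.get("Target", "")
            for r in root.findall("rel:Relationship", NS)}


def scan_pptx(data: bytes):
    """Return (slide part, trigger element, action URI, target) for each hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = load_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            # hlinkMouseOver fires on hover during a slideshow; hlinkClick on click.
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    action = el.get("action", "")
                    target = rels.get(el.get(R_ID), "")
                    if action.startswith(SUSPICIOUS_ACTIONS) or SUSPICIOUS_TARGET.search(target):
                        findings.append((name, trigger, action, target))
    return findings


def build_sample_pptx(target: str, action: str = None) -> bytes:
    """Constructed minimal deck: one slide with one mouse-over hyperlink.

    Only the slide and its .rels part are written, enough for scan_pptx but
    not a complete presentation PowerPoint would open.
    """
    action_attr = ' action="%s"' % escape(action) if action else ""
    slide = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<p:sld xmlns:a="%s" xmlns:r="%s" '
        'xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">'
        '<p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Link">'
        '<a:hlinkMouseOver r:id="rId2"%s/>'
        '</p:cNvPr><p:cNvSpPr/><p:nvPr/></p:nvSpPr></p:sp>'
        '</p:spTree></p:cSld></p:sld>' % (NS["a"], NS["r"], action_attr)
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId2" Type="%s/hyperlink" Target="%s" TargetMode="External"/>'
        '</Relationships>' % (NS["rel"], NS["r"], escape(target, {'"': "&quot;"}))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed stand-in for a hover-to-execute deck; the command is a placeholder.
    hostile = build_sample_pptx('powershell.exe -w hidden -c "stage1-placeholder"',
                                "ppaction://program")
    for hit in scan_pptx(hostile):
        print("FLAG slide=%s trigger=%s action=%s target=%s" % hit)
    print("benign findings:", scan_pptx(build_sample_pptx("https://example.org/agenda.pdf")))
```

A hover action of this kind only fires while the deck is in slideshow view, so the presence of an a:hlinkMouseOver pointing at a program is a stronger signal than any single command-line pattern; the action URI check above catches the launch regardless of which host binary is named.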
