Hackers Use PowerPoint Files for “Mouseover” Malware: Cyber Threat Intelligence Roundup

In this week’s report, we provide an overview of a recent campaign attributed to the notorious Russian threat actor APT28 (aka Fancy Bear), which is reportedly leveraging a novel code execution technique involving minimal human interaction to launch attacks.

Next, we present a strategic intelligence write-up on Ukraine’s recent warning that Russia is planning a new wave of attacks on the country’s critical infrastructure.

Finally, we take a deep dive into a new campaign targeting multiple military contractors involved in weapon manufacturing, including a supplier engaged in manufacturing F-35 Lightning II fighter aircraft components.

1. Hackers use PowerPoint files for “mouseover” malware delivery

Cluster25 has identified a somewhat novel and rare code execution technique which relies on victims’ mouse movements within Microsoft PowerPoint to trigger a malicious PowerShell script. Researchers believe the campaign is uniquely linked to the Russian state-backed threat actor APT28, aka Fancy Bear.

The lure document observed in this campaign is a PowerPoint file that exploits an interesting code execution technique. It’s designed to be triggered when the user starts PowerPoint’s presentation mode and moves the mouse.

A report from threat intelligence company Cluster25 says that APT28 (a.k.a. ‘Fancy Bear’), a threat group attributed to the Russian GRU, have used PowerPoint files for ‘mouseover’ malware delivery https://t.co/5BEf2PM6S2 @BleepinComputer

— 780th Military Intelligence Brigade (Cyber) (@780thC) September 27, 2022

The PowerPoint lure

The PowerPoint file in question contains two slides, each containing the same content. However, the first slide is written in English and the second in French.

By all outward appearances, the document is linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working toward stimulating economic progress and trade worldwide. The slides themselves present the recipients with instructions about the use of an interpretation option native to the Zoom video-conferencing application.

The PowerPoint exploits a unique code execution technique triggered by leveraging hyperlinks as opposed to the more traditional Run Program/Macro (a possible result of Microsoft’s recent ban of certain macros by default in its Office products). The malicious code activates as a response to a minimum of user interaction — specifically when the user moves their cursor while in presentation mode.

The code execution runs a PowerShell script through the SyncAppvPublishingServer utility and then downloads and executes a jpeg file from OneDrive.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It’s certainly not unheard of for threat actors to deliver malware via Office files, though a larger number of those instances seem to leverage Excel and Word documents as opposed to PowerPoint files.”

“Like many phishing campaigns observed in recent months, this attack eschews the use of malicious macros, instead employing a clever ‘mouseover’ event as a user-generated catalyst by which malicious code is executed — although the user does not even have to physically click on the link. While this technique is not new, it is certainly rare and noteworthy and worth keeping an eye on.”

“The Herculean effort it often takes to teach employees to refrain from clicking on suspicious-looking links is one thing, but a whole new level of complexity is added when even hovering over a link can cause significant malicious activity. Revising phishing/social engineering awareness and education programs to reflect this risk is especially daunting, as the hover technique is often one of the primary defensive measures employees are taught to better ascertain a message’s legitimacy when they encounter suspected malicious emails.”

2. Russia plans “massive cyberattacks” on critical infrastructure, Ukraine warns

A recent advisory issued by Ukraine’s Ministry of Defense warns that Russian state-sponsored threat actors are planning massive cyberattacks on both the critical infrastructure facilities belonging to Ukrainian enterprises and those of Ukraine’s allies.

Ukraine warns of imminent GRU cyberattacks

The warning claims the blow will be aimed at enterprises in the energy sector. Interestingly, the warning goes on to state that they will be highly reminiscent of attacks on Ukraine’s energy systems in 2015 and 2016 when hackers operating under the auspices of Russia’s GRU (military intelligence arm) reportedly engaged in two waves of attacks – each leveraging a highly capable piece of malware.

The recent advisory follows several Ukrainian military advances resulting in the recapture of vast swaths of cities that had been under Russian control for months. Researchers also point to Russia’s recent draft (a call for the mobilization of an additional 300,000 Russian citizens to support the country’s conflict with Ukraine) as a possible catalyst for Russia’s increased reliance upon offensive cyber activity to achieve military objectives, thus avoiding placing additional strain on an ongoing military personnel shortage.

Researchers look to previous cyberattacks on Ukraine’s infrastructure

Researchers are divided when it comes to their assessments of the odds of a successful hacking campaign being waged against Ukraine’s power grid in 2022. Ukraine’s cyber defense units seem to have become more adept at detecting and preventing malicious activity within networks belonging to the organizations which comprise the country’s critical infrastructure (Ukraine’s CERT-UA’s detection of the Industroyer malware within a regional energy firm’s environment comes to mind).

Then again, reports suggest the attacks of 2015, 2016, and more recent incidents have been attributed to Russia’s state-backed Sandworm advanced persistent threat (APT) group – and one thing researchers can agree on is that Sandworm is considered one of the world’s most elite state-sponsored hacking groups.

Furthermore, if recent reporting from Mandiant and similar data from other cyber threat intelligence firms is to be believed, APTs on the Kremlin’s payroll are not the only immediate threats facing Ukraine. Cyber hacktivists with alleged links to Russia’s GRU have also made headlines lately for their distributed denial-of-service (DDoS) and defacement attacks against Ukrainian websites (experts believe that they are a front for information operations and destructive cyber activities coordinated by the Kremlin).

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Ukraine — to the surprise of much of the world — has so far maintained a strong resistance in the face of kinetic Russian military incursions. However, it remains to be seen whether Ukraine’s cyber defense forces will be able to maintain a similarly robust resistance to some of the most feared hackers in the world.”

“Certainly, the level and frequency of cyberattacks observed between the combatants involved in this ongoing conflict are unlike anything the world has ever seen. The tactics, techniques, and procedures (TTPs) on display throughout this period of instability will inevitably work their way outside the theater of operations and its cyber battlespace, proving once again that nothing happens in a vacuum, and that conflict — no matter how far away — will eventually touch us all.”

“The only question left to ask is this: what will we learn from any of this, and how will we use it?”

3. Researchers uncover covert attack campaign targeting military contractors

A recent report by Securonix Threat Labs analyzes a new campaign targeting multiple military contractors involved in weapon manufacturing, including an organization responsible for manufacturing and supplying F-35 Lightning II fighter aircraft components.

The campaign begins – as so many often do – with a phishing email to employees which leads to a multi-stage infection; the activity stands out for its secure C2 infrastructure and multiple layers of obfuscation in the attacks’ PowerShell stages.

According to Securonix, spear phishing was the primary means of initial compromise. The attack itself was carried out beginning in late summer of 2022 and targeted at least two high-profile organizations currently acting as military contractors.

The campaign leverages a malicious script which attempts to implement several persistence methods, including embedding itself into the registry, inserting itself as a scheduled task on the affected host, and leveraging WMI to create a new subscription in order to execute malicious code as command line arguments.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“While the overarching tactics leveraged in this campaign are well known to security researchers, the threat actor behind this campaign seems to have put a lot of effort into establishing solid anti-analysis techniques and counter-forensics measures. In a move largely viewed as uncharacteristic of cybercriminals behind most phishing campaigns followed by multi-stage, post-exploitation activity, this threat actor appears to have strived to maintain a significant degree of operational security (OPSEC) throughout the attack cycle, rather than focusing all its efforts on adding technical complexity to the post-exploitation phases of the operation, thus ensuring the campaign’s malware is harder to detect and analyze.”

---

For further reading, catch up on our recent cyber threat intelligence roundups.