Rewterz Threat Alert – APT28 Utilize PowerPoint Files To Distribute Graphite Malware – Active IOCs

Severity

High

Analysis Summary

According to researchers, the Russia-linked APT28 used a technique to deploy malware that relied on mouse movement in decoy Microsoft PowerPoint documents.

For a more stealthy attack, no malicious macro is required for the malicious code to run and download the payload.

‘A PowerShell script is launched by the code, and it downloads and runs a dropper for the Graphite malware, which initiates the attack chain when the user enters presentation mode and moves the mouse.’

When the victim opens the lure document in presentation mode and holds the mouse over a hyperlink, a malicious PowerShell script is launched, which downloads a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.

“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.”

The threat actor entices victims with a PowerPoint (.PPT) file purportedly related to the Institution for Economic Co-operation and Development (OECD), an intergovernmental organisation dedicated to promoting global economic progress and trade.

There are two slides in the PPT file, each with instructions in English and French for activating the Interpretation option in the Zoom video-conferencing app.

The JPEG is a DLL file that has been encrypted (lmapi2.dll), which is then decrypted and dropped in the  ‘C:\ProgramData\’ directory before being launched by rundll32.exe. For the DLL, a registry key is also generated for persistence.

Then, lmapi2.dll retrieves and decrypts a second JPEG file and loads it into memory, on a new thread previously started by the DLL.

The last stage of malware is a variant of Graphite, which connects with the C2 servers by exploiting the Microsoft Graph service and utilising OneDrive and the domain graph[.]Microsoft[.]com,.

Graphite malware’s objective is to allow the attacker to load additional malware into system memory. ‘It has been disclosed back in January by researchers who dubbed it such particularly because it uses the Microsoft Graph API to use OneDrive as C2.’

Researchers indicated that organizations and individuals in the defense and government sectors of European countries may have been the possible targets of this campaign.

Impact

• Malware Distribution

Indicators of Compromise

Domain Name

• 9b5uja[.]am[.]files[.]1drv[.]com
• kdmzlw[.]am[.]files[.]1drv[.]com

MD5

• ef1288de782e65d6e5bd6a327157988f

SHA-256

• be180a7c43734b7125b2d5cea7edd0174811a58113b048f5fe687db52db47fe3

SHA1

• a23efb6aa5a242c61c5d50a967a8f29da164c954

URL

https[:]//kdmzlw[.]am[.]files[.]1drv[.]com/y4mv4glUgvW9nl8z8GU71PhPw0oRtve9QpZ0pEgwJN1q_TlGY5yl5Mvkrc5rUh0
Uxxknlr1qymWyCbPrkKOFgL4CARScSn9UMhq3c5hSNOQsDOamYLmOfN61lUtQO10vxtn0I7QROJdOtQ42wDsaiACGR5Zr
mYwt0SmZkphGWQpT2gOFrsUxjg8_7QT01VTABiGr3T6xpWrTmFT5yu4toQ/DSC0001[.]jpeg?download”

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs)  in your environment utilizing your respective security controls
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets
• Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.