Hackers trigger a malicious PowerShell script through mouse movements in PowerPoint presentations.
Russian hackers have allegedly launched a spying campaign.
Hackers allegedly from Russia have developed a new technique for executing malicious code. The attack does not require a malicious macro: the malicious code runs and downloads the payload when the victim simply moves the mouse over a hyperlink while a Microsoft PowerPoint presentation is in presentation mode.
Powerpoint file with hyperlink
As the security company Cluster25 reports, this technique was first observed on September 9, 2022. This is how the hacker group APT28 spread the Graphite malware, a loader that lets the attackers pull further malware into system memory. The group sends its victims a PowerPoint file that supposedly comes from the Organization for Economic Co-operation and Development (OECD). On two slides, in English and French, the file explains the interpretation options in the Zoom video conferencing app. Also embedded in the PPT file is a hyperlink that, on mouse-over, launches the malicious PowerShell script via the SyncAppvPublishingServer utility, a legitimate signed Windows component that can be abused to run PowerShell commands without invoking powershell.exe directly. According to Cluster25, the attackers had prepared the campaign as early as January and February 2022, while the URLs used in the attacks were active in August and September.
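The trigger described above lives entirely in the PPTX package: a PresentationML hyperlink carries either an `a:hlinkMouseOver` or `a:hlinkClick` element, and when that element declares `action="ppaction://program"` the relationship target is a program (with arguments) rather than a URL, so hovering or clicking executes it. The following scanner is an added example written for this article, not code from Cluster25 or from the article's author. It unpacks a .pptx, walks every slide, resolves each hyperlink's relationship id to its target, and flags program actions and targets naming SyncAppvPublishingServer or other script hosts. The two-slide sample document it builds is constructed for the demonstration; its `Start-Process notepad` argument is a harmless placeholder standing in for the real payload command, which the article does not reproduce, and the list of suspicious target names is this example's own heuristic.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}

# Script hosts and LOLBins a slide hyperlink has no legitimate reason to launch (example heuristic).
SUSPICIOUS_TARGET = re.compile(
    r"syncappvpublishingserver|powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|certutil",
    re.IGNORECASE,
)


def _load_rels(z: zipfile.ZipFile, slide_name: str) -> Dict[str, Tuple[str, str]]:
    """Map the relationship ids of one slide to (Target, TargetMode)."""
    rels_name = slide_name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    rels: Dict[str, Tuple[str, str]] = {}
    if rels_name in z.namelist():
        root = ET.fromstring(z.read(rels_name))
        for rel in root.findall("rel:Relationship", NS):
            rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_pptx(data: bytes) -> List[Dict[str, str]]:
    """Return every slide hyperlink that declares a program action or points at a suspicious target."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _load_rels(z, name)
            root = ET.fromstring(z.read(name))
            # Both hover (mouse-over) and click hyperlinks can carry ppaction://program.
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS['a']}}}{trigger}"):
                    action = el.get("action", "")
                    target, mode = rels.get(el.get(f"{{{NS['r']}}}id"), ("", ""))
                    if action.startswith("ppaction://program") or SUSPICIOUS_TARGET.search(target):
                        findings.append({"slide": name, "trigger": trigger, "action": action,
                                         "target": target, "mode": mode})
    return findings


def build_sample_pptx() -> bytes:
    """Constructed two-slide skeleton: slide 1 has a mouse-over program link, slide 2 a normal URL."""
    def slide(link_tag: str, action_attr: str) -> str:
        return (f'<p:sld xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:r="{NS["r"]}">'
                '<p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">'
                f'<a:{link_tag} r:id="rId2"{action_attr}/>'
                '</a:rPr><a:t>Zoom interpretation options</a:t></a:r></a:p></p:txBody></p:sp>'
                '</p:spTree></p:cSld></p:sld>')

    def rels(target: str) -> str:
        return (f'<Relationships xmlns="{NS["rel"]}">'
                '<Relationship Id="rId2" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                f'Target="{target}" TargetMode="External"/></Relationships>')

    # Placeholder argument: SyncAppvPublishingServer.vbs hands its argument to PowerShell, so the
    # "Break;" ends the script's own statement and the rest runs. Real payload not reproduced here.
    evil = "SyncAppvPublishingServer.vbs &quot;Break; Start-Process notepad&quot;"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide("hlinkMouseOver", ' action="ppaction://program"'))
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels(evil))
        z.writestr("ppt/slides/slide2.xml", slide("hlinkClick", ""))
        z.writestr("ppt/slides/_rels/slide2.xml.rels", rels("https://example.org/"))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_pptx(build_sample_pptx()):
        print(hit)
```

To triage a real attachment, pass the file bytes to `scan_pptx`; only slide 1 of the constructed sample is reported, the ordinary `https://` link on slide 2 is not. The scan is static and cheap enough for mail-gateway use, but it only catches the document side of the chain; on endpoints, a PowerPoint process (powerpnt.exe) spawning wscript.exe or SyncAppvPublishingServer.exe is the process-tree signal that complements it.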
Espionage campaign in the EU and Eastern Europe
The security experts at Cluster25 assess that the attacks are part of an espionage campaign run by the Russian government. The attackers have targeted defense and government entities in Eastern Europe and the European Union.