PowerPoint again a popular malware delivery vector

Fancy Bear hacking group is running a new malware campaign with email messages containing PowerPoint files, as reported by Cluster25, a threat intelligence firm.

The malicious messages contain a Powerpoint presentation that appears to be affiliated with the Organization for Economic Co-operation and Development (OECD). This file exploits a code execution technique, which is designed to be triggered when the user starts the presentation mode and moves the mouse over a link. The code execution runs a PowerShell script (via the native SyncAppvPublishingServer.exe utility), that downloads and executes a dropper from OneDrive.

The malware family dropped is called Graphite, which uses the Microsoft Graph API and OneDrive for C&C communications.

Some notes:

• Why Onedrive and Graph API? OneDrive and MS Graph API invocations will usually be less scrutinized by network security devices and often tend to be trusted within an organization. Better chance of success and of avoiding detection.

• Why mouseover event to download malware? It's useful from an attacker's point as it does not require explicit clicking, just scrolling the mouse over a link. Also, using link mouseover does not rely on Macros. These are increasingly blocked and suppressed by Microsoft's recent steps to restrict Macro enabled documents in email attachments, so mouseover triggered downloads appear as a good alternative.

• Office Protected View (enabled by default in new Office versions) will not allow the resulting script to run, which is good news. However, attackers rely on some users disabling the Protected View and some might still running older Office versions without the Protected view feature.

• Conclusion: to ensure proper protection, endpoint monitoring should detect abnormal invocations of SyncAppvPublishingServer.exe performing web downloads. Again, endpoint detection and response (EDR) to the rescue.