Hackers Use PowerPoint Files for 'Mouseover' Malware Delivery
Powerpoint Image

Hackers Use PowerPoint Files for ‘Mouseover’ Malware Delivery

Researchers from Cluster25 believe APT28, a Russian state-sponsored threat group, is using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations (T1566.001, T1204.002), which in turn triggers a malicious PowerShell script (T1059.001). While most Microsoft Office-based attacks require malicious macros, this new technique does not, making it especially dangerous.

“The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. Inside the PPT file, there are two slides, both featuring instructions in English and French for using the Interpretation option in Zoom video-conferencing app” (Bleeping Computer, 2022).

The PPT file contains a hyperlink (T1204.001) which acts as a trigger for launching PowerShell scripts using the SyncAppvPublishingServer utility (T1569). This technique has been around since June 2017, but this is the first time researchers have seen it used inside an Office document without malicious macros. The campaign appears to have taken place between January and February of this year and then again in August in September with new URLs.

According to Cluster 25, the activity they have attributed to APT28 is using the PowerPoint mouse-over technique to deliver the Graphite malware. The campaign has targeted entities in the defense and government sectors of the European Union and Eastern Europe.

Never let your guard down when it comes to your digital security. Have questions about securing your network and providing the latest in digital security awareness training? Contact Citynet or call us: 1.844.CITYNET.

Like this article?

Share on Facebook
Share on Twitter
Share on Linkdin
Share on Pinterest

More Posts

Employee: Rafe Davis
Employee Highlight

Technical Support Center Supervisor: Rafe Davis

It’s time for another behind-the-scenes look at the employees of Citynet! Today, we are talking with Technical Support Center Supervisor Rafe Davis. How long have

QR Code Scam Image
The Latest Scams

How to Protect Yourself from QR Code Scams

QR codes are a convenient way to share information quickly and easily. However, they can also be used for malicious purposes, such as phishing scams.

Football Tech Image

Technology & Football

Football is a constantly evolving sport, and technology is playing an increasingly important role in it. We here at Citynet obviously love technology, and we