Researchers from Cluster25 believe APT28, a Russian state-sponsored threat group, is using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations (T1566.001, T1204.002), which in turn triggers a malicious PowerShell script (T1059.001). While most Microsoft Office-based attacks require malicious macros, this new technique does not, making it especially dangerous.

“The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. Inside the PPT file, there are two slides, both featuring instructions in English and French for using the Interpretation option in Zoom video-conferencing app” (Bleeping Computer, 2022).

The PPT file contains a hyperlink (T1204.001) which acts as a trigger for launching PowerShell scripts using the SyncAppvPublishingServer utility (T1569). This technique has been around since June 2017, but this is the first time researchers have seen it used inside an Office document without malicious macros. The campaign appears to have taken place between January and February of this year and then again in August in September with new URLs.

According to Cluster 25, the activity they have attributed to APT28 is using the PowerPoint mouse-over technique to deliver the Graphite malware. The campaign has targeted entities in the defense and government sectors of the European Union and Eastern Europe.

Never let your guard down when it comes to your digital security. Have questions about securing your network and providing the latest in digital security awareness training? Contact Citynet or call us: 1.844.CITYNET.