"Hackers Use PowerPoint Files for 'Mouseover' Malware Delivery"

Hackers suspected of working for Russia have begun to employ a new code execution technique that uses mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. The attack does not require a malicious macro to execute code and download the payload. According to a report from the threat intelligence firm Cluster25, APT28, also known as Fancy Bear, used the technique to deliver the Graphite malware. Graphite's purpose is to let the attacker load other malware into system memory. It was discovered in January by Trellix researchers, who named it for its use of the Microsoft Graph API to turn OneDrive into a command-and-control (C2) server. The threat actor lures victims with a PowerPoint (PPT) file purportedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization that promotes global economic progress and trade. The file contains two slides, each with instructions in English and French for using the Interpretation option in the Zoom video-conferencing app. The PPT file contains a hyperlink whose mouseover action triggers execution of a malicious PowerShell script via the SyncAppvPublishingServer utility, a legitimate Windows script (SyncAppvPublishingServer.vbs) that can be abused to run PowerShell commands. This article continues to discuss the hackers' use of PPT files to spread malware.
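As an added example (not code from the article, from Cluster25 or from Trellix), the following Python script performs static triage of a .pptx for the delivery mechanism described above: it walks each slide part, resolves hlinkClick and hlinkMouseOver actions through the slide's relationship part, and flags any that run a program (the ppaction://program action) or whose target names a script host such as SyncAppvPublishingServer.vbs. The element and action names follow the OOXML PresentationML schema as understood here; the two-slide deck and the payload string the script builds are constructed stand-ins, not the actual lure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PresentationML slides and package relationships.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Script hosts and proxies commonly abused to launch PowerShell from Office
# hyperlink actions (SyncAppvPublishingServer.vbs is the one in the report).
SUSPICIOUS_TARGET = re.compile(
    r"syncappvpublishingserver|powershell|pwsh|mshta|wscript|cscript|"
    r"cmd\.exe|rundll32|regsvr32|certutil",
    re.IGNORECASE,
)


def scan_pptx(data: bytes) -> list[dict]:
    """Statically triage a .pptx: return one finding per hyperlink action
    (click or mouseover) that runs a program or resolves to a known script host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        slides = sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide in slides:
            # Hyperlink targets live in the slide's .rels part, keyed by r:id.
            rels_name = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)):
                    rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
            root = ET.fromstring(z.read(slide))
            for trigger in ("hlinkClick", "hlinkMouseOver"):
                for el in root.iter(f"{{{A_NS}}}{trigger}"):
                    action = el.get("action", "")
                    target, mode = rels.get(el.get(f"{{{R_NS}}}id"), ("", "Internal"))
                    if action.startswith("ppaction://program") or SUSPICIOUS_TARGET.search(target):
                        findings.append({
                            "slide": slide,
                            "trigger": trigger,
                            "action": action,
                            "target": target,
                            "external": mode == "External",
                        })
    return findings


# Minimal slide and relationship parts; only the pieces the scanner reads.
SLIDE_TMPL = (
    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
    'xmlns:a="{a}" xmlns:r="{r}"><p:cSld><p:spTree><p:sp><p:nvSpPr>'
    '<p:cNvPr id="2" name="Content">{hlink}</p:cNvPr>'
    "</p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>"
)
RELS_TMPL = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId2" Type="{r}/hyperlink" Target="{target}" TargetMode="External"/>'
    "</Relationships>"
)


def build_sample_pptx() -> bytes:
    """Constructed two-slide deck (not the real lure): slide 1 carries an ordinary
    web hyperlink, slide 2 a mouseover action that launches
    SyncAppvPublishingServer.vbs with a PowerShell one-liner as its argument."""
    benign = '<a:hlinkClick r:id="rId2"/>'
    malicious = '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
    # Hypothetical argument string; the real payload is not reproduced here.
    lolbin = ("C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "
              "&quot;n;Start-Process powershell -WindowStyle Hidden&quot;")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE_TMPL.format(a=A_NS, r=R_NS, hlink=benign))
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   RELS_TMPL.format(r=R_NS, target="https://www.oecd.org/"))
        z.writestr("ppt/slides/slide2.xml", SLIDE_TMPL.format(a=A_NS, r=R_NS, hlink=malicious))
        z.writestr("ppt/slides/_rels/slide2.xml.rels",
                   RELS_TMPL.format(r=R_NS, target=lolbin))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_pptx(build_sample_pptx()):
        print(f"{f['slide']}: {f['trigger']} action={f['action']!r} -> {f['target']}")
```

Because PowerPoint only fires these hyperlink actions while the deck is being presented, a static check like this complements rather than replaces process-creation telemetry, where the same technique shows up as POWERPNT.EXE spawning a script host with SyncAppvPublishingServer.vbs on the command line.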

Bleeping Computer reports "Hackers Use PowerPoint Files for 'Mouseover' Malware Delivery"

Submitted by Anonymous on