Cyber criminals and other malicious actors routinely change their techniques, because staying a step ahead of defenders is what keeps their operations working. A group of hackers allegedly working for the Russian government is now using a new technique that triggers the execution of malicious scripts based on mouse movements, which represents a significant escalation of their practices.
The threat intelligence company Cluster25 released a report about the APT28 cybercrime group, also known as Fancy Bear. The attackers send PowerPoint files to their intended victims. In almost all cases, the PowerPoint file was presented as linking to an OECD document, and it contains two slides with instructions in both English and French.
Users will notice a hyperlink in the file, and even if they do not click on it, simply hovering over the hyperlink is enough to trigger the malware: the hover action runs a malicious PowerShell script through the SyncAppvPublishingServer utility.
Once the script is activated, a JPEG is immediately downloaded onto the system from a Microsoft OneDrive account. This JPEG is actually an encrypted dynamic link library, which is then decrypted and triggers the download of a second JPEG. This chain of malicious downloads allows the Graphite malware to obtain valid login tokens by manipulating strings of code and processes.
The fact that this malware can be deployed whether or not you click on the malicious link makes it more dangerous than it would otherwise be. Users who know better than to click on links in emails they are not sure about would still end up infected, which makes it clear that security teams need to work out how to mitigate such malware.
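As an added example (not code from the article or from Cluster25's report), the following Python script triages a .pptx for the hover-triggered hyperlinks described above: it unpacks the OOXML archive, finds every hlinkMouseOver or hlinkHover element in the slides, resolves each hyperlink relationship to its target, and flags hovers that launch a program or whose target names SyncAppvPublishingServer. The sample deck it builds is a constructed minimal fixture, and the indicator list is an assumption made for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"
HOVER_TAGS = (f"{{{NS_A}}}hlinkMouseOver", f"{{{NS_A}}}hlinkHover")  # hover links on text runs and on shapes
# Assumed indicator list for this triage: the LOLBin named in the article, plus PowerShell itself.
SUSPECT = re.compile(r"SyncAppvPublishingServer|powershell", re.IGNORECASE)

def scan_pptx(data: bytes) -> list:
    """Report every hover-triggered hyperlink in the deck, resolving each r:id to its rels target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            rels_name = f"ppt/slides/_rels/{m.group(1)}.xml.rels"
            rels = {} if rels_name not in names else {
                r.get("Id"): r.get("Target", "")
                for r in ET.fromstring(z.read(rels_name)).iter(f"{{{NS_PR}}}Relationship")}
            for el in ET.fromstring(z.read(name)).iter():
                if el.tag not in HOVER_TAGS:
                    continue
                action, target = el.get("action", ""), rels.get(el.get(f"{{{NS_R}}}id"), "")
                # A hover that launches a program, or whose target names the LOLBin, matches the lure pattern.
                flagged = action == "ppaction://program" or bool(SUSPECT.search(target))
                findings.append({"slide": name, "action": action, "target": target, "suspicious": flagged})
    return findings

def build_sample() -> bytes:
    """Constructed minimal fixture (not a real lure file): one slide with a malicious and a benign hover link."""
    slide = (f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree><p:sp><p:txBody><a:p>'
             '<a:r><a:rPr><a:hlinkMouseOver r:id="rId1" action="ppaction://program"/></a:rPr>'
             '<a:t>OECD document</a:t></a:r><a:r><a:rPr><a:hlinkMouseOver r:id="rId2"/></a:rPr>'
             '<a:t>Help</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS_PR}"><Relationship Id="rId1" Type="{NS_R}/hyperlink" '
            'Target="SyncAppvPublishingServer.vbs;PLACEHOLDER" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{NS_R}/hyperlink" Target="https://example.org/help" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Calling `scan_pptx(build_sample())` returns two findings, of which only the program-launching hover is marked suspicious; pointing `scan_pptx` at the bytes of a real deck applies the same check to every slide.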