Researchers from the Cluster25 Threat Intel Team collected and analyzed a lure document used to deploy a variant of the Graphite malware. The lure is a PowerPoint file that abuses a code execution technique designed to fire when the user starts the presentation mode and moves the mouse. The triggered code runs a PowerShell script that downloads and executes a dropper from OneDrive. The dropper in turn downloads a payload that extracts a new PE (Portable Executable) file and injects it into its own process; the analysis showed this PE to be a variant of the Graphite malware family, which uses the Microsoft Graph API and OneDrive for C&C (command-and-control) communications.
ADVERSARY: APT 28
ATT&CK IDS: T1027 - Obfuscated Files or Information, T1036 - Masquerading, T1055 - Process Injection, T1059 - Command and Scripting Interpreter, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1106 - Native API, T1112 - Modify Registry, T1140 - Deobfuscate/Decode Files or Information, T1202 - Indirect Command Execution, T1204 - User Execution, T1546 - Event Triggered Execution, T1566 - Phishing
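The summary above describes a PowerPoint lure whose code runs when the viewer is in presentation mode and moves the mouse. In the OOXML (.pptx) format, a mouse-over or click action that launches a program is stored as an `a:hlinkMouseOver` / `a:hlinkClick` element with `action="ppaction://program"`, whose `r:id` resolves through the slide's `.rels` file to the external command. The following scanner is an added example, not code from Cluster25 or from the report; it assumes the lure used that standard program-action mechanism (the page does not state how the trigger was implemented), and the embedded sample PPTX fragment, including the placeholder PowerShell command line, is constructed for the demo rather than taken from the lure.

```python
"""Scan a .pptx for slide actions that launch an external program
(ppaction://program), the OOXML mechanism behind mouse-over / click
triggered execution in presentation mode. Added example; assumptions are
noted in comments."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
RID_ATTR = "{%s}id" % NS["r"]


def _rels_for(zf: zipfile.ZipFile, slide_name: str) -> dict:
    """Map relationship Ids to Targets for one slide.
    ppt/slides/slide1.xml -> ppt/slides/_rels/slide1.xml.rels"""
    folder, _, base = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {r.get("Id"): r.get("Target") for r in root.findall("rel:Relationship", NS)}


def scan_pptx(data: bytes) -> list:
    """Return one finding per program action found in any slide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _rels_for(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (NS["a"], tag)):
                    # Ordinary hyperlinks carry no action or ppaction://hlinkfile etc.;
                    # only "program" hands a command line to the shell.
                    if "ppaction://program" not in el.get("action", ""):
                        continue
                    findings.append({
                        "slide": name,
                        "trigger": "mouseover" if tag == "hlinkMouseOver" else "click",
                        "target": rels.get(el.get(RID_ATTR), "<unresolved>"),
                    })
    return findings


# Constructed sample: a slide whose shape runs a program on mouse-over, plus a
# benign slide with a normal web hyperlink. The command line is a placeholder.
SLIDE_WITH_ACTION = """<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
 xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Rectangle 1">
  <a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>
 </p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>"""
RELS_WITH_PROGRAM = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
  Target="powershell.exe -nop -w hidden -enc AAAA" TargetMode="External"/>
</Relationships>"""
BENIGN_SLIDE = """<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
 xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="3" name="Text 2">
  <a:hlinkClick r:id="rId1"/>
 </p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>"""
BENIGN_RELS = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
  Target="https://example.com/" TargetMode="External"/>
</Relationships>"""


def build_sample_pptx() -> bytes:
    """Minimal constructed package (slides and rels only) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_WITH_ACTION)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_WITH_PROGRAM)
        zf.writestr("ppt/slides/slide2.xml", BENIGN_SLIDE)
        zf.writestr("ppt/slides/_rels/slide2.xml.rels", BENIGN_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_pptx(build_sample_pptx()):
        print(f"{f['slide']}: {f['trigger']} -> {f['target']}")
```

Run it against a real file with `scan_pptx(open("deck.pptx", "rb").read())`; any `ppaction://program` hit is worth a manual look regardless of the target, since the command line is executed by PowerPoint without macros being involved.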