PowerPoint docs utilised by hackers to spread Graphite malware

October 4, 2022

Researchers recently discovered that a Russian-speaking threat group uses Microsoft PowerPoint to distribute the Graphite malware to its targets.

Based on reports, the Russian hackers utilised a novel code execution strategy that exploits mouse movement in MS PowerPoint to activate multiple malicious PowerShell scripts.

The Russian threat group was identified as the FancyBear gang, also known as APT28. This advanced persistent threat (APT) group is believed to be connected to the Russian GRU, which used several other techniques to disseminate the Graphite malware last month.

Cybersecurity analysts claimed that APT28 targeted entities in several European countries, including governments and defence sectors, especially in the eastern portion.

Moreover, the hackers baited their victims with a PowerPoint file whose subject relates to the Organisation for Economic Cooperation and Development. The file includes a couple of slides with instructions in French and English for accessing the translation option in Zoom.

However, the PowerPoint file contains a hyperlink that acts as the trigger for launching a malicious PowerShell script. The script then downloads an image that contains an encrypted DLL file. The resulting payload is the Graphite malware, which enables the threat actor to load additional malware into the memory of the targeted system.

The image is a JPEG file carrying an encrypted DLL, which is decrypted, loaded into system memory, and run through rundll32.exe. The thread will continue, and every new file will need a separate XOR key to remove the obfuscation.
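For defenders triaging presentations received by e-mail, the hover-triggered hyperlink described above can be checked for statically. The following is an added example, not code from the article or from the researchers it cites; it assumes the file is an OOXML package (.pptx/.ppsx), and the function names, the keyword list and the sample package are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files in bulk, prefer defusedxml
from urllib.parse import unquote

A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SLIDE = re.compile(r"ppt/slides/(slide\d+)\.xml$")
# Assumed heuristic: "run program" actions, or script hosts named in the target
RISKY = re.compile(r"powershell|rundll32|mshta|wscript|cscript|cmd\.exe", re.I)

def hover_actions(pptx_bytes):
    """Return (slide, action, target, risky) for each mouse-over hyperlink."""
    out = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = SLIDE.match(name)
            if not m:
                continue
            rels, rels_part = {}, f"ppt/slides/_rels/{m.group(1)}.xml.rels"
            if rels_part in names:  # r:id values resolve through this part
                for rel in ET.fromstring(z.read(rels_part)).iter(REL + "Relationship"):
                    rels[rel.get("Id")] = unquote(rel.get("Target", ""))
            for el in ET.fromstring(z.read(name)).iter(A + "hlinkMouseOver"):
                action = el.get("action", "")
                target = rels.get(el.get(R + "id"), "")
                risky = action.startswith("ppaction://program") or bool(RISKY.search(target))
                out.append((m.group(1), action, target, risky))
    return out

def build_sample():
    """Constructed two-slide package: slide1 has a hover 'run program' action."""
    ns = ('xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
          'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
          'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/hyperlink" Target="powershell.exe%20-File%20placeholder.ps1" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml",
                   f'<p:sld {ns}><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></p:sld>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/slides/slide2.xml", f'<p:sld {ns}><a:hlinkClick r:id="rId9"/></p:sld>')
    return buf.getvalue()

if __name__ == "__main__":
    for finding in hover_actions(build_sample()):
        print(finding)
```

Any finding with the last field set to True deserves manual review before the file is opened in presentation mode; ordinary click hyperlinks, as on the constructed second slide, are not reported.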


The Graphite malware exploits APIs and drives to contact its remote servers.


Experts explained that the Graphite malware abuses OneDrive and the MS Graph API to communicate with its command-and-control server. In addition, the adversaries use a permanent client ID to acquire a valid OAuth2 token.

The token lets Graphite query the MS Graph APIs and spot new files. If the payload identifies a file as new, its content is downloaded and decrypted via an algorithm.

Furthermore, the malware could enable an RCE attack by allocating a new memory region and running the received shellcode in a new dedicated thread.

The hackers have allegedly planned this campaign since the start of the year, but the URLs utilised in the attacks were only active last month. Organisations should employ a competent security solution to prevent these breaches and mitigate similar attacks.
