Cluster25 researchers collected and analyzed a lure document used to implant a variant of Graphite malware, uniquely linked to the threat actor known as APT28 (aka Fancy Bear, TSAR Team). This is a threat group attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The lure document is a PowerPoint file that exploits a code execution technique, which is designed to be triggered when the user starts the presentation mode and moves the mouse. The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.

INSIGHTS

According to lure document metadata, attackers used a template potentially linked to The Organisation for Economic Co-operation and Development (OECD). This organization works together with governments, policy makers and citizens in order to establish evidence-based international standards and finding solutions to a range of social, economic and environmental challenges. This is a PowerPoint file (PPT) containing two slides with the same content, the first one written in English and the second in French. The document shows instructions about the use of the Interpretation option available in Zoom.

Lure document content

This PowerPoint exploits a code execution technique that is triggered by using Hyperlinks instead of Run Program / Macro, which is designed to be triggered when the user starts the presentation mode and moves the mouse. The code that is executed is a PowerShell script shown below, which is run through the utility SyncAppvPublishingServer, and performs the download of a file from OneDrive with a JPEG extension (DSC0002.jpeg). This in turn is a DLL file that is later decrypted and written to the local path C:ProgramDatalmapi2.dll.

PowerShell Script

The full URL used to download the DLL is reported below:

and the execution of the downloaded DLL via the tool rundll32.exe.

The following syntax is responsible to perform the whole set of operations:

A new file, again with a JPEG extension (DSC0001.jpeg), is downloaded and decrypted using the RSA and AES Cryptographic Provider from WinCrypt APIs, with a hardcoded public key. Then, the malware dynamically calls the API NtAllocateVirtualMemory and then writes and executes the decrypted content in the newly allocated memory region. Similarly, the imported code dynamically calls VirtualAlloc to allocate a new region of memory in which a new PE file is copied. Finally, it passes the execution to the region of memory in which the copied PE is allocated, as evidence reported following:

The code in the injected PE creates another mutex having the name 42Htb600y. The malware proceeds to de-obfuscate strings using a XOR loop and using a different XOR key for each string. The following is an exhaustive list of de-obfuscated strings:

C&C COMMUNICATIONS

The malware communicates with the Command and Control (C&C) through the domain graph[.]Microsoft[.]com, i.e. abusing the Microsoft Graph service, which is the API Web RESTful that provides access to Microsoft Cloud service resources. Hence, the analysis showed that the sample in question is a version of the Graphite malware, a malware using the Microsoft Graph API and OneDrive for C&C communications. The malware is known to be deployed in-memory only and served as a downloader for the post-exploitation frameworks like Empire (as documented by Trellix researchers on early 2022 here). To obtain a new OAuth2 token to access the service, the endpoint login[.]microsoftonline[.]com/common/oauth2/v2.0/token is contacted using a fixed client ID (62272a08-fe9d-4825-bc65-203842ff92bc), as evidence below:

The following is the full HTTP request to make the first connection to the C&C.

Once obtained a new OAuth2 token, the Graphite malware will query the Microsoft GraphAPIs for new commands by enumerating the child files in the check OneDrive subdirectory. If a new file is found, the content is downloaded and decrypted through an AES-256-CBCdecryption algorithm. The monitoring of task executions and the uploading of their results is managed through a dedicated thread. Finally, the malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread.

CONCLUSIONS

According to extracted metadata, attackers worked on the preparation of the campaign between January and February 2022. However, both URLs used by attackers appared active even recently (Q3 2022). In addition could be interesting to note that, according to the visibility we can dispose of, limited telemetry hits related to the collected artifacts have been catched on 25/08/2022 and 09/09/2022 from two countries of the European Union (we have no data available before 25/08/2022).

Such recent evidence could suggest some sort of activities still ongoing linked to the described threat or to some of its variants. Finally, based on several indicators, geopolitical objectives and the analyzed artifacts, Cluster25 attributes this campaign to the Russia-linked threat actor known as APT28 (aka Fancy Bear, TSAR Team, Pawn Storm, Sednit) and indicates entities and individuals operating in the defense and government sectors of Europe and Eastern Europe countries as potential targets.

ATT&CK MATRIX

INDICATORS OF COMPROMISE

DETECTION AND THREAT HUNTING

alert tcp any any -> any any (
msg:"Cluster25 APT28 Graphite CnC Communication via client_id"; 
content:"POST"; 
http_method;
content:"client_id=62272a08-fe9d-4825-bc65-203842ff92bc"; 
http_client_body; 
fast_pattern; 
sid:10001;
)

rule Powerpoint_Code_Execution_87211_00007 {
meta:
author = "Cluster25"
description ="Detects Code execution technique in Powerpoint (Hyperlink and Action)"
hash1 = "d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d"
strings:
$magic = {D0 CF 11 E0 A1 B1 1A E1}
$s1 = "local.lnk" fullword wide
$s2 = "lmapi2.dll" fullword wide
$s3 = "rundll32.exe" fullword wide
$s4 = "InProcServer32" fullword wide
$s5 = "DownloadData" fullword wide
$s6 = "SyncAppvPublishingServer" fullword wide
condition: ($magic at 0) and (all of ($s*)) and filesize < 10MB 
}

rule APT28_Graphite_62333_00028 : RUSSIAN THREAT GROUP {
meta:
description = "Detects Fancy Bear Graphite variant through internal strings"
author = "Cluster25"
tlp = "white"
hash1 = "34aca02d3a4665f63fddb354551b5eff5a7e8877032ddda6db4f5c42452885ad"
strings:
$ = "_LL_x64.dll" fullword ascii
$ = "qqhqx!iwwU1ptzd1WngCv9BCmVtxgFTJBPR1bJ2Ze17e0N6W3VHZC2FQOOUhu4nQ2Wrj0qLEBowQ$$" ascii
$ = "62272a08-fe9d-4825-bc65-203842ff92bc" fullword ascii
$ = "%s %04d sp%1d.%1d %s" fullword ascii
condition:
uint16(0) == 0x5a4d and
filesize < 100KB and
all of them
}