How to avoid the Russian PowerPoint cyber scam


A threat group linked to the Russian state and known as Fancy Bear (also tracked as APT28, Pawn Storm or Tsar Team) has targeted government bodies, defence organisations and private individuals around the world with a phishing campaign that abuses a program as widely used as PowerPoint to lure users into running its malware.

Cybercriminals mainly target security and government-related users

The attack abuses the mouse-over action that PowerPoint lets a slide author attach to an object on a slide. The booby-trapped documents carry an action of this kind that launches a program instead of following a link, so malware is installed on corporate and personal computers as soon as the user opens the file in presentation mode and moves the mouse over the trapped object. No click and no macro are required.

The group attacks all types of users, but the primary targets of this campaign are organisations and professionals working in the defence and government sectors of major Western European and Eastern European countries.

To lure these users, the booby-trapped document reuses a PowerPoint template associated with the Organization for Economic Cooperation and Development (OECD).

As cybersecurity company Nunsys points out, the chain works as follows: the action in the document launches a PowerShell script, which downloads a dropper from the OneDrive storage service and runs it.

That dropper is a seemingly harmless image file that carries the actual payload, a variant of the Graphite malware, which uses the Microsoft Graph API and OneDrive for its command-and-control (C&C) communications, so its traffic looks like ordinary Microsoft cloud traffic while it collects information from the victim.
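The trigger described above lives inside the document itself: a .pptx file is a zip archive, and each slide's XML can carry an a:hlinkMouseOver or a:hlinkClick element whose action attribute is ppaction://program, with the program to run stored as the relationship target in the slide's .rels part. The following scanner is an added example written for this page, not code from Nunsys or from the campaign itself; it builds two constructed sample decks in memory (one with a mouse-over program action whose target is the placeholder command cmd.exe /c calc.exe, one with an ordinary web hyperlink) and reports which of them would launch a program. It runs offline and can also be pointed at real files.

```python
"""Triage check for PowerPoint mouse-over / click actions that launch a program.

Added example for this article (not the campaign's code). The sample decks
below are constructed in memory and are deliberately minimal: they contain
only the parts this scanner reads, so PowerPoint itself would not open them.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# OOXML namespaces used by PresentationML slides and package relationships.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hyperlink actions that execute something rather than navigate somewhere.
RISKY_ACTIONS = ("ppaction://program", "ppaction://macro")


def scan_pptx(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per slide hyperlink whose action launches code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            # Resolve r:id -> Target through the slide's relationship part.
            rels = {}
            rels_name = "ppt/slides/_rels/%s.xml.rels" % m.group(1)
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)):
                    rels[rel.get("Id")] = rel.get("Target", "")
            slide = ET.fromstring(z.read(name))
            # hlinkMouseOver fires on hover in slide show mode; hlinkClick needs a click.
            for event in ("hlinkMouseOver", "hlinkClick"):
                for el in slide.iter("{%s}%s" % (A_NS, event)):
                    action = el.get("action", "")
                    if not action.startswith(RISKY_ACTIONS):
                        continue
                    findings.append({
                        "slide": name,
                        "event": event,
                        "action": action,
                        "target": rels.get(el.get("{%s}id" % R_NS), "<unresolved>"),
                        "needs_click": "no" if event == "hlinkMouseOver" else "yes",
                    })
    return findings


def _slide(link_xml: str) -> str:
    """Minimal slide XML with one shape carrying the given hyperlink element."""
    return (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        'xmlns:a="' + A_NS + '" xmlns:r="' + R_NS + '">'
        '<p:cSld><p:spTree><p:sp><p:nvSpPr>'
        '<p:cNvPr id="2" name="Rectangle 1">' + link_xml + '</p:cNvPr>'
        '<p:cNvSpPr/><p:nvPr/></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'
    )


def _rels(target: str) -> str:
    """Relationship part mapping rId2 to an external hyperlink target."""
    return (
        '<Relationships xmlns="' + PR_NS + '">'
        '<Relationship Id="rId2" Type="' + R_NS + '/hyperlink" '
        'Target="' + target + '" TargetMode="External"/></Relationships>'
    )


def _pptx(slide_xml: str, rels_xml: str) -> bytes:
    """Zip the constructed parts into a .pptx-shaped archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not read here
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


def build_mouseover_sample() -> bytes:
    """Constructed deck: hovering the shape runs a program (placeholder command)."""
    return _pptx(_slide('<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'),
                 _rels("cmd.exe /c calc.exe"))


def build_benign_sample() -> bytes:
    """Constructed deck: clicking the shape opens an ordinary web link."""
    return _pptx(_slide('<a:hlinkClick r:id="rId2"/>'), _rels("https://www.oecd.org/"))


if __name__ == "__main__":
    samples = {"constructed-mouseover.pptx": build_mouseover_sample(),
               "constructed-benign.pptx": build_benign_sample()}
    for path in sys.argv[1:]:  # optionally scan real files given on the command line
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, blob in samples.items():
        for f in scan_pptx(blob):
            print("%s: %s on %s runs %r (needs click: %s)" %
                  (label, f["event"], f["slide"], f["target"], f["needs_click"]))
```

Run it with no arguments to see the constructed mouse-over deck flagged and the benign one stay silent, or pass real .pptx paths to triage a mailbox of attachments. A match on a mouse-over program action is a strong indicator on its own, because there is no legitimate reason for a slide to run an external command when the cursor passes over it.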

Since the URLs used in the most recent attacks were still active in August and September of this year, and activity has been observed since January, it is quite possible that further attacks are under way right now.

Extreme caution is therefore warranted, not only among professionals in the defence and government sectors but also in other industries and at a personal level, because PowerPoint is used by companies in every sector and by individual users alike.

At the corporate level, an EDR (endpoint detection and response) tool installed on employees' devices, monitoring process activity and network traffic and able to respond when something suspicious happens, is essential.

Likewise, macros should be blocked in Office documents that come from untrusted sources, and PowerShell should be restricted (for example with AppLocker or Constrained Language Mode) for user profiles that do not need it. Note that this particular lure does not use macros at all: the action fires from a mouse-over event, so blocking macros alone would not stop it, and controlling what Office applications are allowed to launch (for instance the Microsoft Defender attack surface reduction rule that blocks Office applications from creating child processes) is the more relevant measure.

Keeping the operating system and Office fully patched and on their latest versions, securing the backup system and running a reliable firewall are equally essential to protect against the Russian PowerPoint cyber scam.
