PowerPoint mouse-over event abused to deliver Graphite implants
released on 2022-09-27 @ 12:44:06 PM
Researchers from the Cluster25 Threat Intel Team collected and analyzed a lure document used to implant a variant of the Graphite malware, which uses the Microsoft Graph API and OneDrive for C&C communications. The lure is a PowerPoint file that exploits a code execution technique triggered when the user starts the presentation mode and moves the mouse. The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The dropper in turn downloads a payload that extracts a new PE (Portable Executable) file and injects it into itself; the analysis showed this PE to be a variant of the Graphite malware family.