Anonymous

Hackers deploy their own C2 infrastructure on the company's services for free, and do not hesitate to use it for malicious purposes.

Cybercriminals are increasingly using the Microsoft Graph API to manage malware and bypass detection systems. According to researchers from Symantec, such actions are aimed at facilitating communication with the C2 infrastructure hosted in Microsoft cloud services.

Since January 2022, experts have been recording active use of the Microsoft Graph API by various state-linked hacking groups. Among them, threat actors such as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig stand out.

The first known case of Microsoft Graph API use was registered in June 2021. At that time, use of the API was associated with a cluster of activity called Harvester, and the attacks used a specialized implant called Graphon to communicate with the Microsoft infrastructure.

Symantec recently discovered the use of the same technique against an unspecified organization in Ukraine. This incident involved a previously undocumented malware called BirdyClient (or OneDriveBirdyClient).

The software module detected during the attack is called "vxdiff.dll" and matches the name of a legitimate DLL associated with the Apoint application ("apoint.exe"). It is designed to connect to the Microsoft Graph API and use OneDrive as a C2 server for uploading and downloading files. How this DLL file is distributed is not yet known, nor are the final goals of the cybercriminals.

According to a Symantec report, Graph API usage is popular among attackers, as traffic to well-known cloud services is less suspicious. In addition, it is a cheap and secure way for attackers to gain infrastructure, since basic accounts for services like OneDrive are provided free of charge.

There are also reports of possible abuse of cloud administration commands, which can be used by attackers to perform arbitrary actions in VMs with privileged access.

This is often achieved by compromising external contractors who have privileged access to managing internal cloud environments.
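The point the report makes, that traffic to well-known cloud services blends in, only holds if the defender looks at destinations alone. Correlating Graph and sign-in traffic with the originating process turns the BirdyClient pattern described above (a pointing-device helper like apoint.exe requesting tokens and pushing files to OneDrive) into an obvious outlier. The script below is an added example, not code from the post or from Symantec; the log format, the host set, the process allowlist and every log line are constructed for the demonstration.

```python
"""Hunt for Microsoft Graph / OneDrive traffic from unexpected processes.

Added example: the log lines, the allowlist and the field names are all
constructed for this demonstration and do not come from the original post.
"""
import re
from collections import defaultdict

# Hostnames for Microsoft Graph and the Entra ID sign-in endpoint.
# Assumption: these are the hosts a defender baselines; extend as needed.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Processes the organisation expects to talk to Graph. Assumption for this
# example; a real allowlist comes from the environment's own baseline.
EXPECTED_PROCESSES = {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe"}

# Constructed EDR-style network log: timestamp followed by key=value pairs.
# apoint.exe behaving like the implant described in the post is the planted anomaly.
SAMPLE_LOG = """\
2024-05-02T10:01:12Z host=ws-17 process=OneDrive.exe pid=4120 dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root
2024-05-02T10:01:15Z host=ws-17 process=apoint.exe pid=2288 dst=login.microsoftonline.com method=POST path=/common/oauth2/v2.0/token
2024-05-02T10:01:16Z host=ws-17 process=apoint.exe pid=2288 dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root:/in:/children
2024-05-02T10:02:40Z host=ws-17 process=apoint.exe pid=2288 dst=graph.microsoft.com method=PUT path=/v1.0/me/drive/root:/out/ws-17.bin:/content
2024-05-02T10:03:05Z host=ws-17 process=outlook.exe pid=980 dst=graph.microsoft.com method=GET path=/v1.0/me/messages
2024-05-02T10:03:09Z host=ws-17 process=chrome.exe pid=5012 dst=www.example.com method=GET path=/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
REQUIRED_FIELDS = ("process", "dst", "method")


def parse_line(line):
    """Parse one key=value log line into a dict; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        rec[key] = value
    if not all(k in rec for k in REQUIRED_FIELDS):
        return None
    return rec


def find_unexpected_graph_clients(log_text):
    """Summarise Graph / sign-in traffic per process, keeping only processes
    outside the allowlist. Returns {process: {"requests", "uploads",
    "token_requests", "paths"}}."""
    per_process = defaultdict(
        lambda: {"requests": 0, "uploads": 0, "token_requests": 0, "paths": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in GRAPH_HOSTS:
            continue
        proc = rec["process"].lower()
        if proc in EXPECTED_PROCESSES:
            continue
        summary = per_process[proc]
        summary["requests"] += 1
        # A PUT/POST against Graph from an unknown process is the exfil/C2 upload signal.
        if rec["dst"] == "graph.microsoft.com" and rec["method"] in ("PUT", "POST"):
            summary["uploads"] += 1
        # Token requests show the process is authenticating with its own credentials.
        if rec["dst"] == "login.microsoftonline.com":
            summary["token_requests"] += 1
        summary["paths"].add(rec.get("path", ""))
    return dict(per_process)


if __name__ == "__main__":
    for proc, summary in find_unexpected_graph_clients(SAMPLE_LOG).items():
        print(f"[!] {proc}: {summary['requests']} Graph requests, "
              f"{summary['uploads']} uploads, {summary['token_requests']} token requests")
        for path in sorted(summary["paths"]):
            print(f"    {path}")
```

On the constructed sample only apoint.exe is reported: three Graph requests, one upload (the PUT to a `:/content` path, which is how files land in OneDrive through Graph) and one token request. Processes on the allowlist and non-Graph destinations are dropped, which is the baseline the report implicitly asks for: the destination is legitimate, the client is not.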