Sunday, September 8, 2024
Homecyber securityHackers Exploit Microsoft Graph API For C&C Communications

Hackers Exploit Microsoft Graph API For C&C Communications

Published on

An emerging threat leverages Microsoft’s Graph API to facilitate command-and-control (C&C) communications through Microsoft cloud services. 

Recently, security analysts at Symantec discovered a previously undocumented malware called BirdyClient or OneDriveBirdyClient.

This malware targeted an organization in Ukraine. It abused Microsoft OneDrive for C&C by connecting to the Graph API to upload and download files. 

- Advertisement - EHA

While masquerading as legitimate software, the malware’s core functionality reveals an evolving technique that leverages trusted cloud services for malicious purposes by threat actors of unknown motivation and attribution.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis

Command-and-control (C&C) communications are becoming more and more common among attackers who take advantage of the Microsoft Graph API that was built for integrating Microsoft cloud services.

Graph API access to services such as OneDrive is used by malware families like BirdyClient, Bluelight (Vedalia/APT37 group), Backdoor.Graphon (Harvester group), and Graphite (Swallowtail/APT28 group) for C&C purposes. 

This new approach helps threat actors hide their malicious communications in legitimate cloud traffic, making detection difficult.

Advanced persistent threats that abuse unknown C&C channels created by repurposing cloud integration capabilities raise concerns about the misuse of trusted services.

Microsoft’s Graph API has become increasingly popular for command-and-control (C&C) abuse among various threat groups.

OneDrive and Microsoft 365 Mail were used by SiestaGraph to target an ASEAN country. 

Backdoor.Graphican, an evolved form of older malware, was utilized by the Flea (APT15) group in campaigns against foreign ministries where Graph API and OneDrive served as their C&C infrastructure components. 

GraphStrike is a penetration testing toolkit—one of many examples that illustrates how attackers are abusing legitimate cloud integration capabilities for malicious communication purposes, which helps them hide within trusted services. 

However, as more knowledge about this technique spreads throughout other hacking communities, we should expect authenticated API access to be misused as never before, which will create new challenges for all.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

To avoid detection, threat actors have started to use Microsoft’s Graph API as a platform for their command-and-control servers. 

This is done so that their malicious communications will seem like normal cloud activities, while at the same time providing them with free, safe hosting using ordinary cloud accounts. 

Accordingly, given its increased adoption by various threat actors aimed at ensuring continuity of operations, misusing authorized API access channels for C2 presents a growing problem that requires more alertness and innovative protection mechanisms.

IoCs

  • afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e – BirdyClient
  • 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6 – Bluelight
  • 470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3 – Graphon
  • f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 – Graphite
  • 4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5 – Graphican 
  • a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8 – Graphican
  • 02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5  – Graphican
  • 1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf – SiestaGraph 
  • fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb – SiestaGraph
  • 7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950 – SiestaGraph

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...