Attackers, including nation-state actors, increasingly leverage legitimate cloud services for espionage operations, exploiting their low-profile and cost-effective nature.
The services, such as Microsoft OneDrive and Google Drive, evade detection by masquerading as trusted entities, thereby enabling covert data exfiltration and tool development.
Researchers discovered a novel Go-based backdoor, GoGra, deployed against a South Asian media organization in November 2023.
Leveraging the Microsoft Graph API for C2, GoGra reads encrypted email commands from a specific Outlook account, decrypts them using AES-256 CBC, and executes them via cmd.exe.
OneDrive Or Google Drive For Cover
Attributed to the nation-state group Harvester, GoGra shares functional similarities with their .NET-based Graphon tool but differs in programming language, encryption key, command set, and C2 configuration.
The Firefly espionage group exfiltrated sensitive data from a Southeast Asian military organization using a custom Python wrapper for a publicly available Google Drive client.
By targeting .jpg files in the System32 directory and using a hardcoded refresh token, the attackers uploaded encrypted RAR archives containing documents, meeting notes, call transcripts, building plans, email folders, and financial data to a Google Drive account.
A new backdoor, Trojan.Grager, was used to target organizations in Asia in April 2024, which utilized the Graph API to connect with a C&C server on Microsoft OneDrive.
The attack employed a typosquatted URL disguised as a legitimate 7-Zip installer (hxxp://7-zip.tw/a/7z2301-x64[.]msi).
This MSI downloaded a Trojanized 7-Zip installer that installed genuine 7-Zip software alongside a malicious DLL (epdevmgr.dll), Tonerjam malware, and the encrypted Grager backdoor (data.dat).
Mandiant identified Tonerjam as a launcher malware that deploys the Grager backdoor, which is linked to the suspected China-nexus espionage group UNC5330, exfiltrates system information, manages files, and executes commands.
It specifically steals OneDrive credentials, while UNC5330 previously exploited Ivanti Connect Secure VPN vulnerabilities to compromise appliances, showcasing their active threat landscape.
Symantec discovered an under-development backdoor named MoonTag, leveraging code from a public Google Group.
The malware communicates via the Graph API and shares characteristics with the 9002 RAT, though direct attribution to Sabre Panda is inconclusive.
Strong indicators point to a Chinese-speaking threat actor based on code language and infrastructure. OneDriveTools is a new backdoor that targets IT service companies.
It uses the Microsoft Graph API to download and run payloads from OneDrive, which creates a unique victim folder, uploads the infection status, and keeps communication going through heartbeat files and command execution in this folder.
Attackers use Whipweave, a tunneling tool based on Free Connect, to connect to an Orbweaver network, which takes advantage of the growing trend of threat actors using cloud-based command and control infrastructure, similar to methods used by other groups that have been successful.
Best practices to improve security include blocking unused cloud services, monitoring network traffic for anomalies, potentially using application whitelisting, restricting cloud service access for non-browser processes, identifying critical assets for data exfiltration monitoring, and enabling host-based and cloud audit logging.
IOC
d728cdcf62b497362a1ba9dbaac5e442cebe86145734410212d323a6c2959f0f – Trojan.Gogra
f1ccd604fcdc0034d94e575b3709cd124e13389bbee55c59cbbf7d4f3476e214 – Trojan.Gogra
9f61ed14660d8f85d606605d1c4c23849bd7a05afd02444c3b33e3af591cfdc9 – Trojan.Grager
ab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985 – Trojan.Grager
97551bd3ff8357831dc2b6d9e152c8968d9ce1cd0090b9683c38ea52c2457824 – Trojan.Grager
f69fb19604362c5e945d8671ce1f63bb1b819256f51568daff6fed6b5cc2f274 – Trojan.Ondritols
582b21409ee32ffca853064598c5f72309247ad58640e96287bb806af3e7bede – Trojan.Ondritols
79e56dc69ca59b99f7ebf90a863f5351570e3709ead07fe250f31349d43391e6 – Trojan.Ondritols
4057534799993a63f41502ec98181db0898d1d82df0d7902424a1899f8f7f9d2 – Trojan.Ondritols
a76507b51d84708c02ca2bd5a5775c47096bc740c9f7989afd6f34825edfcba6 – Trojan.Moontag
527fada7052b955ffa91df3b376cc58d387b39f2f44ebdcb54bc134e112a1c14 – Trojan.Moontag
fd9fc13dbd39f920c52fbc917d6c9ce0a28e0d049812189f1bb887486caedbeb – Trojan.Moontag
30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982 – Whipweave
hxxp://7-zip.tw/a/7z2301-x64[.]msi - Trojan.Grager download URL
hxxp://7-zip.tw/a/7z2301[.]msi - Trojan.Grager download URL
7-zip[.]tw – 7-Zip typosquatted domain
103.255.178[.]200 – MoonTag C&C
157.245.159[.]135 – Whipweave C&C
89.42.178[.]13 – Whipweave C&C
30sof.onedumb[.]com – Whipweave C&C
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide