Multiple hacking collectives are been actively using Microsoft Graph API to hide their communications with command & control (C2) infrastructure hosted on Microsoft cloud services, cybersecurity researchers from Symantec Threat Hunter Team have revealed.
The researchers claim that for two and a half years now, groups such as APT28, REF2924, Red Stinger, Flea, APT29, and Oilrig, have been using this technique to remain out of sight. Among the targets is an unnamed organization from Ukraine, which was infected by a previously unknown malware variant dubbed BirdyClient.
The method of using Microsoft Graph APIs to hide malware communications was first seen in June 2021, but only picked up speed a year later.
Trusted and cheap
Symantec’s researchers believe hacking groups are opting for Microsoft cloud services to host malware, due to the company’s good standing. This kind of traffic isn’t going to raise any alarms, they argue:
“Attacker communications with C&C servers can often raise red flags in targeted organizations,” Symantec said. “The Graph API’s popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions.”
There’s also the question of costs: “In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free.”
APT28 is an infamous Russian state-sponsored threat actor that’s been observed abusing Microsoft solutions in the past. In mid-March this year, a report from IBM’s X-Force claimed the group was abusing the “search-ms” URI protocol handler to deploy malware to phishing victims. While its victims may vary from campaign to campaign, it always aligns with the interests of the Russian federation. Hence, the victims are often located in Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, the U.S., and others.
Via The Hacker News