May 03, 2024NewsroomCloud Security / Threat Intelligence

Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection.

This is done to “facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services,” the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.

The first known instance of Microsoft Graph API prior to its wider adoption dates back to June 2021 in connection with an activity cluster dubbed Harvester that was found using a custom implant known as Graphon that utilized the API to communicate with Microsoft infrastructure.

Symantec said it recently detected the use of the same technique against an unnamed organization in Ukraine, which involved the deployment of a previously undocumented piece of malware called BirdyClient (aka OneDriveBirdyClient).

A DLL file with the name “vxdiff.dll,” which is the same as a legitimate DLL associated with an application called Apoint (“apoint.exe”), it’s designed to connect to the Microsoft Graph API and use OneDrive as a C&C server to upload and download files from it.

The exact distribution method of the DLL file, and if it entails DLL side-loading, is presently unknown. There is also no clarity on who the threat actors are or what their ultimate goals are.

“Attacker communications with C&C servers can often raise red flags in targeted organizations,” Symantec said. “The Graph API’s popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions.

“In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free.”

The development comes as Permiso revealed how cloud administration commands could be exploited by adversaries with privileged access to execute commands on virtual machines.

“Most times, attackers leverage trusted relationships to execute commands in connected compute instances (VMs) or hybrid environments by compromising third-party external vendors or contractors who have privileged access to manage internal cloud-based environments,” the cloud security firm said.

“By compromising these external entities, attackers can gain elevated access that allows them to execute commands within compute instances (VMs) or hybrid environments.”