Hackers Leveraging OneDrive & Google Drive To Hide Malicious Traffic

by Esmeralda McKenzie

Attackers, including nation-state actors, increasingly leverage legitimate cloud services for espionage operations, exploiting their low-profile and cost-effective nature.

Services such as Microsoft OneDrive and Google Drive help these operations evade detection because traffic to them blends in with that of trusted entities, enabling covert data exfiltration and tool development.

Researchers discovered a new Go-based backdoor, GoGra, deployed against a South Asian media organization in November 2023.

Leveraging the Microsoft Graph API for C2, GoGra reads encrypted email commands from a specific Outlook account, decrypts them using AES-256 CBC, and executes them via cmd.exe.

OneDrive or Google Drive for Cover

Attributed to the nation-state group Harvester, GoGra shares functional similarities with their .NET-based Graphon tool but differs in programming language, encryption key, command set, and C2 configuration.

The Firefly espionage group exfiltrated sensitive data from a Southeast Asian military organization using a custom Python wrapper around a publicly available Google Drive client.

By collecting files staged under a .jpg extension in the System32 directory and authenticating with a hardcoded OAuth refresh token, the attackers uploaded encrypted RAR archives containing documents, meeting notes, call transcripts, building plans, email folders, and financial data to a Google Drive account. A hardcoded refresh token is a useful artifact for defenders: it ties the tool to a single Google account, and reporting it lets the provider revoke it.

A new backdoor, Trojan.Grager, was used to target organizations in Asia in April 2024; it uses the Graph API to communicate with a C&C server hosted on Microsoft OneDrive.

The attack employed a typosquatted domain serving what appeared to be a legitimate 7-Zip installer (hxxp://7-zip.tw/a/7z2301-x64[.]msi).

This MSI downloaded a trojanized 7-Zip installer that installed genuine 7-Zip software alongside a malicious DLL (epdevmgr.dll), the Tonerjam malware, and the encrypted Grager backdoor (data.dat).

Mandiant identified Tonerjam as a launcher that deploys the Grager backdoor, which is linked to the suspected China-nexus espionage group UNC5330; the backdoor exfiltrates system information, manages files, and executes commands.

It specifically steals OneDrive credentials. UNC5330 previously exploited Ivanti Connect Secure VPN vulnerabilities to compromise appliances, showing that the group's tradecraft continues to evolve.

Symantec discovered a backdoor still under development, named MoonTag, that reuses code posted to a public Google Group.

The malware communicates via the Graph API and shares characteristics with the 9002 RAT, although direct attribution to Sabre Panda is inconclusive.

Strong indicators point to a Chinese-speaking threat actor, based on the language used in the code and on the infrastructure.

OneDriveTools is a new backdoor that targets IT service companies.

It uses the Microsoft Graph API to download and run payloads from OneDrive. For each victim it creates a unique folder, uploads the infection status there, and keeps communication going through heartbeat files and command execution in that folder.

Attackers also use Whipweave, a tunneling tool based on Free Connect, to connect to an Orbweaver network. This follows the growing trend of threat actors building command-and-control infrastructure on cloud services, a method other groups have already used successfully.

Recommended mitigations include blocking cloud services the organization does not use, monitoring network traffic for anomalies, application allowlisting where feasible, restricting cloud-service access to browser processes, identifying critical assets for data-exfiltration monitoring, and enabling host-based and cloud audit logging. Because the C2 endpoints in these cases (graph.microsoft.com, the Google Drive API) are the same ones legitimate clients use, blocking by destination is rarely an option; the useful signal is which process is talking to them and which account it authenticates as.
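As an added example (not code from the article, Symantec or Mandiant), the Python script below applies two of those practices to constructed Sysmon-style network events: it flags non-browser processes reaching Graph API and Google API endpoints, and matches destinations, IPs and file hashes against the IOCs listed below. The endpoint and process allowlists are assumptions to be tuned per environment, and the sample log lines are constructed.

```python
"""Triage cloud-API network events for the abuse pattern described above.

Added example, not code from the original article or from Symantec/Mandiant.
Assumptions: events arrive as single-line key=value records (a Sysmon
EventID 3 / EDR export rendered that way); the host and process lists are
illustrative and must be tuned per environment. IOC values come from the
article's IOC list; the log lines are constructed.
"""
import re
from typing import Dict, List

# Cloud-storage and identity endpoints that GoGra, Grager, OneDriveTools and the
# Firefly Google Drive wrapper would all need to reach (assumption: not exhaustive).
CLOUD_API_HOSTS = {
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "oauth2.googleapis.com",
    "www.googleapis.com",
}

# Processes expected to talk to those endpoints (assumption: tune per environment).
EXPECTED_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "onedrive.exe", "outlook.exe", "teams.exe", "googledrivefs.exe",
}

# Network and file IOCs from the article, refanged for matching.
IOC_DOMAINS = {"7-zip.tw", "30sof.onedumb.com"}
IOC_IPS = {"103.255.178.200", "157.245.159.135", "89.42.178.13"}
IOC_HASHES = {
    "d728cdcf62b497362a1ba9dbaac5e442cebe86145734410212d323a6c2959f0f": "Trojan.Gogra",
    "9f61ed14660d8f85d606605d1c4c23849bd7a05afd02444c3b33e3af591cfdc9": "Trojan.Grager",
    "30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982": "Whipweave",
}

# Constructed sample events (not real telemetry). Paths, placeholder hashes and
# 203.0.113.x addresses are illustrative; only the IOC values above are real.
SAMPLE_EVENTS = [
    'ts=2024-04-02T09:14:01Z host=ws01 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dst=graph.microsoft.com dst_ip=203.0.113.5 sha256=' + "0" * 64,
    'ts=2024-04-02T09:15:22Z host=ws01 image="C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" dst=graph.microsoft.com dst_ip=203.0.113.5 sha256=' + "1" * 64,
    'ts=2024-04-02T09:16:40Z host=ws01 image="C:\\ProgramData\\svc\\updater.exe" dst=graph.microsoft.com dst_ip=203.0.113.5 sha256=' + "2" * 64,
    'ts=2024-04-02T09:20:03Z host=ws02 image="C:\\Windows\\System32\\msiexec.exe" dst=7-zip.tw dst_ip=203.0.113.10 sha256=' + "3" * 64,
    'ts=2024-04-02T09:25:17Z host=ws02 image="C:\\Windows\\Temp\\tun.exe" dst=30sof.onedumb.com dst_ip=157.245.159.135 sha256=30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982',
    'ts=2024-04-02T09:31:55Z host=ws03 image="C:\\Python311\\python.exe" dst=oauth2.googleapis.com dst_ip=203.0.113.20 sha256=' + "4" * 64,
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def process_name(evt: Dict[str, str]) -> str:
    """Basename of the image path, lower-cased, for allowlist comparison."""
    return evt.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_anomalous_cloud_access(evt: Dict[str, str]) -> bool:
    """True when a process outside the allowlist reaches a cloud API endpoint."""
    return (evt.get("dst", "").lower() in CLOUD_API_HOSTS
            and process_name(evt) not in EXPECTED_PROCESSES)


def ioc_matches(evt: Dict[str, str]) -> List[str]:
    """Match destination host, IP and file hash against the published IOCs."""
    hits = []
    dst = evt.get("dst", "").lower()
    if dst in IOC_DOMAINS or any(dst.endswith("." + d) for d in IOC_DOMAINS):
        hits.append("domain:" + dst)
    if evt.get("dst_ip") in IOC_IPS:
        hits.append("ip:" + evt["dst_ip"])
    family = IOC_HASHES.get(evt.get("sha256", "").lower())
    if family:
        hits.append("hash:" + family)
    return hits


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event that hits an IOC or breaks the process allowlist."""
    findings = []
    for line in lines:
        evt = parse_event(line)
        reasons = ioc_matches(evt)
        if is_anomalous_cloud_access(evt):
            reasons.append(f"non-browser process {process_name(evt)} -> {evt['dst']}")
        if reasons:
            findings.append({"ts": evt.get("ts"), "host": evt.get("host"),
                             "process": process_name(evt), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the chrome.exe and OneDrive.exe connections pass, the updater.exe and python.exe connections to graph.microsoft.com and oauth2.googleapis.com are flagged by the allowlist rule, and the msiexec.exe and tun.exe events are flagged on IOC matches alone. Since graph.microsoft.com is also what legitimate Office clients use, the process allowlist rather than the destination carries the signal; confirm with cloud audit logs (which account the token belongs to) before blocking.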

IOC

d728cdcf62b497362a1ba9dbaac5e442cebe86145734410212d323a6c2959f0f – Trojan.Gogra
f1ccd604fcdc0034d94e575b3709cd124e13389bbee55c59cbbf7d4f3476e214 – Trojan.Gogra
9f61ed14660d8f85d606605d1c4c23849bd7a05afd02444c3b33e3af591cfdc9 – Trojan.Grager
ab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985 – Trojan.Grager
97551bd3ff8357831dc2b6d9e152c8968d9ce1cd0090b9683c38ea52c2457824 – Trojan.Grager
f69fb19604362c5e945d8671ce1f63bb1b819256f51568daff6fed6b5cc2f274 – Trojan.Ondritols
582b21409ee32ffca853064598c5f72309247ad58640e96287bb806af3e7bede – Trojan.Ondritols
79e56dc69ca59b99f7ebf90a863f5351570e3709ead07fe250f31349d43391e6 – Trojan.Ondritols
4057534799993a63f41502ec98181db0898d1d82df0d7902424a1899f8f7f9d2 – Trojan.Ondritols
a76507b51d84708c02ca2bd5a5775c47096bc740c9f7989afd6f34825edfcba6 – Trojan.Moontag
527fada7052b955ffa91df3b376cc58d387b39f2f44ebdcb54bc134e112a1c14 – Trojan.Moontag
fd9fc13dbd39f920c52fbc917d6c9ce0a28e0d049812189f1bb887486caedbeb – Trojan.Moontag
30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982 – Whipweave
hxxp://7-zip.tw/a/7z2301-x64[.]msi – Trojan.Grager download URL
hxxp://7-zip.tw/a/7z2301[.]msi – Trojan.Grager download URL
7-zip[.]tw – 7-Zip typosquatted domain
103.255.178[.]200 – MoonTag C&C
157.245.159[.]135 – Whipweave C&C
89.42.178[.]13 – Whipweave C&C
30sof.onedumb[.]com – Whipweave C&C

Source credit : cybersecuritynews.com