May 7, 2024
Severity
High
Analysis Summary
Threat actors are increasingly exploiting the Microsoft Graph API as a means to establish and maintain communication with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.
This tactic has been observed among various nation-state-aligned threat groups since January 2022, including APT28, APT29, OilRig, and others. The strategy involves leveraging legitimate APIs to avoid detection, with recent instances highlighting the deployment of previously undocumented malware like BirdyClient.
The cybersecurity analysts said, "The malware found in Ukraine appeared to be named BirdyClient or OneDriveBirdyClient by its developers because references to both names were found in its code."
In one instance, researchers discovered an attack on an unnamed Ukrainian organization involving BirdyClient, which uses the Microsoft Graph API to interact with OneDrive for C&C operations. Notably, the attackers use a malicious DLL named "vxdiff.dll," posing as a legitimate component of the Apoint application, to connect discreetly to the Graph API. This tactic not only enables stealthy communications but also abuses widely used cloud services such as OneDrive, whose traffic often escapes suspicion because it is so commonplace.
The adoption of the Graph API for C&C operations represents a strategic shift by threat actors, aiming to exploit its perceived inconspicuousness and cost-effectiveness. By utilizing APIs tied to well-known services, attackers can potentially evade traditional security measures that flag unusual network traffic. Moreover, the availability of free basic accounts for cloud services like OneDrive makes them attractive infrastructure sources for malicious activities.
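As an added detection example (not from the advisory or the referenced research), the rules below run over a few constructed Sysmon-style events and flag the two behaviours described above: a process outside an allowlist contacting graph.microsoft.com, and a DLL named vxdiff.dll loaded from an unexpected directory or without a valid signature. The allowlist, the expected Apoint/Synaptics directories and the sample events are assumptions to be tuned for your own estate.

```python
# Allowlist of process images expected to talk to the Graph API (assumption:
# adjust for your environment; anything not listed is treated as suspicious).
TRUSTED_GRAPH_CLIENTS = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\microsoft onedrive\onedrive.exe",
}
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# DLL name from the advisory; the directories a genuine touchpad (Apoint)
# component would live in are an assumption for this example.
MASQUERADE_DLL = "vxdiff.dll"
EXPECTED_DLL_DIRS = (r"c:\program files\apoint", r"c:\program files\synaptics")

def analyze(events):
    """Return (rule, detail) findings for a list of Sysmon-like event dicts."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev["EventID"] == 3:  # Sysmon network connection
            host = ev.get("DestinationHostname", "").lower()
            if host in GRAPH_HOSTS and image not in TRUSTED_GRAPH_CLIENTS:
                findings.append(("graph-api-c2", f"{image} -> {host}"))
        elif ev["EventID"] == 7:  # Sysmon image (DLL) load
            loaded = ev.get("ImageLoaded", "").lower()
            if loaded.endswith("\\" + MASQUERADE_DLL) and (
                not loaded.startswith(EXPECTED_DLL_DIRS) or ev.get("Signed") != "true"
            ):
                findings.append(("vxdiff-sideload", f"{image} loaded {loaded}"))
    return findings

# Constructed sample telemetry: one benign OneDrive beacon, one suspicious
# process reaching the Graph API, one side-loaded DLL, one benign signed load.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "DestinationHostname": "graph.microsoft.com"},
    {"EventID": 3, "Image": r"C:\Users\Public\Apoint\Apoint.exe",
     "DestinationHostname": "graph.microsoft.com"},
    {"EventID": 7, "Image": r"C:\Users\Public\Apoint\Apoint.exe",
     "ImageLoaded": r"C:\Users\Public\Apoint\vxdiff.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
     "ImageLoaded": r"C:\Program Files\Synaptics\vxdiff.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```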
In parallel, broader cybersecurity concerns extend to cloud environments, where attackers exploit trusted relationships or compromised third-party entities to gain elevated access. A cloud security firm highlighted the risk posed by adversaries with privileged access, who leverage compromised external entities to execute commands within compute instances or hybrid environments. This underscores the complex nature of modern cyber threats, where attackers exploit both technical vulnerabilities and human relationships to infiltrate and operate within cloud infrastructures.
Impact
- Privilege Escalation
- Security Bypass
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Ensure that your operating system and all applications are up to date with the latest security patches and updates to prevent vulnerabilities that can be exploited by malware.
- Implement two-factor authentication for your online accounts to provide an additional layer of security.
- Avoid downloading and installing pirated software, as these sites are often a source of malware infections.
- Educate yourself and your employees on safe computing practices, such as being cautious when opening emails and downloading attachments, to prevent future infections.