Multiple hacker collectives are actively using the Microsoft Graph API to hide their communications with the command and control (C2) infrastructure hosted on Microsoft cloud services, cybersecurity researchers from the Symantec Threat Hunter Team have revealed.
The researchers claim that groups such as APT28, REF2924, Red Stinger, Flea, APT29 and Oilrig have been using this technique for two and a half years now to stay out of sight. Among the targets is an unnamed organization from Ukraine, which was infected with a previously unknown malware variant called BirdyClient.
The method of using Microsoft Graph APIs to hide malware communications was first seen in June 2021, but didn’t gain momentum until a year later.
Familiar and cheap
Symantec researchers believe that hacking groups choose Microsoft’s cloud services to host malware because of the company’s good reputation. This kind of traffic won’t cause any alarm, they claim:
“Attackers’ communications with C&C servers can often raise red flags at targeted organizations,” Symantec said. “The popularity of the Graph API among attackers may be driven by the belief that traffic to known entities, such as commonly used cloud services, is less likely to arouse suspicion.”
There’s also the matter of cost: “Not only does it look unobtrusive, but it’s also a cheap and secure source of infrastructure for attackers, as basic accounts for services like OneDrive are free.”
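The detection angle that follows from this: traffic to graph.microsoft.com is legitimate on almost every workstation, so the useful signal is which process is generating it, not the destination itself. The following is an added example (not code from the article or from Symantec) that scans constructed proxy/EDR network log lines, ignores processes an estate expects to use Graph (a hypothetical allow-list), and flags any other (host, process) pair reaching the API, counting OneDrive file read/write calls separately because that is the shape a file-based C2 channel over OneDrive would take.

```python
import re
from collections import Counter

# Constructed sample log lines, NOT from the article or Symantec's report.
# Fields: timestamp host process method url
SAMPLE_LOG = """\
2024-05-03T09:12:01Z ws-017 OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/messages
2024-05-03T09:12:44Z ws-017 msedge.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
2024-05-03T09:13:02Z ws-042 svc_helper.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content
2024-05-03T09:13:09Z ws-042 svc_helper.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/out.bin:/content
2024-05-03T09:14:00Z ws-042 svc_helper.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content
2024-05-03T09:14:10Z ws-042 chrome.exe GET https://www.example.com/
2024-05-03T09:15:00Z ws-042 svc_helper.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content
"""

# Hypothetical allow-list of processes this estate expects to talk to Graph; tune per environment.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe", "chrome.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not have the expected five fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "url": url}


def find_unexpected_graph_clients(log_text, allowlist=EXPECTED_GRAPH_CLIENTS):
    """Flag (host, process) pairs that reach graph.microsoft.com without being on the allow-list.

    Returns a list of (host, process, graph_requests, drive_content_ops) sorted by request count.
    drive_content_ops counts OneDrive file reads/writes (the ':/content' endpoint), the pattern
    a tasking/exfil channel hidden in OneDrive traffic would produce.
    """
    counts, drive_ops = Counter(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["url"].startswith("https://graph.microsoft.com/"):
            continue  # not a Graph API call (or an unparsable line)
        if ev["proc"] in allowlist:
            continue  # expected client, no alert
        key = (ev["host"], ev["proc"])
        counts[key] += 1
        if "/drive/" in ev["url"] and ev["url"].endswith(":/content"):
            drive_ops[key] += 1
    return sorted(((h, p, n, drive_ops[(h, p)]) for (h, p), n in counts.items()),
                  key=lambda r: -r[2])
```

Running it over the sample flags only ws-042/svc_helper.exe, with all four of its Graph calls being OneDrive file content operations; the allow-listed Outlook and Edge traffic on ws-017 is silent, which is exactly the blind spot the quoted Symantec statement describes.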
APT28 is a notorious Russian state-sponsored threat actor that has been observed abusing Microsoft solutions in the past. In mid-March this year, a report from IBM’s X-Force claimed that the group was abusing the ‘search-ms’ URI protocol handler to spread malware to phishing victims. Although the targets vary from campaign to campaign, they always align with the interests of the Russian Federation. Therefore, the victims are often located in Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, the USA and other countries.
Via The Hacker News