Threat actors are increasingly abusing the Microsoft Graph API for malicious purposes in an attempt to evade detection. According to a report shared by the Symantec Threat Hunter Team, the tactic is used to communicate with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.
Since January 2022, several nation-state-aligned hacking groups, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig, have been observed using the Microsoft Graph API for C&C activities. The first documented instance of Microsoft Graph API abuse dates back to June 2021, associated with an activity cluster known as Harvester, which utilized a custom implant called Graphon for communication with Microsoft infrastructure.
Recently, Symantec detected a similar technique being used against an unspecified organization in Ukraine, involving the deployment of a previously undisclosed malware called BirdyClient (also known as OneDriveBirdyClient). This malware employs a DLL file named ‘vxdiff.dll,’ which shares its name with a legitimate DLL associated with an application called Apoint (‘apoint.exe’). The malicious DLL is designed to interact with the Microsoft Graph API and utilize OneDrive as a C&C server for uploading and downloading files.
The exact method of distributing the DLL file, including whether it involves DLL side-loading, is currently unknown. Furthermore, the identity and motives of the threat actors remain unclear.
According to Symantec, communication between attackers and C&C servers can often raise suspicions within targeted organizations. The Graph API's popularity among attackers likely stems from the belief that traffic to well-known, widely used cloud services is less likely to be flagged. Such services also give attackers cheap, reliable infrastructure, since basic accounts for platforms like OneDrive are free. The practical consequence for defenders is that blocking or alerting on the destination alone is not viable, because graph.microsoft.com is legitimate traffic in almost every Microsoft 365 environment; detection has to key on which process or identity is generating the traffic and whether that is expected.
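The following is an added example, not code from the Symantec report or from any of the tooling it describes, showing one way to apply that idea: scan Sysmon-style network events for connections to Graph API and token endpoints that originate from processes outside an expected baseline. The event lines, the `updater.exe` image path and the list of expected process names are all constructed assumptions; graph.microsoft.com and login.microsoftonline.com are the real Microsoft hostnames involved in a Graph API session.

```python
"""Flag Graph API / Microsoft login traffic from unexpected processes.

Added example, not from the Symantec report. Input is a set of constructed
JSON event lines in the shape of Sysmon Event ID 3 (network connection)
records with Image, User and DestinationHostname fields.
"""
import json
from collections import Counter

# Real hostnames: the Graph API itself and the endpoint that issues the
# OAuth tokens a Graph client must obtain first.
GRAPH_RELATED_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Assumed baseline of process names that legitimately use these hosts in a
# typical Microsoft 365 estate. A defender would tune this per environment.
EXPECTED_IMAGES = {
    "onedrive.exe", "outlook.exe", "teams.exe", "ms-teams.exe",
    "msedge.exe", "chrome.exe", "firefox.exe", "winword.exe", "excel.exe",
}

# Constructed sample telemetry. The fourth event's process is a made-up
# binary in a user-writable directory; it is not a claim about BirdyClient.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "User": "CORP\\alice", "DestinationHostname": "graph.microsoft.com"}
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "User": "CORP\\alice", "DestinationHostname": "login.microsoftonline.com"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "User": "CORP\\alice", "DestinationHostname": "login.microsoftonline.com"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "User": "CORP\\alice", "DestinationHostname": "graph.microsoft.com"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "User": "CORP\\alice", "DestinationHostname": "example.com"}
{"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "User": "CORP\\alice", "DestinationHostname": "graph.microsoft.com"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "User": "CORP\\alice", "DestinationHostname": "graph.microsoft.com"}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious(raw: str) -> list[dict]:
    """Return events to Graph-related hosts whose process is not in the baseline.

    Destination-based blocking is useless here because the hosts are
    legitimate, so the only discriminator is the originating process.
    """
    hits = []
    for ev in parse_events(raw):
        host = ev.get("DestinationHostname", "").lower()
        if host not in GRAPH_RELATED_HOSTS:
            continue
        name = image_name(ev.get("Image", ""))
        if name in EXPECTED_IMAGES:
            continue
        hits.append({
            "image": ev.get("Image", ""),
            "user": ev.get("User", ""),
            "host": host,
        })
    return hits


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count flagged connections per executable name.

    A single unexpected connection may be noise; a process repeatedly
    reaching graph.microsoft.com is the pattern worth investigating.
    """
    return dict(Counter(image_name(h["image"]) for h in hits))


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_EVENTS)
    for h in flagged:
        print(f"{h['user']} {h['image']} -> {h['host']}")
    print(summarize(flagged))
```

Run against the constructed sample, the OneDrive, Outlook and Edge connections are ignored and the three connections from the unexpected `updater.exe` to Graph-related hosts are surfaced and grouped under one process name. In production the same logic would consume EDR or proxy telemetry, and the baseline of expected images would be derived from observed behaviour rather than hard-coded.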
This development coincides with findings from Permiso on how cloud administration commands can be abused by adversaries who hold privileged access to execute commands on virtual machines. According to the cloud security firm, attackers often exploit trusted relationships: by compromising third-party vendors or contractors who have privileged access to manage a customer's cloud environment, they inherit that elevated access and can run commands on connected compute instances (VMs) or in hybrid environments.