Attackers, including nation-state actors, increasingly route espionage operations through legitimate cloud services: the infrastructure is cheap, it needs no attacker-registered domain or hosting that can be traced back to them, and its traffic is hard to tell apart from normal business use.
Connections to services such as Microsoft OneDrive and Google Drive are trusted by most organizations and rarely blocked, so command-and-control (C2) and data exfiltration carried over them blend into legitimate traffic, and the same accounts double as staging points for the attackers' tooling.
Researchers discovered a previously unseen Go-based backdoor, GoGra, deployed against a South Asian media organization in November 2023.
GoGra uses the Microsoft Graph API as its C2 channel: it reads messages from a specific Outlook mailbox, decrypts each message body with AES-256 in CBC mode, and runs the recovered command through cmd.exe. Every hop in that path terminates at graph.microsoft.com over HTTPS, so there is no attacker-owned domain or IP address for a perimeter control to block.
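To make that envelope concrete, the following Go program (an added example written for this article, not GoGra's code) reproduces the channel described above against an in-memory mailbox: an operator-side function wraps a command as base64(IV || AES-256-CBC ciphertext), and the implant-side function pulls messages carrying an agreed subject marker, decrypts them and returns the plaintext that the real backdoor would hand to cmd.exe. The key derivation, the subject marker "Input" and the sample messages are assumptions; the decrypt path is the part an analyst would reuse to recover tasking from a mailbox export once the key has been pulled from a sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// message is the subset of a Graph /me/messages item this example needs; the inbox is constructed in memory.
type message struct {
	Subject string
	Body    string // base64( IV || AES-256-CBC ciphertext ), PKCS#7 padded
}

// newCipher derives a 32-byte key (AES-256) from a hypothetical passphrase standing in for a key recovered from a sample.
func newCipher(passphrase string) cipher.Block {
	k := sha256.Sum256([]byte(passphrase))
	blk, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // cannot happen: 32 bytes is always a valid AES key length
	}
	return blk
}

// pkcs7Unpad rejects malformed padding instead of returning garbage.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptCommand builds the envelope an operator would place in a mail body (used only to construct the sample).
func encryptCommand(blk cipher.Block, iv []byte, cmd string) string {
	pad := aes.BlockSize - len(cmd)%aes.BlockSize
	pt := append([]byte(cmd), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}

// decryptCommand reverses it: base64 -> split off IV -> AES-CBC -> strip padding.
func decryptCommand(blk cipher.Block, body string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("body is not an IV plus whole ciphertext blocks")
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	out, err := pkcs7Unpad(pt)
	return string(out), err
}

// pullCommands mirrors the implant's mailbox poll: only messages with the agreed subject marker are tasking.
func pullCommands(blk cipher.Block, inbox []message, marker string) ([]string, error) {
	var cmds []string
	for _, m := range inbox {
		if m.Subject != marker {
			continue
		}
		c, err := decryptCommand(blk, m.Body)
		if err != nil {
			return nil, fmt.Errorf("message %q: %w", m.Subject, err)
		}
		cmds = append(cmds, c) // the real implant would pass each to cmd.exe /c
	}
	return cmds, nil
}

// sampleInbox is a constructed mailbox: two tasking messages and one unrelated mail.
func sampleInbox(blk cipher.Block) []message {
	iv := []byte("0123456789abcdef") // 16 bytes, fixed for reproducibility only
	var inbox []message
	for _, cmd := range []string{"whoami", "ipconfig /all"} {
		inbox = append(inbox, message{Subject: "Input", Body: encryptCommand(blk, iv, cmd)})
	}
	return append(inbox, message{Subject: "Quarterly newsletter", Body: "Hello all"})
}

func main() {
	blk := newCipher("hypothetical-gogra-style-key")
	cmds, err := pullCommands(blk, sampleInbox(blk), "Input")
	fmt.Println(cmds, err) // [whoami ipconfig /all] <nil>
}
```

Two details matter for analysis. A fixed IV is used only so the sample is reproducible; in a real capture the IV is the first 16 bytes of each body and changes per message. And the padding check is strict on purpose: decrypting with the wrong key almost always yields invalid padding, so an error from pkcs7Unpad is the quickest sign that the key extracted from the sample is not the one this mailbox was using.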
OneDrive Or Google Drive For Cover
Attributed to the nation-state group Harvester, GoGra shares functionality with the group's earlier .NET-based Graphon tool but differs in programming language, encryption key, command set, and C2 configuration.
The Firefly espionage group exfiltrated sensitive data from a Southeast Asian military organization using a custom Python wrapper around a publicly available Google Drive client.
The wrapper authenticated with a hardcoded OAuth refresh token and uploaded every file with a .jpg extension found in the System32 directory. Those "images" were in fact encrypted RAR archives the attackers had staged there, containing documents, meeting notes, call transcripts, building plans, email folders, and financial data, all pushed to a single attacker-controlled Google Drive account.
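The giveaway for this kind of staging is the mismatch between a file's extension and its header: RAR keeps its plain container signature even when the entries inside are encrypted. The Go program below (an added example for this article, not Firefly's tool) walks a directory, reads the first bytes of every .jpg/.jpeg and reports files whose header is a RAR signature rather than JPEG's SOI marker. The sample tree it writes into a temp directory is constructed for the demonstration; point scanDisguisedArchives at System32 or any other staging directory on a real host.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Header signatures. RAR 4.x and 5.x archives both start with "Rar!\x1a\x07";
// JPEG files start with the SOI marker. An encrypted RAR still carries this
// plain header because RAR encrypts entries, not the container.
var (
	rarMagic  = []byte("Rar!\x1a\x07")
	jpegMagic = []byte{0xFF, 0xD8, 0xFF}
)

// classify labels the first bytes of a file.
func classify(head []byte) string {
	switch {
	case bytes.HasPrefix(head, rarMagic):
		return "rar"
	case bytes.HasPrefix(head, jpegMagic):
		return "jpeg"
	}
	return "other"
}

// Finding is a file whose name says image but whose bytes say otherwise.
type Finding struct {
	Path string
	Kind string
}

// scanDisguisedArchives walks dir and reports every .jpg/.jpeg whose header is not a JPEG.
func scanDisguisedArchives(dir string) ([]Finding, error) {
	var out []Finding
	err := filepath.Walk(dir, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		ext := strings.ToLower(filepath.Ext(p))
		if ext != ".jpg" && ext != ".jpeg" {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		head := make([]byte, 8)
		n, _ := io.ReadFull(f, head) // a short file simply yields fewer bytes
		if kind := classify(head[:n]); kind != "jpeg" {
			out = append(out, Finding{Path: p, Kind: kind})
		}
		return nil
	})
	return out, err
}

// writeSampleTree populates dir with constructed files: one real JPEG header,
// two RAR headers hiding behind image extensions, and an unrelated text file.
func writeSampleTree(dir string) error {
	files := map[string][]byte{
		"wallpaper.jpg": append([]byte{0xFF, 0xD8, 0xFF, 0xE0}, []byte("JFIF...")...),
		"cache01.jpg":   append([]byte("Rar!\x1a\x07\x01\x00"), []byte("<encrypted entries>")...),
		"thumb.jpeg":    append([]byte("Rar!\x1a\x07\x00"), []byte("<encrypted entries>")...),
		"readme.txt":    []byte("not an image, not scanned"),
	}
	for name, data := range files {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "exfil-staging")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := writeSampleTree(dir); err != nil {
		panic(err)
	}
	findings, err := scanDisguisedArchives(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: extension says image, header says %s\n", filepath.Base(f.Path), f.Kind)
	}
}
```

The scan is cheap (eight bytes per file) and catches the specific trick on this page, but it is a hunt query, not a control: an attacker who also strips or rewrites the header defeats it. The durable signal is on the network side, where a non-browser process authenticating to the Drive API with a refresh token the organization never issued is anomalous regardless of what the staged files look like.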
A new backdoor, Trojan.Grager, was used against organizations in Asia in April 2024; it uses the Graph API to reach a C&C channel hosted on Microsoft OneDrive.
The attack employed a typosquatted URL disguised as a legitimate 7-Zip installer (hxxp://7-zip.tw/a/7z2301-x64[.]msi).
This MSI downloaded a Trojanized 7-Zip installer that installed genuine 7-Zip software alongside a malicious DLL (epdevmgr.dll), Tonerjam malware, and the encrypted Grager backdoor (data.dat).
Mandiant has previously documented Tonerjam as a launcher used by the suspected China-nexus espionage group UNC5330; here it deploys the Grager backdoor, which collects system information, manages files, and executes commands.
Grager also harvests OneDrive credentials. UNC5330 has previously exploited Ivanti Connect Secure VPN vulnerabilities to compromise edge appliances, so the group remains an active threat well beyond this campaign.
Symantec also found an under-development backdoor named MoonTag whose code is based on a sample published in a public Google Group.
The malware communicates via the Graph API and shares characteristics with the 9002 RAT, though the evidence does not support a firm attribution to Sabre Panda.
Strong indicators point to a Chinese-speaking threat actor, based on the language used in the code and in the infrastructure. A separate new backdoor, OneDriveTools, targets IT service companies.
It uses the Microsoft Graph API to download and run payloads from OneDrive. On first run it creates a folder unique to the victim and uploads a file recording the infection status; after that it keeps the channel alive through heartbeat files and command files exchanged in that folder, so the entire C2 conversation is a series of ordinary file uploads and downloads against an attacker-controlled OneDrive.
Attackers also used Whipweave, a tunneling tool based on the open-source Free Connect (FCN) VPN project, to connect compromised hosts to the Orbweaver network. Tunneling through such a network hides the operators' true origin in the same way cloud C2 hides their infrastructure, and it fits the broader trend of threat actors moving command-and-control onto cloud and relay infrastructure that has already worked for other groups.
Best practices include blocking cloud services the organization does not use, monitoring network traffic for anomalies, considering application allowlisting, restricting access to cloud services to browsers and known sync clients rather than arbitrary processes, identifying the critical assets whose loss would hurt most and monitoring them specifically for exfiltration, and enabling host-based and cloud audit logging. One caveat: blocking graph.microsoft.com or drive.google.com outright is rarely an option for an organization running Microsoft 365 or Google Workspace. In that case the useful signal is which process opened the connection and which account it authenticated as, which is exactly what process-to-network telemetry on the host and the provider's sign-in and audit logs supply.
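The "restrict cloud access to known processes" and "enable host logging" points above, together with the Graph and OneDrive polling described for GoGra and OneDriveTools, reduce to one triage rule: which processes opened connections to the cloud endpoints, and how often. The Go program below (an added example, not from the report) applies that rule to constructed process-to-network telemetry. The endpoint list, the allowlist of expected process images, the JSON field names and the implant path are assumptions to be tuned to the estate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Conn is one outbound connection as a SIEM might export it after joining
// Sysmon Event ID 3 (network connect) with Event ID 22 (DNS query), so the
// name the process asked for is attached rather than a reverse lookup.
// Field names are this example's own.
type Conn struct {
	TS    string `json:"ts"`
	Image string `json:"image"`
	Host  string `json:"host"`
	Port  int    `json:"port"`
}

// cloudC2Hosts: Graph/OneDrive for GoGra, Grager, MoonTag and OneDriveTools,
// Drive for Firefly's uploader, plus the token endpoints every such client hits first.
var cloudC2Hosts = map[string]bool{
	"graph.microsoft.com": true, "login.microsoftonline.com": true,
	"api.onedrive.com": true, "drive.google.com": true,
	"www.googleapis.com": true, "oauth2.googleapis.com": true,
}

// expectedImages may legitimately talk to those endpoints. Tune per estate; the
// point is that cmd.exe, python.exe or a binary in a user profile is not on it.
var expectedImages = map[string]bool{
	"msedge.exe": true, "chrome.exe": true, "firefox.exe": true,
	"outlook.exe": true, "onedrive.exe": true, "teams.exe": true,
}

type Alert struct {
	Image string
	Host  string
	Count int
}

// findCloudC2 parses newline-delimited JSON and keeps connections to the cloud
// endpoints from processes not expected to use them, aggregated per (image,
// host) so a polling implant surfaces as a count rather than one line.
func findCloudC2(ndjson string) ([]Alert, error) {
	counts := map[Alert]int{}
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var c Conn
		if err := json.Unmarshal([]byte(line), &c); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		host := strings.ToLower(c.Host)
		if !cloudC2Hosts[host] {
			continue
		}
		// Take the basename by hand: filepath.Base on Linux ignores backslashes.
		img := strings.ToLower(c.Image[strings.LastIndexAny(c.Image, `\/`)+1:])
		if expectedImages[img] {
			continue
		}
		counts[Alert{Image: img, Host: host}]++
	}
	var out []Alert
	for k, n := range counts {
		k.Count = n
		out = append(out, k)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Count != out[j].Count {
			return out[i].Count > out[j].Count
		}
		return out[i].Image < out[j].Image
	})
	return out, nil
}

// sampleLog is constructed telemetry: Outlook and Chrome doing their jobs, a
// hypothetical implant under C:\Users\Public polling Graph every five minutes,
// a Python interpreter pushing to the Drive API, and unrelated system traffic.
const sampleLog = `
{"ts":"2024-04-02T08:00:01Z","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","host":"graph.microsoft.com","port":443}
{"ts":"2024-04-02T08:00:05Z","image":"C:\\Users\\Public\\Libraries\\winsvc.exe","host":"graph.microsoft.com","port":443}
{"ts":"2024-04-02T08:05:05Z","image":"C:\\Users\\Public\\Libraries\\winsvc.exe","host":"graph.microsoft.com","port":443}
{"ts":"2024-04-02T08:10:05Z","image":"C:\\Users\\Public\\Libraries\\winsvc.exe","host":"graph.microsoft.com","port":443}
{"ts":"2024-04-02T08:11:00Z","image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe","host":"www.googleapis.com","port":443}
{"ts":"2024-04-02T08:12:00Z","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","host":"drive.google.com","port":443}
{"ts":"2024-04-02T08:13:00Z","image":"C:\\Windows\\System32\\svchost.exe","host":"ctldl.windowsupdate.com","port":443}
`

func main() {
	alerts, err := findCloudC2(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-12s -> %-26s %d connection(s)\n", a.Image, a.Host, a.Count)
	}
}
```

An allowlist keyed on the image name alone is a starting point, not a defence: an implant can be renamed to chrome.exe or injected into a real browser. Pair the image name with its signer and hash in the same event, and correlate the host-side hits with the provider's sign-in logs, where a Graph or Drive token issued to an unknown application or an account that never had a reason to use the service is the cloud-side half of the same picture.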
IOCs
d728cdcf62b497362a1ba9dbaac5e442cebe86145734410212d323a6c2959f0f – Trojan.Gogra
f1ccd604fcdc0034d94e575b3709cd124e13389bbee55c59cbbf7d4f3476e214 – Trojan.Gogra
9f61ed14660d8f85d606605d1c4c23849bd7a05afd02444c3b33e3af591cfdc9 – Trojan.Grager
ab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985 – Trojan.Grager
97551bd3ff8357831dc2b6d9e152c8968d9ce1cd0090b9683c38ea52c2457824 – Trojan.Grager
f69fb19604362c5e945d8671ce1f63bb1b819256f51568daff6fed6b5cc2f274 – Trojan.Ondritols
582b21409ee32ffca853064598c5f72309247ad58640e96287bb806af3e7bede – Trojan.Ondritols
79e56dc69ca59b99f7ebf90a863f5351570e3709ead07fe250f31349d43391e6 – Trojan.Ondritols
4057534799993a63f41502ec98181db0898d1d82df0d7902424a1899f8f7f9d2 – Trojan.Ondritols
a76507b51d84708c02ca2bd5a5775c47096bc740c9f7989afd6f34825edfcba6 – Trojan.Moontag
527fada7052b955ffa91df3b376cc58d387b39f2f44ebdcb54bc134e112a1c14 – Trojan.Moontag
fd9fc13dbd39f920c52fbc917d6c9ce0a28e0d049812189f1bb887486caedbeb – Trojan.Moontag
30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982 – Whipweave
hxxp://7-zip.tw/a/7z2301-x64[.]msi – Trojan.Grager download URL
hxxp://7-zip.tw/a/7z2301[.]msi – Trojan.Grager download URL
7-zip[.]tw – 7-Zip typosquatted domain
103.255.178[.]200 – MoonTag C&C
157.245.159[.]135 – Whipweave C&C
89.42.178[.]13 – Whipweave C&C
30sof.onedumb[.]com – Whipweave C&C