Cloud Cover: Exploiting Cloud Services for Malicious Purposes

Threat actors are increasingly abusing legitimate cloud services like Microsoft OneDrive and Google Drive to conduct espionage, C2, and data exfiltration, using cloud APIs to blend into normal traffic. The report highlights GoGra, Grager, MoonTag, Onedrivetools, and Firefly as examples of this trend and outlines recommended protections.
#GoGra #Grager

Keypoints

  • Threat actors increasingly use legitimate cloud services (OneDrive, Google Drive) for attacks and command-and-control communications.
  • Symantec Threat Hunter identified multiple espionage operations leveraging cloud services for data exfiltration and C2.
  • GoGra (Trojan.Gogra) uses Microsoft Graph API for C2, decrypts Outlook messages, and is linked to the Harvester group; it reads messages with subject “Input” and sends output with subject “Output”.
  • Google Drive exfiltration tool by Firefly searches for .jpg files in System32, uploads to Google Drive with a hardcoded refresh token, and often exfiltrates encrypted RAR files containing sensitive data.
  • Grager (Trojan.Grager) uses Graph API to talk to a OneDrive-based C2; dropped via a typosquatted 7-Zip MSI and includes a malicious DLL and data.dat.
  • Onedrivetools (Trojan.Ondritols) is a multi-stage backdoor that authenticates to Graph API, downloads stages from OneDrive, and signals status via OneDrive; it also uses Whipweave to obscure origins.
  • MoonTag (Trojan.Moontag) is under development with Graph API communication and possible links to a Chinese-speaking threat actor; BirdyClient (May 2024) demonstrates rapid ongoing adoption of cloud-based C2.
  • Overall trend shows multiple actors mimicking techniques from others, indicating rapid evolution and diffusion of cloud-based attack methods.

MITRE Techniques

  • [T1585.003] Establish Accounts: Cloud Accounts – Adversaries may create accounts with cloud providers for targeting operations.
  • [T1608.001] Stage Capabilities: Upload Malware – Adversaries may upload malware to third-party infrastructure for accessibility during targeting.
  • [T1608.002] Stage Capabilities: Upload Tool – Adversaries may upload tools to adversary-controlled infrastructure for operational support.
  • [T1059.009] Command and Scripting Interpreter: Cloud API – Adversaries may abuse cloud APIs to execute malicious commands.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Adversaries may exfiltrate data to cloud storage services instead of primary C&C channels.

Indicators of Compromise

  • [SHA256] Trojan.Gogra – d728cdcf62b497362a1ba9dbaac5e442cebe86145734410212d323a6c2959f0f, f1ccd604fcdc0034d94e575b3709cd124e13389bbee55c59cbbf7d4f3476e214 (context: GoGra backdoor samples)
  • [SHA256] Trojan.Grager – 9f61ed14660d8f85d606605d1c4c23849bd7a05afd02444c3b33e3af591cfdc9, ab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985 (context: Grager backdoor samples)
  • [SHA256] Trojan.Ondritols – f69fb19604362c5e945d8671ce1f63bb1b819256f51568daff6fed6b5cc2f274, 582b21409ee32ffca853064598c5f72309247ad58640e96287bb806af3e7bede (context: Onedrivetools backdoor samples)
  • [SHA256] Trojan.Moontag – a76507b51d84708c02ca2bd5a5775c47096bc740c9f7989afd6f34825edfcba6, 527fada7052b955ffa91df3b376cc58d387b39f2f44ebdcb54bc134e112a1c14 (context: MoonTag backdoor)
  • [SHA256] Whipweave – 30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982 (context: Whipweave tunneling tool)
  • [URL] hxxp://7-zip.tw/a/7z2301-x64[.]msi, hxxp://7-zip.tw/a/7z2301[.]msi – Trojan.Grager download URLs (context: typosquatted dropper)
  • [Domain] 7-zip[.]tw – Typosquatted domain used in Grager dropper (context: dropper distribution)
  • [IP] 103.255.178[.]200 – MoonTag C&C (context: command-and-control IP)
  • [IP] 157.245.159[.]135 – Whipweave C&C (context: command-and-control IP)
  • [IP] 89.42.178[.]13 – Whipweave C&C (context: command-and-control IP)
  • [Domain] 30sof.onedumb[.]com – Whipweave C&C domain (context: command-and-control domain)
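The detection angle the Keypoints and the Indicators of Compromise above suggest is that cloud-API C2 and exfiltration look like ordinary Graph API or Google API traffic, so the useful signals are the published network IoCs and, for the families without a fixed C2 host, which process on the endpoint is talking to the cloud API and how much it sends. The script below is an added example, not code from the Symantec report, that runs three such checks over constructed endpoint network events. The report's domains and IPs are taken from the IoC list above; the cloud API hostnames, the allowlist of expected processes, the byte threshold and the log line format are assumptions to be replaced with your own baseline.

```python
"""Added example: flag endpoint network events that hit the report's network
IoCs or show the cloud-API C2/exfiltration pattern the report describes."""
import re
from collections import defaultdict

# Network IoCs as published on the page, in their defanged form.
REPORT_IOCS = {
    "7-zip[.]tw": "Trojan.Grager dropper domain",
    "30sof.onedumb[.]com": "Whipweave C&C domain",
    "103.255.178[.]200": "MoonTag C&C",
    "157.245.159[.]135": "Whipweave C&C",
    "89.42.178[.]13": "Whipweave C&C",
}

# Assumption: public Microsoft Graph / Google API hostnames; not taken from the page.
CLOUD_API_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com",
                   "www.googleapis.com", "oauth2.googleapis.com"}

# Assumption: processes that legitimately use those APIs in your environment.
# Build this allowlist from your own baseline; these names are illustrative.
EXPECTED_PROCESSES = {"outlook.exe", "onedrive.exe", "teams.exe",
                      "msedge.exe", "chrome.exe", "googledrivefs.exe"}

# Assumption: bytes one process on one host may send to cloud APIs before we
# call it a bulk upload. Tune to your environment.
EXFIL_BYTES = 1_000_000


def refang(ioc: str) -> str:
    """Turn the defanged form ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_LOOKUP = {refang(k): v for k, v in REPORT_IOCS.items()}

# Constructed event format (not a real product's log format): one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) ip=(?P<ip>\S+) out=(?P<out>\d+)$")


def parse(line: str):
    """Parse one event line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["out"] = int(ev["out"])
    ev["proc"] = ev["proc"].lower()
    return ev


def analyze(lines):
    """Return unique (host, proc, reason) findings for the given events."""
    findings, seen = [], set()
    sent = defaultdict(int)          # (host, proc) -> bytes sent to cloud APIs
    volume_flagged = set()

    def add(finding):
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        # Rule 1: direct hit on a published IoC (domain or IP).
        for key in (ev["dst"], ev["ip"]):
            if key in IOC_LOOKUP:
                add((ev["host"], ev["proc"], f"IoC match: {key} ({IOC_LOOKUP[key]})"))
                break
        if ev["dst"] not in CLOUD_API_HOSTS:
            continue
        # Rule 2: a cloud API used by a process that never does so in the baseline.
        if ev["proc"] not in EXPECTED_PROCESSES:
            add((ev["host"], ev["proc"], f"cloud API {ev['dst']} from unexpected process"))
        # Rule 3: cumulative upload volume to cloud APIs from one process.
        k = (ev["host"], ev["proc"])
        sent[k] += ev["out"]
        if sent[k] >= EXFIL_BYTES and k not in volume_flagged:
            volume_flagged.add(k)
            add((ev["host"], ev["proc"], f"{sent[k]} bytes sent to cloud APIs"))
    return findings


# Constructed sample events (not captured traffic).
SAMPLE_LOG = """\
2024-08-01T10:00:01Z host=WS01 proc=outlook.exe dst=graph.microsoft.com ip=20.190.1.1 out=2048
2024-08-01T10:00:05Z host=WS01 proc=svchost_update.exe dst=graph.microsoft.com ip=20.190.1.1 out=8192
2024-08-01T10:01:10Z host=WS02 proc=msiexec.exe dst=7-zip.tw ip=203.0.113.7 out=512
2024-08-01T10:02:00Z host=WS03 proc=chrome.exe dst=www.googleapis.com ip=142.250.1.1 out=4096
2024-08-01T10:03:00Z host=WS03 proc=dwm_helper.exe dst=www.googleapis.com ip=142.250.1.1 out=600000
2024-08-01T10:03:30Z host=WS03 proc=dwm_helper.exe dst=www.googleapis.com ip=142.250.1.1 out=600000
2024-08-01T10:04:00Z host=WS04 proc=svchost.exe dst=30sof.onedumb.com ip=157.245.159.135 out=300
""".splitlines()

if __name__ == "__main__":
    for host, proc, reason in analyze(SAMPLE_LOG):
        print(f"{host:5} {proc:20} {reason}")
```

Rule 1 is the only check with a fixed answer; Rules 2 and 3 exist because the GoGra, Grager, Onedrivetools and Firefly cases all talk to the provider's own API endpoints, where domain blocking is not an option, so the per-process baseline and the volume counter carry the detection. Expect the allowlist to need per-environment tuning before the unexpected-process rule is quiet enough to page on.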

Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/cloud-espionage-attacks