“Unmasking VEILDrive: Threat Actors Exploit Microsoft Services for Command and Control”

Summary:

Hunters’ Team AXON has identified an ongoing threat campaign named “VEILDrive,” which exploits Microsoft SaaS services like Teams, SharePoint, Quick Assist, and OneDrive for malicious activities. The campaign utilizes a unique OneDrive-based Command & Control method embedded in Java malware. The investigation suggests a probable Russian origin, and findings have been reported to Microsoft and affected organizations.


Key points:

  • VEILDrive is an ongoing threat campaign identified by Hunters’ Team AXON.
  • The campaign exploits Microsoft SaaS services, including Teams, SharePoint, Quick Assist, and OneDrive.
  • A unique OneDrive-based Command & Control (C&C) method is utilized in the malware.
  • The malware is a Java-based .jar file that is readable and lacks obfuscation.
  • The campaign is believed to originate from Russia.
  • AXON reported findings to Microsoft and reached out to affected organizations.
  • The attack techniques diverge from typical threat behavior, complicating detection.
  • Malware evaded detection by top-tier EDR tools and VirusTotal security engines.

MITRE Techniques:

  • Command and Control (T1071): Utilizes OneDrive as a Command & Control channel to maintain communication with compromised systems.
  • Initial Access (T1566): Employs spear-phishing through Microsoft Teams to lure victims into executing malware.
  • Execution (T1059): Executes commands via PowerShell using the Java malware.
  • Persistence (T1053): Creates scheduled tasks to maintain persistence on compromised systems.
  • Credential Access (T1003): Uses hard-coded credentials for authentication to Entra ID for accessing OneDrive.
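As an added defensive example (not code from the Hunters report), the following Python flags the behaviours mapped above, Java spawning PowerShell, Java creating scheduled tasks, and a Java process reaching OneDrive/Entra ID endpoints, over constructed endpoint telemetry; the event field names, sample values and host list are assumptions.

```python
# Added example, not from the Hunters report: flag the behaviours the MITRE
# mapping above describes. Event records and field names are constructed.
from typing import Dict, List

JAVA = ("java.exe", "javaw.exe")
# Assumed Microsoft endpoints a OneDrive/Entra ID C2 channel would touch.
CLOUD_HOSTS = ("login.microsoftonline.com", "graph.microsoft.com",
               "onedrive.live.com", "-my.sharepoint.com")

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the VEILDrive-style behaviours an event exhibits, if any."""
    hits = []
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()
    host = event.get("dest_host", "").lower()
    if parent in JAVA and image in ("powershell.exe", "pwsh.exe"):
        hits.append("java_spawned_powershell")
    if parent in JAVA and image == "schtasks.exe" and "/create" in cmdline:
        hits.append("java_created_scheduled_task")
    if image in JAVA and any(h in host for h in CLOUD_HOSTS):
        hits.append("java_to_microsoft_cloud")
    return hits

# Constructed telemetry: one benign Java process and three suspicious events.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Java\bin\java.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "java -jar update.jar", "dest_host": "repo.example.internal"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": "powershell -NoProfile -File task.ps1", "dest_host": ""},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": 'schtasks /Create /SC ONLOGON /TN Updater /TR "javaw -jar update.jar"', "dest_host": ""},
    {"image": r"C:\Program Files\Java\bin\java.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "java -jar update.jar", "dest_host": "graph.microsoft.com"},
]

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged behaviour to the command lines that triggered it."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for tag in classify(ev):
            out.setdefault(tag, []).append(ev["cmdline"])
    return out

if __name__ == "__main__":
    for tag, cmds in triage(SAMPLE_EVENTS).items():
        print(tag, "->", cmds)
```

Real deployments would key on process-creation and network events from the EDR rather than these dictionaries, and should baseline legitimate Java tooling that talks to Microsoft 365 before alerting on the cloud rule.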

IoC:



Full Research: https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2