Graph: Growing number of threats leveraging Microsoft API

Threat actors are increasingly using the Microsoft Graph API to establish command-and-control channels via Microsoft OneDrive. The report traces a lineage of campaigns—from BirdyClient in Ukraine to Vedalia, Harvester, Graphite, SiestaGraph, Graphican, and GraphStrike—demonstrating a growing trend of cloud-based C2 infrastructure. hashtags: #BirdyClient #APT28

Keypoints

  • The Microsoft Graph API is being exploited to enable C2 communications through OneDrive and other Microsoft cloud services.
  • The BirdyClient malware in Ukraine uses Graph API to upload/download data via OneDrive, with a file named vxdiff.dll linked to Apoint driver software.
  • Graphite campaigns began with a spear-phishing Excel downloader delivering a remote code execution exploit (CVE-2021-40444), then installed Graphite and PowerShell Empire.
  • SiestaGraph (ASEAN target) and Graphican (Flea/APT15/Nickel) demonstrate ongoing adoption of Graph API for C2 across multiple regions and groups.
  • Attackers view Graph API traffic as inconspicuous and inexpensive infrastructure, likely to see increasing adoption as awareness grows.

MITRE Techniques

  • [T1567.002] Exfiltration to Cloud Storage – Malware uses the Graph API and OneDrive as a C&C mechanism to upload and download files from it. “The main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it.”
  • [T1566.001] Phishing: Spearphishing Attachment – Campaigns began with spear-phishing emails that delivered an Excel downloader containing a remote code execution exploit (CVE-2021-40444). “Attacks began with spear-phishing emails that delivered an Excel downloader containing a remote code execution exploit (CVE-2021-40444).”
  • [T1059.001] PowerShell – PowerShell Empire was delivered as a secondary payload after Graphite. “followed by Graphite and a secondary payload—PowerShell Empire.”
  • [T1036] Masquerading – The malware’s file name vxdiff.dll was the same as a legitimate DLL associated with an application called Apoint (apoint.exe). “Its file name—vxdiff.dll—was the same as a legitimate DLL associated with an application called Apoint (apoint.exe), which is driver software for Alps pointing devices…”
  • [T1574.002] DLL Side-Loading – There is uncertainty whether the malware was being sideloaded by Apoint. “Whether the malware was simply masquerading as a legitimate file or whether it was being sideloaded by Apoint remains unknown.”
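The two defender-side checks that follow from the keypoints and the technique list above are (1) matching file hashes against the SHA-256 indicators listed on this page and (2) flagging connections to the Microsoft Graph API from processes that have no business using it. The following triage helper is an added example, not code from the Symantec report or from the page: the key=value event format, the sample events and the allowlist of first-party Graph clients are constructed assumptions for illustration; graph.microsoft.com is the public Microsoft Graph endpoint, and the hashes are the ones from the IoC list.

```python
import re

# SHA-256 hashes copied from the Indicators of Compromise list on this page.
IOC_SHA256 = {
    "afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e": "BirdyClient",
    "5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6": "Bluelight",
    "470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3": "Graphon",
    "f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231": "Graphite",
    "4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5": "Graphican",
    "a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8": "Graphican",
    "02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5": "Graphican",
    "1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf": "SiestaGraph",
    "fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb": "SiestaGraph",
    "7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950": "SiestaGraph",
}

# Public Microsoft Graph API host that the families above use for OneDrive-based C2.
GRAPH_HOST = "graph.microsoft.com"

# Assumption: process images that are expected to talk to the Graph API in this
# (hypothetical) environment. Tune this allowlist per estate; it is illustrative only.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "teams.exe", "ms-teams.exe", "outlook.exe",
                          "msedge.exe", "chrome.exe"}

# Assumed EDR/proxy event format: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage_event(ev):
    """Return a list of (reason, detail) findings for a single parsed event."""
    findings = []
    sha = ev.get("sha256", "").lower()
    if sha in IOC_SHA256:
        findings.append(("ioc_hash_match", IOC_SHA256[sha]))
    image = ev.get("image", "")
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    dest_host = ev.get("dest", "").split(":")[0].lower()
    if dest_host == GRAPH_HOST and basename not in EXPECTED_GRAPH_CLIENTS:
        findings.append(("graph_api_from_unexpected_process", basename))
    return findings


def triage(lines):
    """Run both checks over raw event lines and return findings with host/pid context."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        for reason, detail in triage_event(ev):
            results.append({"host": ev.get("host"), "pid": ev.get("pid"),
                            "image": ev.get("image"), "reason": reason, "detail": detail})
    return results


# Constructed sample events (not real telemetry). Event 1 is benign OneDrive traffic,
# event 2 is Graph API traffic from an unexpected binary, event 3 is a module load
# whose hash is the BirdyClient IoC, event 4 is an unrelated benign load.
SAMPLE_EVENTS = [
    r'2024-05-03T10:15:22Z host=WS01 pid=4412 image="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" dest=graph.microsoft.com:443 sha256=1111111111111111111111111111111111111111111111111111111111111111',
    r'2024-05-03T10:16:02Z host=WS01 pid=5120 image="C:\Windows\Temp\update.exe" dest=graph.microsoft.com:443 sha256=2222222222222222222222222222222222222222222222222222222222222222',
    r'2024-05-03T10:17:40Z host=WS02 pid=1988 image="C:\Program Files\Apoint\apoint.exe" loaded="C:\Program Files\Apoint\vxdiff.dll" sha256=afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e',
    r'2024-05-03T10:18:05Z host=WS02 pid=2044 image="C:\Windows\System32\svchost.exe" loaded="C:\Windows\System32\ntdll.dll" sha256=3333333333333333333333333333333333333333333333333333333333333333',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hash check is only as good as the IoC list, so the process-based check matters more for the families the page says are still evolving: the Graph API is legitimate traffic in almost every Microsoft 365 tenant, and the signal is which process originates it, not the destination itself. In practice the allowlist should be derived from a baseline of observed first-party clients rather than hand-typed.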

Indicators of Compromise

  • [File Hash] BirdyClient – afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e
  • [File Hash] Bluelight – 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6
  • [File Hash] Graphon – 470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3
  • [File Hash] Graphite – f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231
  • [File Hash] Graphican – 4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5
  • [File Hash] Graphican – a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8
  • [File Hash] Graphican – 02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5
  • [File Hash] SiestaGraph – 1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf
  • [File Hash] SiestaGraph – fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb
  • [File Hash] SiestaGraph – 7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950
  • [File Name] vxdiff.dll – associated with Apoint (apoint.exe)
  • [File Name] apoint.exe – driver software for Alps pointing devices

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats