Threat Actors Use Microsoft OneDrive for Command-and-Control in Attack Campaign

Signs hint at Russia's APT28, aka Fancy Bear, being behind the attacks, according to new research.


In what's believed to be the first known use of the tactic, an advanced persistent threat actor is leveraging Microsoft OneDrive services for command-and-control (C2) purposes in a sophisticated cyberespionage campaign aimed at high-ranking government and defense industry officials of a West Asian nation.

Researchers from Trellix who have been tracking the campaign have attributed it with a low to moderate degree of confidence to APT28, aka Fancy Bear, a threat actor that the US government previously has linked to Russia's military intelligence service. Trellix's analysis of data related to the campaign shows that the threat actors also have their sights on defense and government entities in Poland and other Eastern European nations.

The infection chain for the multistage, likely APT28 campaign that Trellix observed began like many other APT campaigns — with the execution of a malicious Excel file likely sent to the target via a phishing email. The file contained an exploit for CVE-2021-40444, a critical remote code execution vulnerability in MSHTML or "Trident," Microsoft's proprietary browser engine. The vulnerability was a zero-day flaw — meaning no patch was available for it — when Microsoft disclosed it last September amid reports of active exploit activity.

The threat actor's exploit for the MSHTML flaw resulted in a malicious dynamic link library (DLL) file executing in the compromised system's memory and downloading a third-stage malware component that Trellix has dubbed "Graphite." The security vendor's analysis of Graphite showed it to be using Microsoft OneDrive accounts as a C2 server via the Microsoft Graph API — a Web application programming interface for accessing Microsoft Cloud services. 

Trellix found the Graphite malware itself was a DLL executable based on the Empire open source, post-exploitation remote administration framework, designed to run entirely in memory and never be written to disk. The malware was part of a multistage infection chain that finally resulted in an Empire agent being downloaded on the compromised system and being used to control it remotely.

Christiaan Beek, lead scientist at Trellix, says the threat actor's new C2 mechanism using a cloud service was an interesting move and something the company's researchers have not observed before. "Using Microsoft OneDrive as a command-and-control server mechanism was a surprise, a novel way of quickly interacting with the infected machines," he says. 

The tactic allowed attackers to drag encrypted commands into the victim’s folders. OneDrive would then sync with the victim’s machines and the encrypted commands would be executed, after which any requested information would be encrypted and sent back to the OneDrive of the attacker, Beek says.

Ties to Russia's APT28
The multistage attack and the way it was executed were designed to make it hard for defenders to spot what was going on. Even so, organizations with properly configured detection systems should be able to spot malicious activity. "Although all kinds of living-off-the-land techniques are being used to stay below the radar, attackers need to communicate with systems internally and execute commands that should trigger properly configured XDR technology," Beek says.
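
The check below is an added example, not code from the article or from Trellix: it flags processes outside an expected baseline that repeatedly contact the Microsoft Graph API endpoint, the channel Graphite is described as using for C2. The log format, host names, process names and the baseline set are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Microsoft Graph API endpoint; OneDrive file operations made via Graph go here.
GRAPH_HOSTS = {"graph.microsoft.com"}

# Assumption: processes this environment expects to call Graph. Site-specific;
# derive it from your own baseline. Matching on file name alone does not catch
# a renamed binary, so pair it with path or signer checks where available.
EXPECTED_IMAGES = {"onedrive.exe", "teams.exe", "outlook.exe"}

# Constructed sample of process network-connection telemetry:
# time, host, process image, destination hostname. Not data from the campaign.
SAMPLE_LOG = r"""
2024-01-15T08:00:01Z,WS-014,C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe,graph.microsoft.com
2024-01-15T08:03:10Z,WS-014,C:\Windows\System32\rundll32.exe,graph.microsoft.com
2024-01-15T08:23:11Z,WS-014,C:\Windows\System32\rundll32.exe,graph.microsoft.com
2024-01-15T08:43:12Z,WS-014,C:\Windows\System32\rundll32.exe,graph.microsoft.com
2024-01-15T09:00:00Z,WS-020,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,graph.microsoft.com
2024-01-15T09:05:00Z,WS-020,C:\Windows\System32\svchost.exe,login.microsoftonline.com
"""


def unexpected_graph_clients(log_text, expected=EXPECTED_IMAGES, min_hits=2):
    """Return {(host, image_name): hits} for processes outside the baseline
    that contacted the Graph API at least min_hits times."""
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # blank or malformed line
        _ts, host, image, dest = (field.strip() for field in row)
        if dest.lower().rstrip(".") not in GRAPH_HOSTS:
            continue  # only Graph API traffic is of interest here
        name = PureWindowsPath(image).name.lower()
        if name not in expected:
            hits[(host, name)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (host, image), n in sorted(unexpected_graph_clients(SAMPLE_LOG).items()):
        print(f"{host}: {image} contacted Graph API {n} times (not in baseline)")
```
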

Lure documents and other telemetry associated with the APT28 campaign showed the attacker was interested in government and military targets. One document for instance was named "parliament_rew.xlsx" and appears to have been aimed at employees working for the government of the targeted country. Another had a name and contained text pertaining to military budgets for 2022 and 2023.

Trellix's researchers were able to identify two host computers that were used in APT28's attacks. One of the hosts had an IP address that resolved to Serbia while the other appeared to be based in Sweden. Trellix found the C2 server with the Serbian IP address was used to host the exploit for the MSHTML vulnerability and installation data for the second-stage DLL. The server in Sweden, meanwhile, served as a host for the Empire server framework for remotely controlling agents installed in compromised systems. 

Trellix's analysis shows that preparations for the attack began in July 2021 and the attacks themselves happened between September and November 2021. The timing of the campaign coincided with a period of political tensions around the Armenian and Azerbaijani border, which means the attacks were likely geopolitically motivated, Trellix said. The security vendor said it has informed victims of the attacks and provided information to them on how to remove all known attack components from their network.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
