Exploiting Trust: How Cybercriminals Use Microsoft Graph API for Stealthy Command-and-Control Operations

Cybersecurity researchers at the Symantec Threat Hunter Team, part of Broadcom, have noticed a troubling trend where multiple hacking collectives, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig, are increasingly exploiting Microsoft Graph API for malicious activities. These groups have been using Microsoft’s cloud services, like OneDrive, to host their command-and-control (C2) infrastructure, effectively blending their malicious traffic with legitimate network activities to avoid detection. This technique not only helps them stay under the radar but is also cost-effective since basic accounts for services like OneDrive are free.

The first known abuse of Microsoft Graph API dates back to June 2021, involving a custom implant known as Graphon, which was later adopted by other groups. By June 2022, this method gained significant momentum among nation-state-aligned hacking groups targeting organizations worldwide, including an unnamed organization in Ukraine hit by a novel malware dubbed BirdyClient.

These attacks typically involve deploying malware as a DLL file, such as vxdiff.dll (which shares its name with a legitimate DLL associated with an application called Apoint, apoint.exe), designed to connect to Microsoft Graph API and manage data exchanges via OneDrive, enabling attackers to upload and download files discreetly. The exact method of delivering these malicious DLLs, possibly DLL side-loading, remains somewhat unclear.

Symantec and other cybersecurity firms emphasize the increasing use of legitimate cloud services by attackers to conduct espionage operations effectively and subtly. The adoption of cloud services for malicious purposes is not just limited to isolated cases but has become a favored approach among cybercriminals and state-sponsored hackers alike. They utilize these trusted platforms because they blend in with legitimate traffic, leveraging the built-in trust and widespread use of these services across corporate environments. This camouflage provides a perfect cover for conducting surveillance and stealing sensitive information without raising suspicion.

Given this context, it becomes imperative for organizations to ramp up their cloud security measures. One of the primary steps includes enhancing the monitoring of cloud platforms. Companies need to implement advanced security tools that can detect anomalous activities and patterns that deviate from normal usage, indicating possible breaches or misuse of the cloud services.
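One concrete form such monitoring can take is an allowlist check over endpoint egress telemetry: any process that is not a sanctioned Graph/OneDrive client yet reaches a Graph or OneDrive data endpoint is flagged, with its upload and download volumes summarised. The following is an added example, not code from the original article or from Symantec; the CSV input, the host names, the sanctioned-process list and the use of apoint.exe (the application the article names in connection with the vxdiff.dll side-loading case) as the suspicious process are all constructed for illustration.

```python
"""Detection sketch: flag processes that reach Microsoft Graph / OneDrive data
endpoints without being on the organisation's sanctioned-client list.

Input is a constructed CSV of egress events in the shape an EDR or proxy
might export:  timestamp,host,user,process,dest_host,bytes_out,bytes_in
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Graph / OneDrive data endpoints. Assumption: a starting list that a real
# deployment would extend from the tenant's own traffic baseline.
GRAPH_DATA_HOSTS = {"graph.microsoft.com", "onedrive.live.com"}
GRAPH_DATA_SUFFIXES = ("-my.sharepoint.com",)

# Assumption: the processes this organisation has sanctioned to use Graph/OneDrive.
SANCTIONED_PROCESSES = {"outlook.exe", "onedrive.exe", "msedge.exe", "teams.exe"}

# Constructed sample telemetry: alice's Outlook and OneDrive clients are expected;
# apoint.exe talking to graph.microsoft.com with a large upload is not.
SAMPLE_LOG = """timestamp,host,user,process,dest_host,bytes_out,bytes_in
2024-05-02T09:14:03Z,WS-0123,alice,outlook.exe,graph.microsoft.com,2100,40210
2024-05-02T09:14:09Z,WS-0123,alice,OneDrive.exe,contoso-my.sharepoint.com,52000,1200
2024-05-02T09:20:44Z,WS-0123,alice,apoint.exe,login.microsoftonline.com,900,3100
2024-05-02T09:20:45Z,WS-0123,alice,apoint.exe,graph.microsoft.com,1300,600
2024-05-02T09:21:10Z,WS-0123,alice,apoint.exe,graph.microsoft.com,48000,120
2024-05-02T09:30:00Z,WS-0456,bob,msedge.exe,graph.microsoft.com,700,9000
2024-05-02T09:31:00Z,WS-0456,bob,notepad.exe,example.com,100,200
"""


@dataclass
class Event:
    ts: str
    host: str
    user: str
    process: str
    dest: str
    bytes_out: int
    bytes_in: int


@dataclass
class Alert:
    host: str
    user: str
    process: str
    connections: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    destinations: set[str] = field(default_factory=set)

    @property
    def reason(self) -> str:
        # Two-way transfer matches the upload/download channel the article describes.
        direction = "upload+download" if self.bytes_out and self.bytes_in else "one-way"
        return (f"unsanctioned process {self.process} on {self.host} ({self.user}) reached "
                f"Graph/OneDrive {self.connections}x: {direction}, "
                f"{self.bytes_out}B out / {self.bytes_in}B in")


def is_graph_data_endpoint(host: str) -> bool:
    """True for Graph / OneDrive data hosts; the login endpoint is deliberately
    excluded because almost every Microsoft client authenticates there."""
    host = host.lower().rstrip(".")
    return host in GRAPH_DATA_HOSTS or host.endswith(GRAPH_DATA_SUFFIXES)


def parse_events(text: str) -> list[Event]:
    reader = csv.DictReader(io.StringIO(text))
    return [Event(r["timestamp"], r["host"], r["user"], r["process"].lower(),
                  r["dest_host"], int(r["bytes_out"]), int(r["bytes_in"]))
            for r in reader]


def find_unsanctioned_graph_clients(events: list[Event],
                                    sanctioned: set[str] = SANCTIONED_PROCESSES) -> list[Alert]:
    """Aggregate Graph/OneDrive traffic per (host, user, process) for processes
    outside the allowlist, largest uploader first."""
    alerts: dict[tuple[str, str, str], Alert] = {}
    for e in events:
        if not is_graph_data_endpoint(e.dest) or e.process in sanctioned:
            continue
        key = (e.host, e.user, e.process)
        a = alerts.setdefault(key, Alert(*key))
        a.connections += 1
        a.bytes_out += e.bytes_out
        a.bytes_in += e.bytes_in
        a.destinations.add(e.dest)
    return sorted(alerts.values(), key=lambda a: -a.bytes_out)


if __name__ == "__main__":
    for alert in find_unsanctioned_graph_clients(parse_events(SAMPLE_LOG)):
        print(alert.reason)
```

The allowlist is the key design choice: Graph traffic itself is normal in any Microsoft 365 estate, so the signal is not the destination but the combination of an unexpected client process and a data endpoint. In production the process identity should come from a signed-binary path or hash rather than the bare file name, since a side-loaded DLL runs inside a legitimately named host process; correlating with a module-load event for the DLL would close that gap.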

Furthermore, organizations must ensure strict access controls are in place. This involves verifying that all cloud access is limited to officially sanctioned accounts and immediately revoking permissions that are no longer required or that appear suspicious. Such controls help in minimizing the risk of unauthorized access and potential data breaches.

Additionally, enterprises should consider conducting regular audits of their cloud environments to ensure compliance with security policies and to detect potential vulnerabilities that could be exploited by attackers. Training employees on the importance of cloud security and the dangers of unsanctioned cloud usage is also critical in fostering a more secure and aware organizational culture.

Overall, this trend reflects a broader shift in cyber espionage tactics, where attackers capitalize on trusted, widely used services to carry out their missions, complicating detection and response for targeted organizations and cybersecurity defenders alike.