Nation-state threat actors, like UNC5330, are using cloud services such as Microsoft OneDrive, Microsoft Mail, and Google Drive to conduct their operations. These services provide a cost-effective means of operation while concealing the attackers’ identities.
Researchers identified three campaigns that used Microsoft’s and Google’s cloud services as part of their attack strategies. These attacks are also part of a broader trend in which attackers increasingly adopt cloud-based infrastructure for command-and-control (C2), allowing them to blend with legitimate traffic and reduce the likelihood of being flagged by security systems.
In one such campaign analysis, researchers discovered a new backdoor, GoGra (Trojan.GoGra), deployed against a media organisation in South Asia in November 2023. The backdoor is written in the Go programming language and abuses the Microsoft Graph API, Microsoft's interface for accessing resources hosted on its cloud services.
The backdoor communicates with a C2 server hosted on Microsoft Mail services, utilising OAuth tokens for authentication.
GoGra's modus operandi involves reading specific Outlook messages, decrypting their content with AES-256, and executing the resulting commands via the cmd.exe input stream. The backdoor then encrypts the output and sends it back to the attacker, making it an effective tool for espionage activities.
Researchers believe that GoGra was developed by the Harvester group, a nation-state-backed actor previously identified in 2021. This group has a history of targeting organisations in South Asia. GoGra shares several characteristics with a known Harvester tool called Graphon, albeit with notable differences in programming language and command structure.
“GoGra is functionally similar to a known Harvester tool called Graphon, written in .NET,” explained researchers. “Aside from the different programming languages used, Graphon used a different AES key (juBvYU7}33Xq}ghO), did not contain the extra “cd” command, and did not have a hardcoded Outlook username to communicate with. The username was instead received from the C&C server.”
In another alarming case, the Firefly espionage group deployed a novel exfiltration tool against a military organisation in Southeast Asia. This tool, a Python-wrapped Google Drive client, was configured to search for .jpg files in the System32 directory and upload them to Google Drive using a hardcoded refresh token.
However, as researchers found out, many of the exfiltrated files were not traditional image files but encrypted RAR archives containing sensitive documents, meeting notes, and other critical data.
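The disguised archives described above are a concrete thing a defender can check for: a file carries a `.jpg` name but its first bytes are a RAR signature rather than a JPEG header. The following script is an added example (not code from the original report or the researchers); it builds a constructed sample directory with illustrative file names and contents, then walks it and reports every image-named file whose header does not match the format its extension claims.

```python
"""Flag files whose extension disagrees with their content (magic bytes).

Added example, not from the original report. The sample directory and its
files are constructed here so the script runs offline; the paths, names and
byte contents are illustrative only.
"""
import tempfile
from pathlib import Path

# Leading bytes that identify common container formats (well-known signatures).
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],  # RAR4, RAR5
    "zip": [b"PK\x03\x04"],
}

# The format each image extension is expected to carry.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def detect_format(header: bytes):
    """Return the signature name matching the file header, or None if unknown."""
    for name, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return name
    return None


def find_extension_mismatches(root, extensions=(".jpg", ".jpeg", ".png")):
    """Walk `root` and return (relative_path, extension, detected_format) for
    every file whose extension is in `extensions` but whose header is not that
    format. A None detected_format means no known signature was recognised."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext not in extensions:
            continue
        with open(path, "rb") as fh:
            header = fh.read(16)
        detected = detect_format(header)
        if detected != EXPECTED[ext]:
            findings.append((str(path.relative_to(root)), ext, detected))
    return findings


def build_sample_dir():
    """Constructed sample tree: two genuine images, two RAR archives renamed to
    .jpg (as in the Firefly case), and one .jpg with no recognisable header."""
    d = Path(tempfile.mkdtemp(prefix="magic-check-"))
    (d / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (d / "notes.jpg").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)  # RAR5 disguised
    (d / "sub").mkdir()
    (d / "sub" / "meeting.jpg").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)  # RAR4 disguised
    (d / "sub" / "unknown.jpg").write_bytes(b"\x00" * 32)  # no recognised signature
    return str(d)


if __name__ == "__main__":
    sample = build_sample_dir()
    for rel, ext, fmt in find_extension_mismatches(sample):
        print(f"MISMATCH {rel}: extension {ext} but content looks like {fmt or 'unknown'}")
```

Run it as-is to see the three mismatches from the constructed tree; point `find_extension_mismatches` at a real directory (for instance one that a DLP or EDR alert named) to apply the same check to actual files. Only the first 16 bytes are read per file, so it is cheap to run over large trees, and unrecognised headers are reported rather than silently accepted.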
Another significant finding is the deployment of a new backdoor named Grager (Trojan.Grager) against organisations in Taiwan, Hong Kong, and Vietnam. Disguised as a legitimate 7-Zip installer, Grager uses the Microsoft Graph API to communicate with a C2 server hosted on Microsoft OneDrive.
Researchers observed that the Grager backdoor was distributed via a typo-squatted URL mimicking the popular 7-Zip software. Once installed, it executes commands to retrieve machine information, download or upload files, and gather file system details.
Cybersecurity experts have tentatively linked this attack to a group known as UNC5330, which is associated with Chinese espionage activities. The group has a history of exploiting VPN vulnerabilities to access sensitive systems.
Researchers uncovered additional tools, such as MoonTag, which is still nascent. Preliminary analysis suggests that MoonTag may also be associated with a Chinese-speaking threat actor, but the lack of complete samples has made definitive attribution challenging.
Another backdoor, Onedrivetools, has been observed targeting IT services in the United States and Europe. This multi-stage malware communicates with a OneDrive C2 server, signalling new infections and executing commands from files hosted on the cloud service.
“Although leveraging cloud services for command and control is not a new technique, more and more attackers have started to use it recently,” cautioned researchers.
Cybersecurity experts have advised users and organisations to block cloud services that are not in common use within the organisation, monitor and profile network traffic, apply application whitelisting, and activate host-based and cloud-based audit logs.
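"Monitor and profile network traffic" is the recommendation that most directly catches the channels described in this article, because every one of them needs a process on the host to reach the Graph or Google API endpoints. The script below is an added example, not code from the article or the researchers: it learns, from a known-good window of connection logs, which processes normally talk to those endpoints, then flags any process that appears against them for the first time. The log lines are constructed in a simple space-separated form (timestamp host process destination) standing in for whatever proxy or EDR export is available; the host names, process names and the endpoint list are illustrative assumptions.

```python
"""Profile outbound connections to cloud API endpoints and flag processes that
newly start talking to them.

Added example, not part of the original article. Log lines are constructed in
a simple space-separated form (timestamp host process destination); the host
and process names and the endpoint list are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Endpoints the cloud-hosted C2 channels in the article depend on (assumed list;
# extend it with whatever SaaS APIs your own environment uses).
CLOUD_API_DOMAINS = (
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "www.googleapis.com",
    "oauth2.googleapis.com",
)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    process: str
    dest: str


def parse_line(line):
    """Parse 'timestamp host process destination'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return Event(*parts)


def is_cloud_api(dest):
    d = dest.lower()
    return any(d == dom or d.endswith("." + dom) for dom in CLOUD_API_DOMAINS)


def build_baseline(lines):
    """Set of (process, destination) pairs seen reaching cloud APIs during a
    known-good window; this is the 'profile' of normal traffic."""
    baseline = set()
    for line in lines:
        ev = parse_line(line)
        if ev and is_cloud_api(ev.dest):
            baseline.add((ev.process.lower(), ev.dest.lower()))
    return baseline


def detect_new_clients(lines, baseline):
    """Return events where a process reaches a cloud API endpoint it was never
    seen using during the baseline window. Non-API traffic is ignored."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if not ev or not is_cloud_api(ev.dest):
            continue
        if (ev.process.lower(), ev.dest.lower()) not in baseline:
            hits.append(ev)
    return hits


def summarise(events):
    """Count flagged events per (host, process, destination) for triage."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev.host, ev.process, ev.dest)] += 1
    return dict(counts)


# Constructed known-good window: mail client, Teams and a browser use the APIs.
BASELINE_LOG = [
    "2024-01-10T08:00:01 ws01 outlook.exe graph.microsoft.com",
    "2024-01-10T08:00:02 ws01 outlook.exe login.microsoftonline.com",
    "2024-01-10T08:05:10 ws02 teams.exe graph.microsoft.com",
    "2024-01-10T09:12:44 ws03 chrome.exe www.googleapis.com",
    "2024-01-10T09:12:45 ws03 chrome.exe example.com",
]

# Constructed detection window: two processes never profiled against these APIs.
DETECT_LOG = [
    "2024-01-11T10:00:01 ws01 outlook.exe graph.microsoft.com",
    "2024-01-11T10:00:30 ws02 updater.exe login.microsoftonline.com",
    "2024-01-11T10:00:31 ws02 updater.exe graph.microsoft.com",
    "2024-01-11T10:01:00 ws03 python.exe oauth2.googleapis.com",
    "2024-01-11T10:01:02 ws03 python.exe www.googleapis.com",
    "2024-01-11T10:02:00 ws03 chrome.exe www.googleapis.com",
    "malformed line",
]

if __name__ == "__main__":
    flagged = detect_new_clients(DETECT_LOG, build_baseline(BASELINE_LOG))
    for key, n in summarise(flagged).items():
        print(f"NEW CLOUD API CLIENT host={key[0]} process={key[1]} dest={key[2]} count={n}")
```

The baseline should come from a window you trust and should be keyed per host or per user in a large estate, since an unfamiliar process against `graph.microsoft.com` on one workstation is a much stronger signal than the same pair seen fleet-wide. Pair this with application whitelisting, which the article also recommends, so that the flagged process can be blocked rather than merely noticed.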