Threat actors are increasingly abusing the Microsoft Graph API in order to evade detection.
This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, wrote in a report shared with The Hacker News.
Since January 2022, various nation-state-aligned hacking groups have been seen abusing the Microsoft Graph API for C&C. These include threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.
The first known instance of Microsoft Graph API abuse, before its wider adoption, dates back to June 2021, in connection with an activity cluster called Harvester that was detected using a custom implant known as Graphon, which used the API to communicate with Microsoft infrastructure.
Symantec claimed it recently observed the use of the same technique against an unnamed firm in Ukraine, which entailed the deployment of a previously unreported piece of malware dubbed BirdyClient (aka OneDriveBirdyClient).
The malware is a DLL file named "vxdiff.dll," the same name as a legitimate DLL associated with an application called Apoint ("apoint.exe"). It is designed to connect to the Microsoft Graph API and use OneDrive as a C&C server, uploading files to it and retrieving files from it.
How the DLL is distributed, and whether it relies on DLL side-loading, is not yet known. There is also no information on who the threat actors are or what their ultimate intentions are.
"Attacker communications with C&C servers can often raise red flags in targeted organizations," Symantec stated. "The Graph API's popularity among attackers may be influenced by the idea that traffic to known entities, such as commonly utilized cloud services, is less likely to raise suspicions.
"In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free."
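Because the traffic goes to a trusted Microsoft hostname, the useful signal for defenders is which process on the endpoint is talking to Graph, and whether it is using the OneDrive file upload/download endpoints. The following is an added example (not code from the report or from Symantec) that scores constructed endpoint telemetry on exactly those points; the process allowlist, the log format and the score weights are assumptions to be tuned per environment, while the DriveItem content paths are Graph's documented OneDrive endpoints.

```python
from dataclasses import dataclass

GRAPH_HOST = "graph.microsoft.com"
# Assumed allowlist: images expected to call Graph on a managed workstation. Tune per estate.
EXPECTED_IMAGES = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe", "winword.exe", "excel.exe"}

# Constructed sample telemetry (not real logs): one record per outbound HTTPS request,
# with the process image and, where known, the loaded module that issued the request.
SAMPLE_EVENTS = [
    {"host": "WS-041", "process": r"C:\Program Files\Apoint\apoint.exe", "module": "vxdiff.dll",
     "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/tasks.txt:/content"},
    {"host": "WS-041", "process": r"C:\Program Files\Apoint\apoint.exe", "module": "vxdiff.dll",
     "method": "PUT", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/out.dat:/content"},
    {"host": "WS-007", "process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "module": "", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/messages"},
    {"host": "WS-007", "process": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "module": "", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root/children"},
]

@dataclass
class Finding:
    host: str
    image: str
    reasons: str
    score: int

def image_name(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def assess(event: dict):
    """Score one request; return a Finding for suspicious Graph use, else None."""
    url = event["url"]
    host = url.split("/")[2] if "://" in url else ""
    if host != GRAPH_HOST:
        return None                      # only Graph traffic is in scope here
    path = url.split("?", 1)[0]
    image = image_name(event["process"])
    score, reasons = 0, []
    if image not in EXPECTED_IMAGES:
        score += 2; reasons.append(f"unexpected image {image} calling Graph")
    # DriveItem content endpoints (/drive/root:/path:/content, /drive/items/{id}/content)
    # are the raw file upload/download primitives a file-based C2 needs.
    if "/drive" in path and path.endswith("/content"):
        score += 1; reasons.append(f"{event['method']} on OneDrive DriveItem content")
    if event.get("module"):
        score += 1; reasons.append(f"request issued from loaded module {event['module']}")
    return Finding(event["host"], image, "; ".join(reasons), score) if score else None

def hunt(events):
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in map(assess, events) if f is not None]
```

In a real deployment the score threshold and allowlist would be driven by a baseline of which images legitimately call graph.microsoft.com in the estate.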
The finding comes as Permiso detailed how cloud administration commands may be exploited by adversaries with privileged access to execute instructions on virtual machines.
"Most times, attackers leverage trusted relationships to execute commands in connected compute instances (VMs) or hybrid environments by compromising third-party external vendors or contractors who have privileged access to manage internal cloud-based environments," the cloud security firm warned.
"By compromising these external entities, attackers can gain elevated access that allows them to execute commands within compute instances (VMs) or hybrid environments."