Nation-State Hackers Tap Into Google Drive, OneDrive in Asia
Cyberespionage Groups Hosting Malware Infrastructure in Public Cloud Sites

Cybersecurity company Symantec says it uncovered three cyberespionage campaigns that used legitimate cloud services, including Microsoft OneDrive and Google Drive, to host their malware infrastructure and carry out attacks. All three espionage operations targeted victims in East and Southeast Asia.
Symantec said it uncovered three separate cyberespionage campaigns. One campaign involved malicious actors deploying a previously unseen backdoor written in the Go language that uses the Microsoft Graph API to interact with a command-and-control server hosted on Microsoft mail services.
The backdoor, dubbed GoGra by the cybersecurity company, reads messages from an Outlook username "FLU LNU," decrypts the message contents using the AES-256 algorithm, executes commands, encrypts the output and sends it back to the Outlook user. Symantec said the backdoor was possibly deployed by a nation-state hacker group, which it tracks as Harvester, that specifically targets organizations in South Asia.
The Symantec report follows research by software company Enea that found malicious actors using cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2 and IBM Cloud Object Storage to redirect victims to malicious websites to steal their information.
Symantec also found that the FireFly espionage group, believed to be based in China and tracked as Naikon APT by Bitdefender, deployed a previously unseen data exfiltration tool against a military organization in Southeast Asia.
The attackers hosted the exfiltration tool on a publicly available Google Drive client in a Python wrapper and configured it to search for .jpg images in the System32 directory on infected systems. The tool ultimately collected documents, meeting notes, call transcripts, building plans, email folders and accounting data, encrypted them, and uploaded them to Google Drive as RAR files.
The third cyberespionage campaign used a backdoor named Trojan.Grager, which used Graph API to communicate with an attacker-controlled command-and-control server hosted on Microsoft OneDrive.
The attackers, possibly associated with Chinese espionage group UNC5330, used a fake URL for the open-source file archiver 7-Zip to download the Tonerjam malware, which decrypted and executed Trojan.Grager. The backdoor retrieves system information from the host device, executes malicious commands and gathers file system information such as the names of available drives and their size. Symantec said the espionage activity targeted three organizations in Taiwan, Hong Kong and Vietnam in April 2024.
Cybercriminals also used Microsoft OneDrive to host a multi-stage backdoor that authenticates itself using Graph API during the infection stage to evade detection. The campaign, directed against IT services companies in the U.S. and Europe, involved attackers using a variant of the open-source Chinese VPN Free Connect project to connect to an Operational Relay Box network named Orbweaver to obfuscate the origin of the attacks.