Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

Aug. 7, 2024, 11:37 a.m.

Description

In recent times, there has been a notable rise in the exploitation of legitimate cloud services by threat actors, including nation-state groups. Attackers have realized that these services offer low-cost infrastructure and help them evade detection, since communication with trusted platforms may not raise suspicion. Over the past few weeks, Symantec's Threat Hunter Team uncovered three espionage operations utilizing cloud services and discovered evidence of additional tools under development.

Date

Published: Aug. 7, 2024, 11:18 a.m.
Created: Aug. 7, 2024, 11:18 a.m.
Modified: Aug. 7, 2024, 11:37 a.m.

Indicators

Attack Patterns

Backdoor.Graphican

OneDriveTools

Grager

MoonTag

GoGra

BirdyClient

Graphon

Graphite

Harvester

T1585

T1608.002

T1567.002

T1608.001

T1059

CVE-2024-21893

CVE-2024-21887

Additional Information

Virgin Islands, U.S.

Hong Kong

Taiwan

Ukraine