Hackers Leveraging OneDrive Or Google Drive To Hide Malicious Traffic

Aug. 7, 2024, 4:37 p.m.

Description

Cyber threat actors, including nation-state groups, are utilizing legitimate cloud services like Microsoft OneDrive and Google Drive for covert operations. Because traffic to these services blends in with legitimate use of trusted platforms, the activity evades detection, enabling data exfiltration and tool deployment. A new Go-based backdoor, GoGra, employed the Microsoft Graph API for command and control against a South Asian media organization. The Firefly group used a custom Python wrapper for a Google Drive client to exfiltrate sensitive data from a Southeast Asian military. Other malware families, including Trojan.Grager, MoonTag, and OneDriveTools, also leveraged cloud services for command and control infrastructure.

Date

Published: Aug. 7, 2024, 4:11 p.m.
Created: Aug. 7, 2024, 4:11 p.m.
Modified: Aug. 7, 2024, 4:37 p.m.

Indicators


Attack Patterns

Whipweave

Trojan.Grager

OneDriveTools

MoonTag

GoGra

Harvester, Firefly, UNC5330

T1567.002

T1135

T1071.003

T1059.005

T1059.001

T1059.007

T1056.001

T1105

T1219

T1041