State-sponsored hackers like to nest in legitimate cloud services

State-sponsored hackers are increasingly using legitimate cloud services to orchestrate their malicious activities. The reasons? They don’t need their own infrastructure, and all traffic is encrypted by default and flows to and from legitimate domains. This also makes it easier for hackers to move around other people’s networks without being seen.

Symantec made this observation and dedicated a session to it at the Black Hat conference in Las Vegas. Hackers like to create free accounts for cloud services such as Google Drive or Microsoft OneDrive and run their command and control center from there.

Symantec cited several examples, including a backdoor called Onedrivetools that has been used against organizations in the US and Europe. It uses Microsoft’s Graph API for authentication (normally intended for accessing a range of Microsoft services via the cloud) and then downloads and executes a payload in OneDrive. This payload is publicly available on GitHub.

OneDrive as an archive for stolen data

The malware creates a folder in the hackers’ own OneDrive for each newly infected computer. It also uploads a file to this C&C center with each new infection, so the hackers know they have caught another fish in their nets. They can then easily extract files from their victims via OneDrive, which is also used to further distribute malware.
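The behaviour described above (authentication through the Graph API, then a per-victim OneDrive folder used for check-ins and file extraction) is what a defender would want to spot on the endpoint. The following is an added example, not code from the article or from Symantec: it scans constructed endpoint log lines for processes that reach Microsoft Graph or OneDrive endpoints but are not on an allowlist of processes expected to do so, and flags unusually large upload volumes from them. The log format, the allowlist and the byte threshold are assumptions for the sake of illustration.

```python
"""
Hunt for Microsoft Graph / OneDrive traffic from unexpected processes.

Added defender-side example, not the article's or Symantec's code. It assumes
an endpoint log with one event per line: timestamp, host, process name,
destination host and bytes sent. Log lines and allowlist are constructed.
"""
from collections import defaultdict

# Cloud endpoints the article describes as abused: Graph API for
# authentication, OneDrive as the C&C and exfiltration store.
WATCHED_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com", "onedrive.live.com"}

# Assumption: processes a managed workstation is expected to have talking
# to these hosts. Tune this to the environment; it is not from the article.
ALLOWED_PROCESSES = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}

# Constructed sample events: timestamp host process destination bytes_out
SAMPLE_LOG = """\
2024-08-08T10:01:02Z ws-17 onedrive.exe graph.microsoft.com 1240
2024-08-08T10:01:09Z ws-17 updater.exe login.microsoftonline.com 890
2024-08-08T10:01:11Z ws-17 updater.exe graph.microsoft.com 2048
2024-08-08T10:02:30Z ws-17 updater.exe graph.microsoft.com 5242880
2024-08-08T10:03:00Z ws-22 outlook.exe graph.microsoft.com 400
"""


def parse_line(line):
    """Split one whitespace-separated event into a dict."""
    ts, host, proc, dest, out = line.split()
    return {"ts": ts, "host": host, "process": proc.lower(),
            "dest": dest.lower(), "bytes_out": int(out)}


def find_suspicious(log_text, allowed=ALLOWED_PROCESSES, exfil_threshold=1_000_000):
    """Return one finding per (host, process) that is not allowlisted and
    reaches a watched cloud endpoint; add a second reason when the summed
    upload volume crosses exfil_threshold bytes (assumed value)."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dest"] not in WATCHED_HOSTS or ev["process"] in allowed:
            continue
        key = (ev["host"], ev["process"])
        entry = seen.setdefault(key, {"dests": set(), "bytes_out": 0})
        entry["dests"].add(ev["dest"])
        entry["bytes_out"] += ev["bytes_out"]

    findings = []
    for (host, proc), entry in sorted(seen.items()):
        reasons = ["non-allowlisted process reaching Microsoft cloud endpoints"]
        if entry["bytes_out"] >= exfil_threshold:
            reasons.append(f"large upload volume ({entry['bytes_out']} bytes)")
        findings.append({"host": host, "process": proc,
                         "dests": sorted(entry["dests"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['host']} {f['process']} -> {', '.join(f['dests'])}: {'; '.join(f['reasons'])}")
```

The allowlist approach only works where the set of processes legitimately using Graph and OneDrive is known and small; on developer or automation hosts it will be noisy, and a real deployment would key on signed binary identity rather than a file name, which malware can trivially copy.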

Symantec suspects that China is behind these attacks. The hackers used a tunneling tool called Whipweave, which Symantec experts believe is based on the Free Connect VPN developed in China.

Attacks on organizations in Asia

In other attacks, hackers used a backdoor called Grager against organizations in Taiwan, Hong Kong and Vietnam. This attack also used Microsoft’s Graph API and redirected users searching for the 7-Zip compression software to a fraudulent domain via the search engine they used.

There, the victims could download 7-Zip, but as a trojanized version: they inadvertently brought along unwanted guests, including the Grager backdoor. In their analysis, the researchers seem somewhat impressed by this brazen and insidious way of infecting the victims’ systems.

Symantec has published a research paper on these and similar cases. They report that the Grager backdoor may be used by the UNC5330 group, which they suspect has ties to the Chinese government.


By Jasper
