Cybercriminals are increasingly turning to Microsoft Graph API as a tool for conducting malicious activities while evading detection. According to the report, threat actors are leveraging Microsoft Graph API to establish communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.
Since January 2022, several nation-state-aligned hacking groups, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig, have been observed using Microsoft Graph API for C&C purposes.
This trend marks a significant shift in tactics, with the first known instance of Microsoft Graph API abuse dating back to June 2021 in connection with the Harvester activity cluster, which utilized a custom implant called Graphon.
The researcher recently detected the use of this technique against an organization in Ukraine, involving the deployment of a previously undocumented malware called BirdyClient (aka OneDriveBirdyClient).
This malware utilizes a DLL file named “vxdiff.dll,” which masquerades as a legitimate DLL associated with the Apoint application. The DLL connects to the Microsoft Graph API and uses OneDrive as a C&C server to upload and download files.
The distribution method of the DLL file and whether it involves DLL side-loading remain unknown. Similarly, the identity of the threat actors and their ultimate goals are unclear.
The researcher highlighted that attacker communications with C&C servers often raise red flags in targeted organizations. The popularity of the Graph API among attackers may stem from the belief that traffic to well-known entities like OneDrive is less likely to arouse suspicion.
To safeguard against attacks using Microsoft Graph API, ensure your systems are up to date with the latest security patches. Use multi-factor authentication (MFA) to add an extra layer of security to your accounts. Regularly monitor your network for suspicious activity and implement strong security policies. Educate your employees about the importance of cybersecurity hygiene to mitigate the risk of falling victim to these attacks.