Hackers are using Microsoft OneDrive in a multi-stage espionage campaign aimed at high-ranking government officials in Western Asia, according to a new report from Trellix.
Researchers with Trellix named the malware involved “Graphite” because it uses Microsoft’s Graph API to leverage OneDrive as a command and control server. The attack takes advantage of an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory, according to Trellix.
“As seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as a Command and Control through querying the Microsoft Graph API with a hardcoded token in the malware. This type of communication allows the malware to go unnoticed in the victims’ systems since it will only connect to legitimate Microsoft domains and won’t show any suspicious network traffic,” Trellix explained.
Christiaan Beek, lead scientist at Trellix Threat Labs, told ZDNet that he was surprised to see Microsoft OneDrive used as a Command and Control Server mechanism, noting that it was “a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim’s folders.”
“Next OneDrive would sync with the victim’s machines and encrypted commands being executed, whereafter the