Attackers have been increasingly leveraging Microsoft OneDrive and Google Drive to craft sophisticated cyber-attacks. These cloud-based services are popular among nation-state actors for being low profile and cost effective. Because OneDrive and Google Drive are established, trusted services, traffic to them rarely raises suspicion, so attackers who route command-and-control through them can easily evade detection.
Researchers discovered a novel Go-based backdoor, GoGra, deployed against a South Asian media organisation in November 2023. GoGra is written in Go and uses the Microsoft Graph API to communicate with a command-and-control (C2) server hosted on Microsoft’s mail services, so its traffic blends in with legitimate use of those services and is harder to detect. It reads encrypted email commands from a specific Outlook account, decrypts them using AES-256 CBC, and executes them via cmd.exe.
An espionage group named Firefly exfiltrated sensitive data from a Southeast Asian military organisation using a custom Python wrapper around a publicly available Google Drive client. In April 2024, organisations in Asia were targeted by a new backdoor, Trojan.Grager, which used the Graph API to connect to a C&C server on Microsoft OneDrive. Such attacks are often aided by typosquatting, the practice of criminals registering domain names that are slight variations of popular websites, often containing common typos.
Symantec also discovered an under-development backdoor named MoonTag, which leverages code from a public Google Group, and OneDrive Tools, a new backdoor that targets IT service companies. Attackers have also used Whipweave, a tunnelling tool based on Free Connect, to connect to an Orbweaver network, another instance of the growing trend of threat actors using cloud-based command-and-control infrastructure. The festive season is a particularly easy time for attackers, who disguise their lures as festive offers to take advantage of users’ excitement during this period.
The way forward
Best practices to improve security against such types of attacks include:
- Blocking unused cloud services
- Monitoring network traffic
- Restricting cloud service access for non-browser processes
- Enabling host-based and cloud audit logging
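As an added illustration (not code from the original article), the "restrict cloud service access for non-browser processes" and "monitor network traffic" practices above can be turned into a simple detection run over endpoint connection logs. The tab-separated log format, the list of cloud-service hostnames, the browser allow-list and the sample log lines are all constructed assumptions for this example.

```python
from typing import Dict, List, Optional

# Assumed hostnames used by the cloud services discussed above (not from the page).
CLOUD_SERVICE_HOSTS = {
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "onedrive.live.com",
    "www.googleapis.com",
    "drive.google.com",
}
# Processes expected to talk to those hosts; anything else is worth a look.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse an assumed log line: '<timestamp>\t<process path>\t<host>:<port>'."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None  # malformed line: skip rather than crash the pipeline
    host, sep, port = parts[2].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return {"ts": parts[0], "proc": parts[1], "host": host.lower(), "port": port}


def flag_non_browser_cloud_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries where a non-browser process reaches a cloud-service host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        exe = rec["proc"].lower().rsplit("\\", 1)[-1]  # basename of the Windows path
        if rec["host"] in CLOUD_SERVICE_HOSTS and exe not in BROWSERS:
            hits.append(rec)
    return hits


# Constructed sample telemetry, not real log data.
SAMPLE_LOGS = [
    "2024-04-02T09:15:01Z\tC:\\Program Files\\Google\\Chrome\\chrome.exe\tgraph.microsoft.com:443",
    "2024-04-02T09:15:07Z\tC:\\Users\\Public\\update.exe\tgraph.microsoft.com:443",
    "2024-04-02T09:16:11Z\tC:\\Windows\\System32\\cmd.exe\tdrive.google.com:443",
    "2024-04-02T09:16:30Z\tC:\\Program Files\\Microsoft\\Edge\\msedge.exe\tlogin.microsoftonline.com:443",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in flag_non_browser_cloud_access(SAMPLE_LOGS):
        print(f"ALERT {hit['ts']} {hit['proc']} -> {hit['host']}:{hit['port']}")
```

In practice the allow-list would be driven by your own baseline of which processes legitimately use these APIs, and the same rule can feed a proxy or EDR policy that blocks rather than merely alerts.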
Logix’s Check Point Harmony, an AI- and ML-based email security solution, offers a more proactive and dynamic approach to threat detection and prevention, helping organisations stay ahead of cyber threats in an increasingly complex threat landscape.