Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Over the last couple of years, threat actors have been weaponizing the Microsoft Graph API more frequently for malicious activity in an attempt to evade detection more effectively. Bad actors use it to run their C2 communications over legitimate Microsoft cloud services. Beginning in January 2022, multiple nation-state-aligned hacking groups have been observed using the Microsoft Graph API for C&C, including APT28, REF2924, Red Stinger, Flea, APT29, and OilRig. The first known instance of malicious Microsoft Graph API activity appeared in June 2021, 6 months before it became widely adopted as a method of C2 communication; this activity cluster was dubbed Harvester. Symantec has detected the same C2 communication technique against a Ukrainian organization, where it helps the threat actor deliver malware known as BirdyClient. The DLL file is designed to connect to the Microsoft Graph API and use OneDrive as the attacker's C2 server to upload and download files. The Graph API's popularity among attackers is likely because network traffic to legitimate cloud services is less likely to raise suspicion, and services like OneDrive are free and provide a secure source of infrastructure. By compromising external services and third-party vendors, attackers can leverage a trusted relationship to gain privileged access that allows them to execute remote commands.

Security Officer Comments:
Notably, this is the first documentation of BirdyClient being deployed in the wild. Symantec was unable to determine the exact deployment method of the DLL file. It is likely to be DLL sideloading, because the attacker already attempts to evade detection by weaponizing a legitimate application like the Microsoft Graph API. According to MITRE ATT&CK (T1574.002, DLL Side-Loading), “Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.” Therefore, it is logical to assume this threat actor would continue to attempt to obfuscate the remainder of the attack chain.
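To show the detection angle on the behaviour described above (Graph API traffic originating from a process that is not an expected Graph consumer, including a DLL-hosting system binary such as rundll32.exe), here is an added example that is not part of Symantec's report or this bulletin. The Sysmon-style event format, the process allowlist and the file paths are constructed assumptions for illustration.

```python
import json

# Public Graph API host; sovereign clouds use other hosts (not covered here)
GRAPH_HOSTS = {"graph.microsoft.com"}
# Constructed allowlist of processes expected to call Graph in this environment
EXPECTED_IMAGES = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}
# Windows binaries that can host a side-loaded or dropped DLL making network calls
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
STANDARD_DIRS = ("c:\\program files", "c:\\windows\\")

# Constructed Sysmon-style (Event ID 3) network events, one JSON object per line
SAMPLE_LOG = r"""
{"User": "CORP\\alice", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443}
{"User": "CORP\\alice", "Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443}
{"User": "CORP\\bob", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443}
{"User": "CORP\\bob", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "example.com", "DestinationPort": 443}
"""

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding for a Graph-bound connection from an unexpected process, else None."""
    host = (event.get("DestinationHostname") or "").lower()
    if host not in GRAPH_HOSTS:
        return None  # only Graph API traffic is in scope for this hunt
    image = event.get("Image", "")
    name = basename(image)
    reasons = []
    if name in DLL_HOSTS:
        reasons.append("graph traffic from dll-hosting system binary")
    elif name not in EXPECTED_IMAGES:
        reasons.append("graph traffic from process outside the allowlist")
    if not image.lower().startswith(STANDARD_DIRS):
        reasons.append("process image outside standard install locations")
    if not reasons:
        return None
    return {"user": event.get("User"), "image": image, "host": host, "reasons": reasons}

def hunt(log_text):
    """Parse JSON-lines events and return the list of findings in log order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(json.dumps(finding))
```

In a real environment the allowlist should be built from a baseline of which processes normally call Graph, since legitimate Office and Windows components also use it heavily.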

Suggested Corrections:
The Threat Hunter Team at Symantec has published IOCs for Microsoft Graph API abuse activity in their blog post. They have also published a threat bulletin for this activity with the latest protection updates.