Nation-state threat groups are piling on attack techniques seen as successful in exploiting free cloud services.

An increasing number of advanced persistent threat (APT) groups are leveraging cloud-based storage services offered by Microsoft and Google for command and control (C2) and data exfiltration, according to research by Symantec. While the abuse of free cloud services by cybercriminals is not uncommon, new evidence suggests that nation-state cyberespionage actors are increasingly jumping on this trend.

“In the past few weeks alone, Symantec’s Threat Hunter Team has identified three further espionage operations using cloud services and found evidence of further tools in development,” researchers from Broadcom’s Symantec division said in a blog post. Their findings will also be presented today in a talk at the Black Hat USA security conference.

Abusing free cloud services has obvious benefits for attackers. It is a quick and low-cost solution, but more importantly, it offers stealthier communication inside networks. Security products and firewalls are very unlikely to flag connections to widely used services such as Microsoft OneDrive or Google Drive as suspicious, whereas a connection to an unfamiliar IP address in China, for example, might well be flagged.

[For more Black Hat USA coverage, see “Black Hat: Latest news and insights.”]

The technique has drawbacks for an attacker

But this practice can also have significant downsides. For one, the cloud account used for malicious purposes will be suspended as soon as it is identified and reported to the service provider by security researchers, potentially disrupting the operation. By comparison, if researchers discover a private C2 server, all they can do is share its IP address so that security products and security teams can block it, but that takes time, and not all victims will necessarily be protected.
A cloud account can also provide researchers with a wealth of additional information about the operation if the service provider cooperates and shares activity logs from the account and all files stored inside it. This can compromise operational security for the attackers, which is an important consideration, especially for nation-state cyberespionage actors.

However, there are ways to mitigate these shortcomings. For example, attackers could hardcode backup C2 channels into their malware to be used if the primary, cloud-based channel suddenly stops working. They can also use encryption to hide their activities and the exfiltrated files from investigators who gain access to the rogue cloud service account. Such countermeasures are fairly common, making the abuse of cloud services by APTs much more viable.

New malware implants are abusing cloud services

One of the fairly new threats taking advantage of Microsoft services for C2 is a backdoor program called GoGra, written in the Go programming language, which was deployed against a media organization in South Asia in November last year. According to the Symantec team, the backdoor might be an evolution or reimplementation of another backdoor known as Graphon, which is written in .NET and is attributed to a nation-state-backed group that Symantec calls Harvester, which has been targeting organizations in South Asia since 2021.

GoGra uses the Microsoft Graph API to access the Outlook mail service with OAuth access tokens for a username called FNU LNU. The backdoor accesses the Outlook mailbox and reads instructions from email messages with the word “Input” in the subject line. The contents of the messages are encrypted with AES-256, and the malware decrypts them with a hardcoded key.

“GoGra executes commands via the cmd.exe input stream and supports an additional command named cd which changes the active directory,” the Symantec researchers said.
“After the execution of a command, it encrypts the output and sends it to the same user with the subject Output.”

A second APT malware implant leveraging the Microsoft Graph API is called Trojan.Grager, which was used against organizations from Taiwan, Hong Kong, and Vietnam in April. The backdoor was distributed through a trojanized installer for the 7-Zip archive manager, and it uses Microsoft OneDrive instead of Outlook for C2 purposes. The backdoor can download, upload, and execute files and gathers system and machine information.

Many threat actors use similar techniques

There are suspected links between Grager and an APT group Google’s Mandiant team tracks as UNC5330, because the same trojanized 7-Zip installer also dropped a backdoor dubbed Tonerjam that is associated with this group. UNC5330 is described as a “suspected China-nexus espionage actor” and is one of the groups that exploited Ivanti Connect appliances in early 2024.

Another multistage backdoor, called Onedrivetools or Trojan.Ondritols, also uses the Microsoft Graph API to download a second-stage payload from Microsoft OneDrive. This backdoor was used against IT services companies from the US and Europe. Symantec researchers also discovered a threat called BirdyClient in May, used against an organization from Ukraine, which uses OneDrive as a C2 server through the Graph API.

Another new backdoor, dubbed MoonTag, which still appears to be in development and was recently uploaded to VirusTotal, also uses the Microsoft Graph API. The backdoor was likely created by a Chinese threat actor and uses code samples for Graph API communication that were previously shared in a Chinese-language Google Group.

Some groups prefer Google Drive over Microsoft’s file storage service. An example is a previously unreported data exfiltration tool that was used against a military target from Southeast Asia by a cyberespionage group tracked as Firefly.
This tool was written in Python and searched the local computer for JPG image files, then uploaded them to a Google Drive account using an open-source Google Drive client and a hardcoded token.

Other cyberespionage actors have occasionally used free cloud file storage services for C2 in the past, including North Korea’s APT37 (Vedalia) in 2021, Russia’s APT28 (Fancy Bear) in 2022, and China’s APT15 (Nickel) in 2023. However, the number of APT threats adopting this technique has definitely increased over the past year, according to Symantec’s observations.

“The number of actors now deploying threats that leverage cloud services suggests that espionage actors are clearly studying threats created by other groups and mimicking what they perceive to be successful techniques,” the researchers said.
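As an added example (not Symantec's code or anything from the article), the following Python sketch shows how a defender might hunt mailbox activity for the GoGra-style loop described above: one principal, through one app, reading “Input” messages and promptly sending “Output” messages back to the same address. The log schema, addresses and app names are constructed assumptions, not a real audit format.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs; field names are a simplified,
# hypothetical schema, not the Microsoft 365 audit format. The address echoes
# the "FNU LNU" username named in the article but is a placeholder.
SAMPLE_EVENTS = [
    # Self-addressed Input/Output cycles through one OAuth app: the GoGra pattern.
    {"ts": "2023-11-02T09:00:00", "mailbox": "fnu.lnu@example.test", "app": "app-A",
     "op": "MailItemsAccessed", "subject": "Input", "peer": "fnu.lnu@example.test"},
    {"ts": "2023-11-02T09:00:06", "mailbox": "fnu.lnu@example.test", "app": "app-A",
     "op": "Send", "subject": "Output", "peer": "fnu.lnu@example.test"},
    {"ts": "2023-11-02T09:05:00", "mailbox": "fnu.lnu@example.test", "app": "app-A",
     "op": "MailItemsAccessed", "subject": "Input", "peer": "fnu.lnu@example.test"},
    {"ts": "2023-11-02T09:05:04", "mailbox": "fnu.lnu@example.test", "app": "app-A",
     "op": "Send", "subject": "Output", "peer": "fnu.lnu@example.test"},
    # Benign: a person reads a colleague's "Input" mail and replies to it later.
    {"ts": "2023-11-02T10:00:00", "mailbox": "alice@example.test", "app": "Outlook",
     "op": "MailItemsAccessed", "subject": "Input", "peer": "bob@example.test"},
    {"ts": "2023-11-02T11:30:00", "mailbox": "alice@example.test", "app": "Outlook",
     "op": "Send", "subject": "Re: Input", "peer": "bob@example.test"},
]


def find_mailbox_c2_pairs(events, max_gap=timedelta(minutes=2)):
    """Count Input/Output cycles per (mailbox, app).

    A cycle is a read of a message whose subject contains "Input" followed,
    within max_gap, by a send with subject exactly "Output" to the same peer
    through the same app. Returns {(mailbox, app): number_of_cycles}.
    """
    pending = {}  # (mailbox, app, peer) -> time of the last unanswered Input read
    counts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["mailbox"], e["app"], e["peer"])
        t = datetime.fromisoformat(e["ts"])
        if e["op"] == "MailItemsAccessed" and "Input" in e["subject"]:
            pending[key] = t
        elif e["op"] == "Send" and e["subject"] == "Output" and key in pending:
            if t - pending.pop(key) <= max_gap:
                counts[key[:2]] = counts.get(key[:2], 0) + 1
    return counts


def flag_suspicious(events, min_pairs=2):
    """Return (mailbox, app) pairs with at least min_pairs cycles, sorted."""
    pairs = find_mailbox_c2_pairs(events)
    return sorted(k for k, n in pairs.items() if n >= min_pairs)
```

In practice the same cycle test would run over exported mailbox audit records, and a hit is a prompt to review which OAuth application holds the token and whether that consent was ever legitimate.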