State-sponsored hackers are increasingly using legitimate cloud services to run their attacks. The appeal is obvious: they need no infrastructure of their own, all traffic is encrypted by default, and it flows to and from domains that defenders already trust. That also lets them move around inside other people's networks more easily while staying unseen.
Symantec made this observation and dedicated a session to it at the Black Hat conference in Las Vegas. Attackers typically create free accounts with cloud services such as Google Drive or Microsoft OneDrive and run their command-and-control (C&C) operations from there.
Symantec gave several examples, including a backdoor called Onedrivetools, which has been deployed against companies in the U.S. and Europe. It authenticates through Microsoft's Graph API (the interface legitimate applications normally use to reach Microsoft cloud services such as OneDrive), then downloads a second-stage payload from OneDrive and executes it. That payload is publicly available on GitHub.
OneDrive as an archive for stolen data
Once a machine is infected, the malware creates a folder for it in the attackers' own OneDrive and uploads a file there, so every new infection announces itself to the operators: another fish in the net. From then on, OneDrive serves both as the channel for exfiltrating files from the victim and as the means of distributing further malware.
Symantec suspects that China is behind these attacks. In these attacks the hackers also used a tunnelling tool called Whipweave, which the experts at Symantec believe is built on the Chinese-developed Free Connect VPN.
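The pattern described above (a token from Microsoft's login endpoint, then OneDrive folder creation, uploads and downloads through the Graph API) is something a defender can hunt for in endpoint or proxy telemetry, because those requests come from a process that has no business talking to Microsoft's cloud. The following script is an added example and is not part of Symantec's research or of this article. The log format it parses is a constructed, simplified "timestamp host process destination method path" record, not any vendor's real format; the list of processes for which Graph traffic is considered normal is an assumption to be tuned per estate; the Graph paths are the documented OneDrive drive-item routes.

```python
"""Flag unexpected processes talking to Microsoft Graph / OneDrive endpoints.

Added example, not from the article or from Symantec. The log format is a
constructed, simplified endpoint-proxy record:
    <timestamp> <host> <process> <destination-host> <HTTP-method> <path>
"""
import re
from collections import Counter, defaultdict

# Hosts an attacker abusing OneDrive as C2 must contact: the login endpoint
# issues the OAuth token, the Graph endpoint carries the OneDrive operations.
MS_CLOUD_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com"}

# Processes for which Graph traffic is normal on a managed Windows endpoint.
# ASSUMPTION for this example; tune to your own estate.
EXPECTED_PROCESSES = {"onedrive.exe", "outlook.exe", "teams.exe",
                      "msedge.exe", "officeclicktorun.exe"}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample telemetry: WS-101 and WS-310 show benign Microsoft
# clients; WS-204 shows an unknown binary doing the full OneDrive C2 dance.
SAMPLE_LOG = """\
2024-08-08T10:01:02Z WS-101 onedrive.exe login.microsoftonline.com POST /common/oauth2/v2.0/token
2024-08-08T10:01:03Z WS-101 onedrive.exe graph.microsoft.com GET /v1.0/me/drive/root/children
2024-08-08T10:05:10Z WS-204 svchost_upd.exe login.microsoftonline.com POST /consumers/oauth2/v2.0/token
2024-08-08T10:05:11Z WS-204 svchost_upd.exe graph.microsoft.com POST /v1.0/me/drive/root/children
2024-08-08T10:05:12Z WS-204 svchost_upd.exe graph.microsoft.com PUT /v1.0/me/drive/root:/WS-204/beacon.txt:/content
2024-08-08T10:05:20Z WS-204 svchost_upd.exe graph.microsoft.com GET /v1.0/me/drive/root:/WS-204/cmd.bin:/content
2024-08-08T10:06:00Z WS-204 svchost_upd.exe graph.microsoft.com PUT /v1.0/me/drive/root:/WS-204/docs.zip:/content
2024-08-08T10:07:00Z WS-310 outlook.exe graph.microsoft.com GET /v1.0/me/messages
"""


def parse_line(line):
    """Return the record as a dict, or None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Map one request to the step of the OneDrive C2 pattern it represents."""
    dst, method, path = rec["dst"], rec["method"], rec["path"]
    if dst == "login.microsoftonline.com" and path.endswith("/oauth2/v2.0/token"):
        return "token"          # OAuth token request that every Graph call needs
    if dst == "graph.microsoft.com" and "/drive" in path:
        if method == "POST" and path.endswith("/children"):
            return "mkdir"      # create a per-victim folder
        if method == "PUT" and path.endswith("/content"):
            return "upload"     # beacon file or exfiltrated data
        if method == "GET" and path.endswith("/content"):
            return "download"   # fetch a payload or tasking file
    return "other"


def analyse(lines):
    """Group Microsoft-cloud traffic by (host, process) for unexpected processes.

    A (host, process) that both uploads to and downloads from OneDrive is
    marked c2_like: that is the bidirectional beacon/tasking exchange the
    Onedrivetools description implies.
    """
    activity = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["dst"] not in MS_CLOUD_HOSTS:
            continue
        if rec["proc"].lower() in EXPECTED_PROCESSES:
            continue
        activity[(rec["host"], rec["proc"])][classify(rec)] += 1

    findings = []
    for (host, proc), counts in sorted(activity.items()):
        findings.append({
            "host": host,
            "process": proc,
            "counts": dict(counts),
            "c2_like": counts["upload"] > 0 and counts["download"] > 0,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        flag = "C2-LIKE" if f["c2_like"] else "review"
        print(f"{flag:8} {f['host']} {f['process']} {f['counts']}")
```

Running it over the sample prints one C2-LIKE finding for WS-204, whose unknown binary requested a consumer (personal-account) token, created a folder, uploaded twice and downloaded once. The process allowlist is the weak point of this approach: an implant injected into a genuine onedrive.exe would pass, so in practice pair it with the account dimension (a corporate device authenticating to a consumer tenant is itself suspicious) rather than relying on the process name alone.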
Attacks on organizations in Asia as well
In other attacks, hackers used a backdoor called Grager against organizations in Taiwan, Hong Kong and Vietnam. Grager likewise abuses Microsoft's Graph API. Its victims were people searching for the 7-Zip compression tool, whom the search engine they used steered to a rogue domain.
There, victims could indeed download 7-Zip, but trojanized: they unwittingly installed unwanted guests, the Grager backdoor among them. In their analysis, the researchers seem somewhat impressed by this audacious and sneaky way of infecting victims' systems.
Symantec has published a research paper about these and similar cases. They report that the Grager backdoor may be in use by the group UNC5330, which they suspect has ties to the Chinese government.