Symantec’s Threat Hunter Team said it uncovered three new espionage operations using cloud services, along with evidence of further tools in development. Among these is a previously unseen backdoor named GoGra (Trojan.Gogra), deployed against a media organization in South Asia in November 2023. GoGra, written in Go, interacts with a command-and-control (C&C) server hosted on Microsoft mail services through the Microsoft Graph API.
Microsoft Graph API facilitates access to resources hosted on Microsoft cloud services, such as Microsoft 365, using OAuth access tokens for authentication. Analysis indicates that GoGra was likely developed by Harvester, a nation-state-backed group uncovered by Symantec in 2021 that targets organizations in South Asia. GoGra bears some similarities to a known Harvester tool called Graphon, which was written in .NET.
Additionally, Symantec identified a new exfiltration tool deployed by the Firefly espionage group in an attack against a military organization in Southeast Asia. This tool used a publicly available Google Drive client in a Python wrapper to search for and upload .jpg files from the System32 directory to Google Drive. Many of these files were actually encrypted RAR files containing sensitive data, including documents, meeting notes, call transcripts, building plans, email folders, and accounting data.
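Because the exfiltration tool described above relied on a .jpg extension to disguise encrypted RAR archives, a defender can flag files whose content contradicts their extension. The following is an added example written for this article, not Symantec’s or the attackers’ code; the RAR and JPEG magic numbers are the standard format signatures, and the sample directory it scans is constructed in a temporary folder.

```python
import tempfile
from pathlib import Path

# Standard format signatures (first bytes of the file).
RAR_V4 = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archive
RAR_V5 = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive
JPEG = b"\xff\xd8\xff"             # JPEG SOI marker

def classify(header: bytes) -> str:
    """Return the real container type implied by a file's leading bytes."""
    if header.startswith(RAR_V5) or header.startswith(RAR_V4):
        return "rar"
    if header.startswith(JPEG):
        return "jpeg"
    return "unknown"

def find_disguised_archives(root: str) -> list[str]:
    """List .jpg files under root whose content is actually a RAR archive."""
    hits = []
    for path in Path(root).rglob("*.jpg"):
        with open(path, "rb") as f:
            header = f.read(8)  # longest signature above is 8 bytes
        if classify(header) == "rar":
            hits.append(str(path))
    return sorted(hits)

def build_sample_dir() -> str:
    """Constructed sample tree: one genuine JPEG and two RAR files renamed to .jpg."""
    root = tempfile.mkdtemp()
    (Path(root) / "photo.jpg").write_bytes(JPEG + b"\x00" * 16)
    (Path(root) / "report.jpg").write_bytes(RAR_V5 + b"\x00" * 16)
    sub = Path(root) / "sub"
    sub.mkdir()
    (sub / "notes.jpg").write_bytes(RAR_V4 + b"\x00" * 16)
    return root

if __name__ == "__main__":
    # In a real hunt, point this at the directory the tool abused (System32).
    for hit in find_disguised_archives(build_sample_dir()):
        print("disguised RAR archive:", hit)
```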
In another case, a previously unseen backdoor named Trojan.Grager was deployed against organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Grager uses the Graph API to communicate with a C&C server hosted on Microsoft OneDrive and was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.
Grager supports various commands, including retrieving machine information, downloading/uploading files, executing files, and gathering file system information. There are possible links between Grager and a China-linked threat group known as UNC5330.
Symantec also discovered evidence of another developing backdoor called MoonTag (Trojan.Moontag), with several variants uploaded to VirusTotal recently. Additionally, another backdoor named Ondritols (Trojan.Ondritols) has been deployed against IT services companies in the US and Europe. Ondritols is a multi-stage backdoor, with the first stage acting as a downloader that authenticates to Microsoft Graph API and downloads the second stage payload from OneDrive.
In May 2024, Symantec uncovered BirdyClient, malware that communicates with a OneDrive C&C server via the Graph API. BirdyClient was used in an attack against an organization in Ukraine.
Leveraging cloud services for command and control is not a new technique, but its use has become more prevalent. Three years ago, Volexity reported on BlueLight, malware from the North Korea-linked Vedalia espionage group (APT37).
Symantec discovered the Graphon backdoor in October 2021, and the Russian Swallowtail espionage group, known as APT28 or Fancy Bear, adopted this tactic with Graphite malware. In June 2023, Symantec identified Backdoor.Graphican, used by the Flea group (APT15, Nickel) against foreign affairs ministries in the Americas.