Graph: Growing number of threats leveraging Microsoft API

An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.

The technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes.

BirdyClient

The malware found in Ukraine appeared to be named BirdyClient or OneDriveBirdyClient by its developers because references to both names were found in its code. Its file name—vxdiff.dll—was the same as a legitimate DLL associated with an application called Apoint (apoint.exe), which is driver software for Alps pointing devices, usually found in laptops. Whether the malware was simply masquerading as a legitimate file or whether it was being sideloaded by Apoint remains unknown. 

Analysis of the BirdyClient malware (Trojan.BirdyClient) revealed that its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it. The sample also creates the following log file: 

%AllUsersProfile%/{0134AA2C-03BE-448D-8D28-7FFE94EA3A49}/config/001.temp

To date, no related tools have been found. It remains unclear who the developers of the threat are and what their motivation is. 

What is the Graph API?

Graph is a Microsoft API designed to allow developers to access resources hosted on Microsoft cloud services, such as Microsoft 365. Authentication is carried out using OAuth access tokens. 

Graph can be used to access a wide range of data and services such as email, calendar events, files, or devices. Application developers can potentially use it to pull data from one or more Microsoft services and integrate it into their own solutions.

Pioneering usage

BirdyClient is the latest threat seen leveraging the Graph API. The first known usage was by the North Korea-linked Vedalia espionage group (aka APT37), which developed Bluelight, a second-stage payload that could communicate with several different cloud services for C&C purposes. According to Volexity, which discovered Bluelight, the variant it analyzed used the Graph API to communicate with OneDrive. 

In October 2021, Symantec uncovered the Harvester group, a nation-state-backed espionage operation, targeting organizations in South Asia. Its toolset included a custom backdoor called Backdoor.Graphon that used the Graph API to communicate with Microsoft infrastructure for C&C purposes. 

The technique came to further public attention in January 2022, with the discovery of Graphite—malware that used the Graph API to communicate with a OneDrive account that was acting as a C&C server.

Graphite was deployed in a campaign against several governments in Europe and Asia. Attacks began with spear-phishing emails that delivered an Excel downloader containing a remote code execution exploit (CVE-2021-40444). This led to the installation of a second-stage downloader, followed by Graphite and a secondary payload—PowerShell Empire. 

The campaign was eventually linked to the Russian Swallowtail espionage group (aka APT28, Fancy Bear). 

Wider adoption

Other espionage groups appeared to be quick to learn from early users and began leveraging the Graph API in their toolset. In December 2022, Elastic Security documented an intrusion into the Foreign Affairs Office of an ASEAN member. Among the tools deployed was SiestaGraph, which used the Graph API to interact with both OneDrive and Microsoft 365 Mail for C&C purposes. SiestaGraph appears to be in continuous development. In September 2023, Symantec found a new variant of the malware that contained different command identifiers from those originally documented. 

In June 2023, Symantec discovered Backdoor.Graphican, which was being used by the Flea (aka APT15, Nickel) advanced persistent threat (APT) group in an espionage campaign heavily focused on foreign affairs ministries in the Americas. 

Graphican is an evolution of an older Flea backdoor known as Ketrican, which itself was based on a previous malware—BS2005—that was also used by Flea. Graphican has the same functionality as Ketrican, but its new features included the use of the Microsoft Graph API and OneDrive to obtain its C&C infrastructure. 

Others are learning from its use in the wild. For example, penetration-testing firm RedSiege recently announced the development of GraphStrike, a toolset that works with Cobalt Strike to enable the Cobalt Strike Beacon payload to use the Graph API for HTTPS C&C communications.

Appeal for attackers

Attacker communications with C&C servers can often raise red flags in targeted organizations. The Graph API’s popularity among attackers may be driven by the belief that traffic to known entities, such as widely used cloud services, is less likely to raise suspicions. In addition to appearing inconspicuous, it is also a cheap and secure source of infrastructure for attackers since basic accounts for services like OneDrive are free. 

As awareness grows of this tactic, the number of attackers attempting to leverage Graph may grow further.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.

afeaf8bd61f70fc51fbde7aa63f5d8ad96964f40b7d7fce1012a0b842c83273e –BirdyClient

5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6 – Bluelight

470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3 – Graphon

f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 – Graphite

4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5 – Graphican 

a78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8 – Graphican

02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5  – Graphican

1a87e1b41341ad042711faa0c601e7b238a47fa647c325f66b1c8c7b313c8bdf – SiestaGraph 

fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb – SiestaGraph

7fc54a287c08cde70fe860f7c65ff71ade24dfeedafdfea62a8a6ee57cc91950 – SiestaGraph