Hackers are leveraging Microsoft OneDrive in a multi-stage espionage campaign that targets high-ranking government officials in Western Asia. Researchers at Trellix released a report detailing the campaign. The attackers are using a malware that researchers named “Graphite” because it uses Microsoft’s Graph API to turn OneDrive into a command and control server. The attack leverages an MSHTML remote code execution vulnerability that allows the attackers to run a malicious executable in memory.
Trellix reported that the Graphite malware uses a communication channel that lets it go unnoticed on victims’ systems, since it only connects to legitimate Microsoft domains. Trellix stated that its researchers were surprised to see Microsoft OneDrive used as a command and control mechanism. According to Trellix, the attack was successful. The goal of the attackers remains unclear, as the investigation is still in progress. Although the attack was prepared in July 2021, it was not deployed until between September and November 5.
Read More: Trellix finds OneDrive malware campaign targeting gov’t officials in Western Asia