Cybercriminals Hijack Microsoft API for Attacks

Cybercriminals are increasingly using the Microsoft Graph API to manage malicious software and evade detection systems. According to researchers from Symantec, the API is used to facilitate communication with C2 infrastructure hosted on Microsoft’s cloud services.

Since January 2022, experts have observed active use of the Microsoft Graph API by various hacker groups associated with different nation-states, including notable threat actors such as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig.

The first known instance of Microsoft Graph API abuse was recorded in June 2021. At that time, the API’s use was linked to an activity cluster named Harvester, and the attacks employed a specialized implant called Graphon to communicate with Microsoft infrastructure.

Recently, Symantec discovered the use of this same technique against an unspecified organization in Ukraine. In this incident, previously undocumented malware known as BirdyClient (or OneDriveBirdyClient) was employed.

The software module identified during the attack, named “vxdiff.dll”, corresponds to the name of a legitimate DLL associated with the Apoint application (“apoint.exe”). It is designed to connect to Microsoft Graph API and use OneDrive as a C2 server for uploading and downloading files. The method of distributing this DLL file remains unknown, as do the ultimate goals of the cybercriminals.

According to Symantec’s report, the use of Graph API is popular among attackers because traffic to well-known cloud services is less suspicious. Additionally, for criminals, it provides a cost-effective and secure means of acquiring infrastructure, as basic accounts for services like OneDrive are available for free.
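Because the destination itself is trusted, a practical detection keys on which process is talking to Graph rather than on where the traffic goes. The following is an added example, not code from Symantec's report: it scans constructed endpoint network telemetry and reports Graph API connections from processes outside an expected set. The allowlist, signer strings, host names and file paths are assumptions to be replaced with a baseline from your own environment.

```python
from collections import Counter

GRAPH_HOSTS = {"graph.microsoft.com"}  # Microsoft Graph endpoint

# Assumption: (process name, code signer) pairs expected to call Graph here.
# Matching on the name alone is not enough, since a file name can be borrowed
# from legitimate software, as the vxdiff.dll case above shows.
EXPECTED_CLIENTS = {
    ("onedrive.exe", "Microsoft Corporation"),
    ("outlook.exe", "Microsoft Corporation"),
    ("teams.exe", "Microsoft Corporation"),
}

# Constructed sample events, not data from the report:
# (timestamp, host, process image path, code signer, destination host)
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:01Z", "ws-014", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "Microsoft Corporation", "graph.microsoft.com"),
    ("2024-05-02T09:03:10Z", "ws-022", r"C:\ExampleApps\apoint.exe", "Example Vendor", "graph.microsoft.com"),
    ("2024-05-02T09:08:10Z", "ws-022", r"C:\ExampleApps\apoint.exe", "Example Vendor", "graph.microsoft.com"),
    ("2024-05-02T09:13:10Z", "ws-022", r"C:\ExampleApps\apoint.exe", "Example Vendor", "Graph.Microsoft.com."),
    ("2024-05-02T09:20:45Z", "ws-031", r"C:\Users\Public\OneDrive.exe", "", "graph.microsoft.com"),
    ("2024-05-02T09:21:00Z", "ws-022", r"C:\ExampleApps\apoint.exe", "Example Vendor", "example.com"),
]


def image_name(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def unexpected_graph_clients(events, expected=EXPECTED_CLIENTS):
    """Count Graph connections per (host, process, signer) not in the allowlist."""
    counts = Counter()
    for _ts, host, image, signer, dest in events:
        # Normalise case and a trailing root dot before comparing host names.
        if dest.lower().rstrip(".") not in GRAPH_HOSTS:
            continue
        client = (image_name(image), signer)
        if client in expected:
            continue
        counts[(host, *client)] += 1
    return counts.most_common()  # most frequent talkers first


if __name__ == "__main__":
    for (host, proc, signer), n in unexpected_graph_clients(SAMPLE_EVENTS):
        print(f"{host}: {proc} (signer={signer or 'unsigned'}) -> Graph API x{n}")
```

Hits are leads for triage, not verdicts: many legitimate third-party applications call Graph, so the expected set needs tuning before the output is useful.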

The report also notes the potential for abuse of cloud administration commands, which can be utilized by criminals to perform arbitrary actions on virtual machines if they have privileged access.

This is often achieved through the compromise of external contractors or partners who have privileged access to manage internal cloud environments.