Cloud storage lockers from Microsoft and Google used to store and spread state-sponsored malware

Why run your own evil infrastructure when Big Tech offers robust tools hosted at trusted URLs?


Black Hat State-sponsored cyber spies and criminals are increasingly using legitimate cloud services to attack their victims, according to Symantec's threat hunters who have spotted three such operations over recent months, plus new data theft and other malware tools in development by these goons.

The security firm's Marc Elias discussed the different groups, and their favorite cloud platforms, during a Wednesday talk at the Black Hat infosec conference. He told The Register criminals use clouds for many of the same reasons legitimate organizations do, plus the fact that they make it easier to avoid being caught snooping around on victims' networks.

"One of the benefits is the infrastructure costs are zero for the nation-state groups," Elias, a threat hunter at Symantec, explained during an interview on the outskirts of the annual hacker conference in Las Vegas.

"They can create free accounts on Google Drive or Microsoft, and they don't have to pay anything to maintain that infrastructure," he added. "Also, it is difficult to detect these kinds of attacks because the traffic is encrypted, and it's to legitimate domains."

Some of the more recent campaigns include a backdoor that Symantec named “Grager” after spotting it being used against three organizations in Taiwan, Hong Kong and Vietnam in April. This piece of malware used Microsoft's Graph API to communicate with the attacker's command and control server, hosted on Microsoft OneDrive.

The crew behind the Grager backdoor "registered a malicious domain mimicking the real 7-Zip software, and redirected victims to that malicious domain via search engines. So that was a very interesting infection chain – the attackers tried to be very stealthy in that campaign," Elias said.

Symantec's threat intel group published research on Grager and several other nation-state campaigns abusing cloud tools today. With Grager, they noted tentative links to a group known as UNC5330 suspected to have ties to the Chinese government.

The domain hosting Grager – hxxp://7-zip.tw/a/7z2301-x64[.]msi – is a typosquatted URL used to nab folks searching for the real 7-Zip open-source file archiving tool. Once the malware is downloaded, it drops a trojanized version of 7-Zip onto the infected machine, which then installs the real 7-Zip software, a malicious file named epdevmgr[.]dll, Tonerjam malware, and the Grager backdoor.
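The lure above works because a victim searching for 7-Zip lands on a domain that carries the real product name under a different TLD. A defender can hunt for that class of domain in DNS logs before anyone clicks. The following is an added example, not Symantec's tooling and not derived from the Grager sample: it takes a watched brand label, the domains the brand legitimately uses (7-zip.org is the project's real site; everything else, including the hostnames and the log lines, is constructed for the example) and flags queries for the same label under another TLD, one-character lookalikes, and names with the brand embedded. The registrable-domain split is naive (second-to-last label), which is good enough here but mis-parses multi-part public suffixes such as co.uk; use a public suffix list in production.

```python
"""Flag lookalike domains for a watched brand in DNS query logs (added example)."""

# Watched brand label -> domains it legitimately uses.
# Assumption for this example: only 7-zip.org is legitimate for the 7-Zip project.
WATCHED = {"7-zip": {"7-zip.org"}}

# Constructed DNS log: timestamp, querying host, queried name.
SAMPLE_DNS = """\
2024-04-03T10:12:01Z WS-031 7-zip.org
2024-04-03T10:12:44Z WS-031 7-zip.tw
2024-04-03T10:13:02Z WS-040 www.7-zlp.org
2024-04-03T10:13:20Z WS-040 7zip-download.com
2024-04-03T10:14:11Z WS-052 microsoft.com
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _squash(s: str) -> str:
    """Drop hyphens and other punctuation so '7-zip' and '7zip' compare equal."""
    return "".join(ch for ch in s if ch.isalnum())


def classify(qname: str):
    """Return a reason string if qname looks like a brand impersonation, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]  # naive split: assumes a one-label public suffix
    registrable = f"{sld}.{tld}"
    for brand, legit in WATCHED.items():
        if registrable in legit:
            return None                      # the real thing
        if sld == brand:
            return "brand_other_tld"         # e.g. 7-zip.tw
        if edit_distance(sld, brand) == 1:
            return "lookalike_edit"          # e.g. 7-zlp.org, 7zip.org
        if _squash(brand) in _squash(sld) and _squash(sld) != _squash(brand):
            return "brand_embedded"          # e.g. 7zip-download.com
    return None


def hunt_dns(log_text: str):
    """Scan log lines and return (host, qname, reason) for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, qname = line.split()
        reason = classify(qname)
        if reason:
            hits.append((host, qname, reason))
    return hits


if __name__ == "__main__":
    for host, qname, reason in hunt_dns(SAMPLE_DNS):
        print(f"{host}\t{qname}\t{reason}")
```

Running it prints the three constructed impersonations and nothing for 7-zip.org or microsoft.com. The same classifier can be pointed at newly registered domain feeds or at passive DNS, which is where this kind of lure usually shows up first.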

Mandiant previously connected Tonerjam to UNC5330. "And in our telemetry as well, we found the same Tonerjam sample deployed by another benign executable associated by Mandiant to the same group," Elias observed.

According to Elias, in March his team found another backdoor believed to be under development and named "Moon_Tag" by its developer. This malware is based on code published in a Google Group and contains functionality for communicating with the Graph API. Symantec attributed MoonTag to a Chinese-speaking group, based on the Google Group and the infrastructure used.

Even more recently, Symantec spotted a backdoor called Onedrivetools that was deployed against IT services firms in the US and Europe. This software nasty first drops a downloader that authenticates to the Graph API and then downloads and executes a second payload stored in OneDrive. The main payload, however, is a publicly available file from GitHub.

The malware creates a new folder in OneDrive for each compromised computer and uploads a file to OneDrive that alerts the attackers to a new infection. This backdoor also gives the criminals access to victims' files, which are exfiltrated by uploading them to OneDrive for the attackers to download. Microsoft's cloud file sharing tool is also the source of further malware sent to infected machines.
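Elias's point that this traffic is hard to spot because it is TLS to legitimate Microsoft domains is true at the network edge, but the behaviour described above still leaves a shape in endpoint-enriched proxy logs: a process that has no business talking to graph.microsoft.com, a drive path whose first folder is the client's own hostname (one folder per victim), and a fixed-interval poll for tasking. The following hunt is an added example written for this article, not Symantec's detection logic and not based on any Onedrivetools artefact. It assumes the proxy (or EDR) records the originating process image alongside each request, in the tab-separated form shown; the hostnames, the process name svchost-helper.exe, the paths and the allowlist of expected Graph clients are all constructed for the example. The Graph path syntax (`/me/drive/root:/<path>:/content`) is Microsoft's real addressing scheme for OneDrive items by path.

```python
"""Hunt for OneDrive/Graph API command-and-control in process-enriched proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Processes expected to talk to graph.microsoft.com on a managed workstation.
# Assumption for this example; derive yours from your own baseline.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "teams.exe", "outlook.exe", "msedge.exe"}

# Constructed proxy log: timestamp, client host, process image, destination, method, URL path.
SAMPLE_LOG = """\
2024-04-02T09:00:00Z\tWS-017\tOneDrive.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root/children
2024-04-02T09:00:05Z\tWS-017\tsvchost-helper.exe\tlogin.microsoftonline.com\tPOST\t/common/oauth2/v2.0/token
2024-04-02T09:00:06Z\tWS-017\tsvchost-helper.exe\tgraph.microsoft.com\tPUT\t/v1.0/me/drive/root:/WS-017/alive.txt:/content
2024-04-02T09:01:06Z\tWS-017\tsvchost-helper.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root:/WS-017/task.bin:/content
2024-04-02T09:02:06Z\tWS-017\tsvchost-helper.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root:/WS-017/task.bin:/content
2024-04-02T09:03:07Z\tWS-017\tsvchost-helper.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root:/WS-017/task.bin:/content
2024-04-02T09:04:06Z\tWS-017\tsvchost-helper.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root:/WS-017/task.bin:/content
2024-04-02T09:00:30Z\tWS-022\tOneDrive.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root/children
2024-04-02T09:11:12Z\tWS-022\tOneDrive.exe\tgraph.microsoft.com\tPUT\t/v1.0/me/drive/root:/Documents/report.docx:/content
2024-04-02T09:47:03Z\tWS-022\tOneDrive.exe\tgraph.microsoft.com\tGET\t/v1.0/me/drive/root/delta
"""


def parse(log_text: str):
    """Turn the tab-separated sample into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, method, path = line.split("\t")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "proc": proc, "dest": dest,
                       "method": method, "path": path})
    return events


def hunt(events, min_beacons: int = 4, max_cv: float = 0.25):
    """Return findings as tuples; each rule fires at most once per (host, process)."""
    findings = []
    graph = [e for e in events if e["dest"] == "graph.microsoft.com"]

    # Rule 1: a process outside the allowlist talking to Graph at all.
    seen = set()
    for e in graph:
        key = (e["host"], e["proc"])
        if e["proc"].lower() not in EXPECTED_GRAPH_CLIENTS and key not in seen:
            seen.add(key)
            findings.append(("unexpected_graph_client", e["host"], e["proc"]))

    # Rule 2: drive path whose top folder is the client's own hostname
    # (the one-folder-per-victim layout described in the article).
    seen = set()
    for e in graph:
        parts = e["path"].split("root:/", 1)
        if len(parts) == 2 and parts[1].split("/")[0].lower() == e["host"].lower():
            key = (e["host"], e["proc"])
            if key not in seen:
                seen.add(key)
                findings.append(("victim_named_folder", e["host"], e["proc"]))

    # Rule 3: low-jitter polling of Graph, i.e. a beacon checking for tasking.
    by_pair = defaultdict(list)
    for e in graph:
        by_pair[(e["host"], e["proc"])].append(e["ts"])
    for (host, proc), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_beacons:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append(("regular_beacon", host, proc, round(avg, 1)))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample WS-017 trips all three rules (unexpected client, victim-named folder, a 60-second beacon) while WS-022's genuine OneDrive sync, with its irregular timing and a Documents folder, trips none. None of the rules needs TLS interception; they work on metadata the proxy already has once it can attribute a request to a process. Tune the allowlist and the beacon threshold to your fleet before alerting on them.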

Symantec notes that in these attacks, the crew used a tunneling tool – Whipweave – that they suspect is built upon the open source Chinese VPN Free Connect (FCN) project. This connects to the Orbweaver Operational Relay Box (ORB) network to further obfuscate the malicious traffic.

"In these past two years we have seen quite a lot of nation-state APT groups from diverse geographics leveraging cloud services for their campaigns to be stealthy," Elias warned – adding that he only expects this trend to grow, because of the benefits to attackers.

To help network defenders, Symantec has also published a list of indicators of compromise and MITRE tactics, techniques and procedures used by the attackers – so check these out, too. And happy hunting. ®
