A China-aligned threat group has added a new tool, GraphWorm, to its arsenal: a backdoor that abuses Microsoft OneDrive for command-and-control. By routing its communication through a widely trusted cloud service, the malware blends into ordinary traffic and is hard for defenders to single out.
Webworm: The Group Behind GraphWorm
The group known as Webworm has been active since at least 2017 and has expanded its operations from Asia to European countries including Belgium, Italy, Serbia, and Poland. Recent activity also includes the targeting of a university in South Africa, underscoring the group's broadening scope. Webworm has moved on from known backdoors such as McRat and Trochilus to custom-built tools that place a premium on stealth.
WeLiveSecurity, in collaboration with Cyber Security News, unveiled these developments, highlighting Webworm’s shift toward stealthier methods. The group’s toolset now includes GraphWorm, alongside a Discord-based backdoor, Choreerp, indicating a strategic pivot in their approach.
Stealthy Operations with GraphWorm
GraphWorm, written in Go, uses Microsoft's Graph API and communicates exclusively through OneDrive, so its traffic looks like ordinary cloud activity and evades detection. For each compromised system the malware creates a dedicated OneDrive folder that holds files, job instructions, and the results of executed commands, keeping each victim's data separate.
Initial compromise typically involves exploiting vulnerabilities in exposed web applications, identified with open-source tools such as Nuclei and dirsearch. The group has also used a script that targets known vulnerabilities in SquirrelMail.
Expanding Proxy Network for Evasive Tactics
Beyond GraphWorm, Webworm has built an extensive proxy infrastructure from both open-source and proprietary tools. It includes Wormsrp, a custom fork of the frp tool, and ChainWorm, which chains several proxy layers together. Combined with tools such as SmuxProxy and WormSocket, these proxies make it difficult to trace activity back to its origin.
The group has also used an Amazon S3 bucket to store configurations and to exfiltrate data from government entities in Italy and Spain. Security experts advise monitoring for unusual cloud storage activity and unauthorized network connections.
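The detection angle follows from the two points above: GraphWorm talks to OneDrive through the Graph API from a per-victim folder of jobs and results, and the recommended mitigation is to watch for unusual cloud storage activity. The following added example (not code from the report or from the malware) shows how a defender might triage EDR-style network events by flagging processes outside an assumed baseline that reach OneDrive endpoints on graph.microsoft.com, and by counting how often they do so. All event data, the process name svc_update.exe and the baseline set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed EDR-style network events (not real telemetry): the host, the
# process image that opened the connection, destination and URL path.
EVENTS = [
    {"host": "ws01", "process": "OneDrive.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/root/children"},
    {"host": "ws01", "process": "msedge.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/messages"},
    {"host": "ws07", "process": "svc_update.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/root:/a1b2c3/jobs:/children"},
    {"host": "ws07", "process": "svc_update.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/root:/a1b2c3/results/out.txt:/content"},
    {"host": "ws07", "process": "svc_update.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/root:/a1b2c3/jobs:/children"},
    {"host": "ws09", "process": "excel.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/items/XYZ/content"},
]

# Assumed baseline of processes expected to use OneDrive via Graph; tune per estate.
KNOWN_DRIVE_CLIENTS = {"onedrive.exe", "excel.exe", "winword.exe", "powerpnt.exe",
                       "outlook.exe", "msedge.exe", "chrome.exe"}
# Graph paths that address OneDrive content: /me/drive, /users/{id}/drive, /drives/{id}.
DRIVE_PATH = re.compile(r"/(me|users/[^/]+)/drive(/|:|$)|/drives/", re.I)


def is_drive_request(event):
    """True if the event is a Graph API request against OneDrive content."""
    return (event["dest"].lower() == "graph.microsoft.com"
            and DRIVE_PATH.search(event["path"]) is not None)


def unexpected_drive_clients(events, known=KNOWN_DRIVE_CLIENTS):
    """(host, process) pairs reaching OneDrive endpoints from non-baseline processes."""
    hits = {(e["host"], e["process"]) for e in events
            if is_drive_request(e) and e["process"].lower() not in known}
    return sorted(hits)


def drive_request_counts(events):
    """Per (host, process) count of OneDrive requests; a process that keeps
    polling a folder for 'jobs' and uploading 'results' stands out by volume."""
    return Counter((e["host"], e["process"]) for e in events if is_drive_request(e))


if __name__ == "__main__":
    counts = drive_request_counts(EVENTS)
    for host, proc in unexpected_drive_clients(EVENTS):
        print(f"{host}: {proc} reaches OneDrive via Graph ({counts[(host, proc)]} requests)")
```

Because the traffic itself is indistinguishable from legitimate OneDrive use, the signal comes from the originating process and its access pattern, not from the destination.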
The continuing evolution of Webworm's tactics, GraphWorm included, underlines the need for stronger defenses and sustained vigilance against threats that hide behind trusted platforms such as Microsoft OneDrive.
