State-sponsored cyber operatives are increasingly leveraging legitimate cloud storage services from major providers like Microsoft and Google to deploy and spread malware, according to recent findings by Symantec’s threat intelligence team. This development highlights a disturbing trend where state-backed actors utilize cloud platforms to evade detection and minimize operational costs.
Marc Elias, a threat hunter at Symantec, unveiled these insights during a presentation at the Black Hat infosec conference in Las Vegas. In his address, Elias detailed how cybercriminals are exploiting cloud storage systems for malicious purposes, driven by both financial efficiency and the challenge of detection.
“The infrastructure costs for these nation-state groups are essentially non-existent,” Elias remarked. “They can create free accounts on services like Google Drive and Microsoft OneDrive, avoiding the expenses associated with traditional infrastructure.” He added that the encrypted nature of cloud traffic and its alignment with legitimate domains makes these attacks particularly difficult to identify.
Among the recent threats, Symantec identified a backdoor malware named “Grager,” which was discovered targeting organizations in Taiwan, Hong Kong, and Vietnam. The Grager malware utilizes Microsoft’s Graph API to communicate with its command and control server, hosted on OneDrive. The attackers employed a sophisticated infection chain by mimicking the legitimate 7-Zip software, redirecting victims to a malicious domain through search engines.
The domain hosting Grager – hxxp://7-zip.tw/a/7z2301-x64[.]msi – was a carefully crafted typo-squatted URL designed to mislead users searching for the genuine 7-Zip tool. The malware installation involved a trojanized version of 7-Zip, which deployed additional malicious components, including the Grager backdoor and Tonerjam malware. Symantec’s research suggests links between Grager and a group known as UNC5330, which is suspected to have affiliations with the Chinese government.
In another notable case, Symantec uncovered a developing backdoor named “Moon_Tag,” linked to code shared on a Google Group. This malware, attributed to a Chinese-speaking group, also uses the Graph API for communication. The research indicates that Moon_Tag’s development aligns with patterns observed in other Chinese state-sponsored cyber activities.
Additionally, Symantec detected a backdoor called “Onedrivetools,” targeting IT service providers in the US and Europe. This malware initially installs a downloader that authenticates to the Graph API, then retrieves and executes a second payload stored in OneDrive. The primary payload, however, is sourced from a publicly available GitHub repository. Onedrivetools creates a new folder for each infected machine in OneDrive, which is used to alert the attackers of new infections and facilitate the exfiltration of sensitive data.
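The common thread in the Grager and Onedrivetools cases is that the implant's command-and-control traffic goes to Microsoft Graph and OneDrive, so the destination alone looks benign. What a defender can still key on is the process making the connection. The following is an added illustration, not code from Symantec's report or from the malware analysis: it runs a simple hunt over constructed endpoint telemetry (timestamp, host, process path, destination, bytes out) and flags processes that reach Graph or Entra ID login endpoints but are not in an assumed allowlist of legitimate Graph clients, with an extra reason when the binary runs from a user-writable directory. The telemetry format, the sample rows and the allowlist are all assumptions to be tuned per fleet.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data), one outbound connection per line:
# timestamp,hostname,process_path,destination_host,bytes_out
SAMPLE_EVENTS = r"""
2024-08-09T10:01:02Z,ws-01,C:\Program Files\Microsoft OneDrive\OneDrive.exe,graph.microsoft.com,1200
2024-08-09T10:02:11Z,ws-01,C:\Program Files\7-Zip\7zFM.exe,graph.microsoft.com,540
2024-08-09T10:02:15Z,ws-01,C:\Program Files\7-Zip\7zFM.exe,graph.microsoft.com,98000
2024-08-09T10:03:40Z,ws-02,C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE,graph.microsoft.com,2300
2024-08-09T10:04:02Z,ws-03,C:\Users\alice\AppData\Local\Temp\svc.exe,login.microsoftonline.com,900
2024-08-09T10:04:05Z,ws-03,C:\Users\alice\AppData\Local\Temp\svc.exe,graph.microsoft.com,4100
"""

# Endpoints an implant using the Graph API must touch: token issuance and the API itself.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Assumed allowlist of binaries that legitimately talk to Graph in this environment.
# An archiver, or anything in a temp directory, has no business being on this list.
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# Directories a standard user can write to; implants dropped by a trojanized
# installer or a downloader often live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def parse_events(text):
    """Parse the CSV-style telemetry into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, nbytes = line.split(",")
        events.append({
            "ts": ts,
            "host": host,
            "proc": proc,
            "proc_name": proc.rsplit("\\", 1)[-1].lower(),
            "dest": dest.lower(),
            "bytes_out": int(nbytes),
        })
    return events


def hunt(events):
    """Return findings for (host, process) pairs that reach Graph endpoints
    without being an expected Graph client, sorted by bytes sent descending."""
    totals = defaultdict(int)
    for e in events:
        if e["dest"] in GRAPH_HOSTS and e["proc_name"] not in EXPECTED_GRAPH_CLIENTS:
            totals[(e["host"], e["proc"])] += e["bytes_out"]

    findings = []
    for (host, proc), nbytes in totals.items():
        reasons = ["unexpected Graph client"]
        if USER_WRITABLE.search(proc):
            reasons.append("runs from user-writable path")
        findings.append({"host": host, "proc": proc, "bytes_out": nbytes, "reasons": reasons})
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{f['host']}  {f['proc']}  {f['bytes_out']} bytes  ({'; '.join(f['reasons'])})")
```

On the sample data the OneDrive and Outlook rows are ignored, the 7-Zip file manager on ws-01 is reported because an archiver should never be a Graph client (and its 98 KB of outbound data is worth a look), and the binary in ws-03's Temp directory is reported with both reasons. The value of the heuristic lies in the allowlist being tight for your environment; a broad allowlist of "anything signed by Microsoft" would let a trojanized installer's payload through just as the legitimate domain does.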
Symantec’s analysis also identified the use of a tunneling tool named Whipweave, suspected to be based on the open-source Chinese VPN Free Connect (FCN) project. This tool connects to the Orbweaver Operational Relay Box (ORB) network to further obscure the malicious traffic.
Elias cautioned that the trend of nation-state actors utilizing cloud services for cyber operations is likely to increase, given the advantages it offers attackers. To aid network defenders, Symantec has published indicators of compromise and a detailed analysis of the tactics, techniques, and procedures employed by these threat actors.
For those tasked with defending against these sophisticated threats, the published resources and ongoing vigilance are crucial in countering the evolving landscape of state-sponsored cyber espionage.