A new multi-stage espionage campaign has been discovered that is targeting high-ranking government officials and individuals in the defense industry in Western Asia. First signs of activity from this campaign were seen as far back as June of 2021, with more victims reporting the attack in September and October of the same year.
This campaign is unusual in that it uses Microsoft OneDrive as its command-and-control server, relying on the client's synchronization feature to deliver encrypted commands to the victim system for execution. The initial infection vector is a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability tracked as CVE-2021-40444. Once the exploit runs on a vulnerable system, the malware executes a second binary that acts as the downloader for the OneDrive stage, which has been dubbed Graphite. From there, the malware has been seen downloading and executing PowerShell Empire as its final payload for post-exploitation activity.
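The chain described above leaves two defender-visible seams: Excel launching a non-Office binary, and a process other than the sync client writing into the OneDrive folder. The script below is an added example, not code from the original report, showing those two heuristics run over constructed Sysmon-style process-creation (Event ID 1) and file-create (Event ID 11) events; the allowlists, the sample paths and the `\OneDrive` path marker are assumptions for illustration and would need tuning per environment.

```python
"""Added example: two detection heuristics over Sysmon-style events.

Sample events and allowlists are constructed for illustration; they are not
indicators from the original report.
"""
from pathlib import PureWindowsPath

# Child processes Excel is expected to spawn (assumption; tune per environment).
EXCEL_CHILD_ALLOWLIST = {"splwow64.exe", "excel.exe"}

# Processes expected to write into a OneDrive sync folder (assumption, illustrative).
ONEDRIVE_WRITER_ALLOWLIST = {"onedrive.exe", "explorer.exe", "excel.exe", "winword.exe"}

# Assumption: the sync root has "OneDrive" as a path component.
ONEDRIVE_PATH_MARKER = "\\onedrive"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'excel.exe'."""
    return PureWindowsPath(path).name.lower()


def office_spawn_alerts(events):
    """Sysmon Event ID 1 events where EXCEL.EXE is the parent of an unexpected binary."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent == "excel.exe" and child not in EXCEL_CHILD_ALLOWLIST:
            alerts.append({"rule": "excel-spawned-unexpected-process",
                           "parent": ev["ParentImage"], "image": ev["Image"]})
    return alerts


def onedrive_write_alerts(events):
    """Sysmon Event ID 11 (FileCreate) events where a non-allowlisted process
    wrote a file under a OneDrive sync folder."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = ev.get("TargetFilename", "")
        if ONEDRIVE_PATH_MARKER not in target.lower():
            continue
        writer = _basename(ev.get("Image", ""))
        if writer not in ONEDRIVE_WRITER_ALLOWLIST:
            alerts.append({"rule": "unexpected-onedrive-writer",
                           "image": ev["Image"], "target": target})
    return alerts


def analyze(events):
    """Run both heuristics and return the combined alert list."""
    return office_spawn_alerts(events) + onedrive_write_alerts(events)


# Constructed sample events; all paths and file names are invented.
SAMPLE_EVENTS = [
    # benign: Excel starting its print helper
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
    # suspicious: Excel launching a binary dropped in a temp directory
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\dl.exe"},
    # benign: the sync client itself writing into the sync folder
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetFilename": r"C:\Users\alice\OneDrive\report.xlsx"},
    # suspicious: the dropped binary writing into the sync folder
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Temp\dl.exe",
     "TargetFilename": r"C:\Users\alice\OneDrive\.cache\out.bin"},
    # outside the sync folder, so the OneDrive rule ignores it
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Temp\dl.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow. The first fires on parent/child relationship alone, which is cheap and survives renaming of the dropped file; the second only fires inside the sync root, so its noise level depends on how complete the writer allowlist is for the fleet in question.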
Based on how the infrastructure, malware, and operation have been set up, the threat actor behind this campaign is believed to be the Russia-based APT28 group, also known as Fancy Bear. This group has been linked to numerous high-profile campaigns in recent years, including attacks related to the 2016 U.S. presidential election.