CyberSecurity SEE

GraphWorm Malware Utilizes OneDrive for Command and Control

New Threat Emerges: Webworm Utilizes Microsoft’s OneDrive for Malicious Activities

The threat group known as Webworm has deployed a new backdoor called GraphWorm. The malware routes its command-and-control traffic through Microsoft OneDrive, hiding it inside one of the most widely trusted cloud platforms. This makes the activity considerably harder to spot, because the network traffic looks like routine cloud storage operations.

The malware, internally referred to as OverOneDrive, communicates solely through Microsoft’s Graph API, which lets it blend in with legitimate OneDrive traffic. The findings come from research by WeLiveSecurity, which was subsequently shared with Cyber Security News. The discovery marks a notable evolution in Webworm’s tactics as the group moves away from older toolsets such as McRat and Trochilus.

Webworm’s operational history dates back to at least 2017, and over that time the group has broadened its targeting considerably. Originally focused on organizations in Asia, Webworm has expanded its reach to European government entities in countries such as Belgium, Italy, Serbia, and Poland, along with targets in South Africa. The group gains initial access using open-source reconnaissance tools, notably the vulnerability scanner Nuclei and dirsearch, which probes web paths. It has also exploited a post-authentication remote code execution vulnerability in SquirrelMail to compromise exposed web applications.

GraphWorm itself is written in Go. After compromising a host, it generates a unique victim identifier by combining details from the network adapters, processor information, and device serial numbers. For each infected machine, GraphWorm creates a dedicated OneDrive folder with three subfolders, used for file storage, command reception, and result transmission. Through this structure the malware can upload and download files, execute shell commands via cmd.exe, and change its sleep interval to evade detection. The output of executed commands is written to a file named beaconshelloutput.txt, which is uploaded back to OneDrive using Microsoft’s createUploadSession API endpoint. This permits large file transfers without triggering the security alerts usually associated with unusual data transfers.

In addition to the GraphWorm backdoor, Webworm has built an extensive proxy infrastructure from both open-source and custom tools. Among these are Wormsrp, a modified version of the frp reverse proxy; ChainWorm, which chains multiple proxy hops; and SmuxProxy, which is based on the iox port-forwarding tool. Another tool, WormSocket, tunnels traffic over WebSocket connections. These measures improve the group’s operational security and make it harder for security teams to identify and mitigate its activity. Researchers also found that Webworm used a compromised Amazon S3 bucket to store configuration files and exfiltrated data, including virtual machine snapshots from an Italian government entity and confidential documents belonging to a Spanish government body.

Given the sophistication and evolving nature of Webworm’s tactics, security teams need a multi-layered approach to detect and counter its activity. Organizations are advised to monitor for unusual outbound connections to cloud storage services, in particular OneDrive traffic patterns that deviate from normal user behavior. Regular audits of scheduled tasks and registry run keys can surface unauthorized entries, and processes that use cmd.exe or PowerShell to download files from external sources deserve close attention.
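One way to turn the GraphWorm behaviour described above (regular polling of a per-victim OneDrive folder, results uploaded as beaconshelloutput.txt via createUploadSession) into the kind of detection this paragraph recommends. This is an added example, not code from the original article or from the researchers; the log layout, the Graph API hostname, and the allowlist of processes expected to talk to the Graph API are assumptions, and the log lines are constructed.

```python
"""Flag hosts whose Graph API / OneDrive traffic looks like GraphWorm-style
beaconing rather than a legitimate OneDrive client. Assumptions: a proxy log
with fields "<seconds> <host> <process> <method> <url>" and an allowlist of
processes that normally call the Graph API. All sample data is constructed."""
import re
import statistics
from collections import defaultdict

# Constructed proxy log. WS01 is a normal sync client; WS02 polls a per-victim
# command folder every 60 s and uploads beaconshelloutput.txt.
SAMPLE_LOG = """\
0 WS01 OneDrive.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
0 WS02 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2/cmd:/children
60 WS02 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2/cmd:/children
120 WS02 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/a1b2/cmd:/children
180 WS02 updater.exe POST https://graph.microsoft.com/v1.0/me/drive/root:/a1b2/result/beaconshelloutput.txt:/createUploadSession
45 WS01 OneDrive.exe POST https://graph.microsoft.com/v1.0/me/drive/root:/Docs/report.docx:/createUploadSession
"""

ALLOWED_GRAPH_CLIENTS = {"OneDrive.exe", "msedge.exe", "chrome.exe", "firefox.exe"}  # assumption
GRAPH_DRIVE = re.compile(r"https://graph\.microsoft\.com/v1\.0/.*drive", re.I)
UPLOAD_SESSION = re.compile(r"/createUploadSession$", re.I)


def parse(log: str):
    """Yield (timestamp, host, process, method, url) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, host, proc, method, url = line.split(maxsplit=4)
        yield int(ts), host, proc, method, url


def analyze(log: str, min_hits: int = 3, max_jitter: float = 0.2) -> dict:
    """Return {host: [reasons]} for hosts whose Graph drive traffic is suspicious."""
    hits = defaultdict(list)     # host -> timestamps of drive calls by non-allowlisted processes
    reasons = defaultdict(set)
    for ts, host, proc, method, url in parse(log):
        if not GRAPH_DRIVE.search(url):
            continue
        if proc not in ALLOWED_GRAPH_CLIENTS:
            hits[host].append(ts)
            reasons[host].add(f"graph drive calls from {proc}")
            if UPLOAD_SESSION.search(url):
                reasons[host].add("createUploadSession from non-allowlisted process")
        if "beaconshelloutput.txt" in url.lower():
            reasons[host].add("upload of beaconshelloutput.txt (GraphWorm artifact)")
    # Near-constant gaps between calls indicate a fixed sleep interval (the backdoor can tune it).
    for host, stamps in hits.items():
        stamps.sort()
        if len(stamps) >= min_hits:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
                reasons[host].add(f"regular beacon interval ~{statistics.mean(gaps):.0f}s")
    return {h: sorted(r) for h, r in reasons.items()}
```

Tune the allowlist and jitter threshold to your environment; a legitimate sync client that is not on the allowlist will otherwise show up as a beacon.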

Because Webworm relies so heavily on legitimate cloud infrastructure, traditional network-based detection is likely to be insufficient. Organizations are encouraged to deploy behavioral analytics and cloud access security broker solutions to pinpoint anomalous activity inside trusted platforms. GraphWorm is a stark reminder of the challenges security teams face in protecting sensitive information when attackers hide inside the services their users depend on.

As Webworm continues to refine its tooling and broaden its targeting, defenders will need to respond in kind. Effective protection depends on adaptability, proactive monitoring, and security controls tailored to an evolving threat landscape.


Source: Cyber Security News
