An ongoing menace marketing campaign dubbed VEILDrive has been noticed benefiting from professional providers from Microsoft, together with Groups, SharePoint, Fast Help, and OneDrive, as a part of its modus operandi.
“Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware,” Israeli cybersecurity firm Hunters mentioned in a brand new report.
“This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems.”
Hunters mentioned it found the marketing campaign in September 204 after it responded to a cyber incident concentrating on a crucial infrastructure group in the US. It didn’t disclose the identify of the corporate, as a substitute giving it the designation “Org C.”
The exercise is believed to have commenced a month prior, with the assault culminating within the deployment of a Java-based malware that employs OneDrive for command-and-control (C2).
The menace actor behind the operation is claimed to have despatched Groups messages to 4 workers of Org C by impersonating an IT workforce member and requesting distant entry to their methods through the Fast Help software.
What made this preliminary compromise technique stand out is that the attacker utilized a consumer account belonging to a possible prior sufferer (Org A), somewhat than creating a brand new account for this function.
“The Microsoft Groups messages acquired by the focused customers of Org C had been made attainable by Microsoft Groups’ ‘Exterior Entry‘ performance, which permits One-on-One communication with any exterior group by default,” Hunters mentioned.
Within the subsequent step, the menace actor shared through the chat a SharePoint obtain hyperlink to a ZIP archive file (“Client_v8.16L.zip”) that was hosted on a distinct tenant (Org B). The ZIP archive got here embedded with, amongst different recordsdata, one other distant entry software named LiteManager.
The distant entry gained through Fast Help was then used to create scheduled duties on the system to periodically execute the LiteManager distant monitoring and administration (RMM) software program.
Additionally downloading is a second ZIP file (“Cliento.zip”) utilizing the identical technique that included the Java-based malware within the type of a Java archive (JAR) and the whole Java Growth Equipment (JDK) to execute it.
The malware is engineered to hook up with an adversary-controlled OneDrive account utilizing hard-coded Entra ID (previously Azure Energetic Listing) credentials, utilizing it as a C2 for fetching and executing PowerShell instructions on the contaminated system through the use of the Microsoft Graph API.
It additionally packs in a fallback mechanism that initializes an HTTPS socket to a distant Azure digital machine, which is then utilized to obtain instructions and execute them beneath the context of PowerShell.
This isn’t the primary time the Fast Help program has been used on this method. Earlier this Might, Microsoft warned {that a} financially motivated cybercriminal group referred to as Storm-1811 misused Fast Help options by pretending to be IT professionals or technical help personnel to achieve entry and drop Black Basta ransomware.
The event additionally comes weeks after the Home windows maker mentioned it has noticed campaigns abusing professional file internet hosting providers like SharePoint, OneDrive, and Dropbox as technique of evading detection.
“This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses,” Hunters mentioned. “With zero obfuscation and well-structured code, this malware defies the typical trend of evasion-focused design, making it unusually readable and straightforward.”
