BirdyClient | |
Additional names | OneDriveBirdyClient |
Type of Malware | Remote Access Trojan |
Country of Origin | Unknown |
Date of initial activity | 2024 |
Targeted Countries | Ukraine |
Associated Groups | Unknown; the developers of the threat have not been identified |
Motivation | Data theft. Its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a command-and-control (C&C) channel for uploading and downloading files. |
Type of information Stolen | Login credentials, Financial Information, Corporate Data |
Tools | To date, no related tools have been found |
Attack Vectors | Abuse of a legitimate cloud service: the Microsoft Graph API and OneDrive are used as C&C infrastructure. No vulnerability in Graph is exploited; the malware authenticates with an OAuth token like any other Graph client. |
Targeted System | Windows hosts (the sample is a DLL named vxdiff.dll). The Microsoft Graph API and OneDrive are the abused C&C channel, not the target. |
Overview
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services.
This technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes.
The malware found in Ukraine appeared to be named BirdyClient or OneDriveBirdyClient by its developers, as references to both names were found in its code. Its file name, vxdiff.dll, was the same as that of a legitimate DLL associated with an application called Apoint (apoint.exe), driver software for Alps pointing devices usually found in laptops. Whether the malware was simply masquerading as a legitimate file or being sideloaded by Apoint remains unknown. In either case, a vxdiff.dll whose hash or code signature does not match the vendor's copy is the artifact to look for.
Targets
An organization in Ukraine. The Microsoft Graph API and OneDrive are the C&C channel the malware abuses, not the targets of the attack.
How they operate
Analysis of the BirdyClient malware (Trojan.BirdyClient) revealed that its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it. The sample also creates the following log file:
%AllUsersProfile%/{0134AA2C-03BE-448D-8D28-7FFE94EA3A49}/config/001.temp
What is the Graph API?
Graph is a Microsoft API designed to allow developers to access resources hosted on Microsoft cloud services, such as Microsoft 365. Authentication is carried out using OAuth access tokens. Because the resulting traffic is HTTPS to a Microsoft domain, C&C that rides on Graph blends in with legitimate Microsoft 365 activity, which is what makes it attractive to malware authors.
Graph can be used to access a wide range of data and services such as email, calendar events, files, or devices. Application developers can potentially use it to pull data from one or more Microsoft services and integrate it into their own solutions.
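The following is an added detection example, not code from the original page or from the BirdyClient sample. It shows how the behaviour described above (OAuth token request, then OneDrive uploads and downloads through Graph from a process that has no reason to use it) can be picked out of endpoint network events, and how the log-file path from the report can be matched on disk. The event record format, the process allow-list and the sample records are constructed assumptions; the Graph drive endpoints and the OAuth token endpoint are Microsoft's documented routes, and the GUID path is the one quoted above. The Apoint.exe process in the sample data is a hypothetical illustration of the sideloading scenario, not a confirmed detail.

```python
"""Triage endpoint network events for Microsoft Graph / OneDrive C&C use.

Added example for this page; not code from the original report or the
BirdyClient malware. Event format, allow-list and sample data are assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

GRAPH_HOST = "graph.microsoft.com"
TOKEN_HOST = "login.microsoftonline.com"

# Assumed allow-list of images that legitimately use Graph/OneDrive on a
# managed workstation; tune it to the environment.
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "teams.exe", "outlook.exe", "msedge.exe",
    "chrome.exe", "winword.exe", "excel.exe",
}

# Graph v1.0 paths that move or enumerate OneDrive content. me/drive,
# users/{id}/drive and drives/{id} are three ways to address the same items.
_DRIVE_PREFIX = r"^/v1\.0/(?:me/drive|users/[^/]+/drive|drives/[^/]+)/"
DRIVE_TRANSFER_RE = re.compile(
    _DRIVE_PREFIX
    + r"(?:items/[^/]+/content|root:/.+:/content"
    + r"|items/[^/]+/createUploadSession|root:/.+:/createUploadSession)$"
)
DRIVE_LISTING_RE = re.compile(_DRIVE_PREFIX + r"(?:root|items/[^/]+)/children$")
TOKEN_PATH_RE = re.compile(r"/oauth2/(?:v2\.0/)?token$")

# Log artifact named in the report, matched on its GUID directory and file name.
BIRDY_LOG_RE = re.compile(
    r"\{0134AA2C-03BE-448D-8D28-7FFE94EA3A49\}[\\/]config[\\/]001\.temp$",
    re.IGNORECASE,
)


def classify_graph_request(method, url):
    """Return 'token', 'upload', 'download', 'listing', 'graph-other' or None."""
    u = urlparse(url)
    host, path = u.netloc.lower(), u.path
    if host == TOKEN_HOST and TOKEN_PATH_RE.search(path):
        return "token"
    if host != GRAPH_HOST:
        return None
    if DRIVE_TRANSFER_RE.match(path):
        # GET on an item's content is a download; PUT/POST pushes data up.
        return "download" if method.upper() == "GET" else "upload"
    if DRIVE_LISTING_RE.match(path):
        return "listing"
    return "graph-other"


def find_suspicious_graph_clients(events):
    """Group OneDrive activity by (host, process) for processes outside the
    allow-list. Upload plus download from one unexpected process is the
    beacon-and-tasking shape described for BirdyClient ('c2-pattern');
    anything less is reported for review."""
    ops = defaultdict(set)
    for host, image, method, url in events:
        proc = image.rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_GRAPH_CLIENTS:
            continue
        kind = classify_graph_request(method, url)
        if kind in ("token", "upload", "download", "listing"):
            ops[(host, proc)].add(kind)
    findings = {}
    for key, kinds in ops.items():
        if not kinds & {"upload", "download", "listing"}:
            continue  # a token request alone is not worth a finding
        severity = "c2-pattern" if {"upload", "download"} <= kinds else "review"
        findings[key] = {"operations": sorted(kinds), "severity": severity}
    return findings


def is_birdyclient_log_path(path):
    """True if a file path matches the log artifact quoted in the report."""
    return bool(BIRDY_LOG_RE.search(path))


# Constructed endpoint-agent records: (host, process image, method, URL).
EVENTS = [
    ("ws01", r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "PUT",
     "https://graph.microsoft.com/v1.0/me/drive/root:/Documents/q3.xlsx:/content"),
    ("ws01", r"C:\Program Files\Apoint\Apoint.exe", "POST",
     "https://login.microsoftonline.com/common/oauth2/v2.0/token"),
    ("ws01", r"C:\Program Files\Apoint\Apoint.exe", "PUT",
     "https://graph.microsoft.com/v1.0/me/drive/root:/ws01/001.temp:/content"),
    ("ws01", r"C:\Program Files\Apoint\Apoint.exe", "GET",
     "https://graph.microsoft.com/v1.0/me/drive/root/children"),
    ("ws01", r"C:\Program Files\Apoint\Apoint.exe", "GET",
     "https://graph.microsoft.com/v1.0/me/drive/items/01ABCDEF/content"),
    ("ws02", r"C:\Program Files\Microsoft\Edge\msedge.exe", "GET",
     "https://graph.microsoft.com/v1.0/me/drive/root/children"),
    ("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "GET",
     "https://graph.microsoft.com/v1.0/me/drive/root/children"),
]

if __name__ == "__main__":
    for (host, proc), f in find_suspicious_graph_clients(EVENTS).items():
        print(f"{host} {proc}: {f['severity']} {f['operations']}")
```

Run against the constructed records, the Apoint.exe activity on ws01 is rated c2-pattern because one unexpected process both pushed a file to OneDrive and pulled one down, while the PowerShell listing on ws02 is only flagged for review. The process allow-list is the weak point of this approach: a Graph client injected into or sideloaded by an allowed process will not be caught by it, so pair it with the file-hash check on vxdiff.dll and a search for the GUID log path.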
Significant Malware Campaigns
An attack against an organization in Ukraine