BirdyClient | |
Addittional names | OneDriveBirdyClient |
Type of Malware | Remote Access Trojan |
Country of Origin | Unknown |
Date of initial activity | 2024 |
Targeted Countries | Ukraine |
Associated Groups | It remains unclear who the developers of the threat are |
Motivation | Data Theft. Its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it. |
Type of information Stolen | Login credentials, Financial Information, Corporate Data |
Tools | To date, no related tools have been found |
Attack Vectors | Misuse. Microsoft Graph API exploit |
Targeted System | Microsoft Graph API |
Overview
An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. This technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes. The malware found in Ukraine appeared to be named BirdyClient or OneDriveBirdyClient by its developers, as references to both names were found in its code. Its file name, vxdiff.dll, was the same as a legitimate DLL associated with an application called Apoint (apoint.exe), which is driver software for Alps pointing devices, usually found in laptops. Whether the malware was simply masquerading as a legitimate file or being sideloaded by Apoint remains unknown.Targets
Microsoft Graph API.
