BirdyClient (Remote Access Trojan) – Malware

July 12, 2024

BirdyClient

Additional names

OneDriveBirdyClient

Type of Malware

Remote Access Trojan

Country of Origin

Unknown

Date of initial activity

2024

Targeted Countries

Ukraine

Associated Groups

It remains unclear who the developers of the threat are.

Motivation

Data Theft. Its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it.

Type of Information Stolen

Login credentials, Financial Information, Corporate Data

Tools

To date, no related tools have been found.

Attack Vectors

Misuse of a legitimate service: the malware abuses the Microsoft Graph API and OneDrive for C&C communication rather than exploiting a software vulnerability.

Targeted System

Microsoft Graph API

Overview

An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. This technique was most recently used in an attack against an organization in Ukraine, where a previously undocumented piece of malware used the Graph API to leverage Microsoft OneDrive for C&C purposes. The malware found in Ukraine appeared to be named BirdyClient or OneDriveBirdyClient by its developers, as references to both names were found in its code. Its file name, vxdiff.dll, was the same as a legitimate DLL associated with an application called Apoint (apoint.exe), which is driver software for Alps pointing devices, usually found in laptops. Whether the malware was simply masquerading as a legitimate file or being sideloaded by Apoint remains unknown.

Targets

Microsoft Graph API.

How they operate

Analysis of the BirdyClient malware (Trojan.BirdyClient) revealed that its main functionality is to connect to the Microsoft Graph API and use Microsoft OneDrive as a C&C server mechanism to upload and download files from it. The sample also creates the following log file:

%AllUsersProfile%/{0134AA2C-03BE-448D-8D28-7FFE94EA3A49}/config/001.temp

What is the Graph API?

Graph is a Microsoft API designed to allow developers to access resources hosted on Microsoft cloud services, such as Microsoft 365. Authentication is carried out using OAuth access tokens. Graph can be used to access a wide range of data and services such as email, calendar events, files, or devices. Application developers can potentially use it to pull data from one or more Microsoft services and integrate it into their own solutions.
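Because Graph API traffic is normal on a Microsoft 365 workstation, the useful detection signal is which process is talking to it. The following hunt script is an added example (not from the original article or from Symantec's analysis): it flags Graph/OAuth connections from processes outside an allowlist of expected clients, and separately matches the log file path above. The endpoint telemetry format, the host names, and the allowlist are constructed assumptions for illustration.

```python
"""Hunt for BirdyClient-style Graph API abuse: an unexpected process (here
apoint.exe, the host the vxdiff.dll implant masquerades as or sideloads into)
contacting graph.microsoft.com, plus the implant's known log file path."""
import fnmatch
from collections import Counter

# Processes for which Graph API traffic is expected on a typical workstation.
# Constructed allowlist; tune it to your own estate.
EXPECTED_GRAPH_CLIENTS = {
    "outlook.exe", "teams.exe", "onedrive.exe", "excel.exe",
    "winword.exe", "msedge.exe", "chrome.exe",
}
# Graph API endpoint and the OAuth token endpoint it authenticates against.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Log file path from the analysis; %AllUsersProfile% is left as a wildcard.
BIRDY_LOG_PATTERN = "*/{0134AA2C-03BE-448D-8D28-7FFE94EA3A49}/config/001.temp"

# Constructed endpoint telemetry, one "hostname process destination" per line.
SAMPLE_NETLOG = """\
WS01 outlook.exe graph.microsoft.com
WS01 apoint.exe login.microsoftonline.com
WS01 apoint.exe graph.microsoft.com
WS02 onedrive.exe graph.microsoft.com
WS03 svchost.exe update.microsoft.com
"""


def suspicious_graph_clients(netlog: str) -> dict:
    """Return {(hostname, process): count} for Graph/OAuth traffic that did
    not originate from an expected Microsoft 365 client process."""
    hits = Counter()
    for line in netlog.splitlines():
        if not line.strip():
            continue
        hostname, proc, dest = line.split()
        if dest.lower() in GRAPH_HOSTS and proc.lower() not in EXPECTED_GRAPH_CLIENTS:
            hits[(hostname, proc.lower())] += 1
    return dict(hits)


def birdy_log_paths(paths):
    """Return the paths matching the BirdyClient log location, regardless of
    slash direction or letter case (Windows paths are case-insensitive)."""
    norm = lambda p: p.replace("\\", "/").lower()
    return [p for p in paths if fnmatch.fnmatchcase(norm(p), norm(BIRDY_LOG_PATTERN))]


if __name__ == "__main__":
    print(suspicious_graph_clients(SAMPLE_NETLOG))
```

A single apoint.exe connection to the token endpoint followed by Graph traffic is exactly the pattern worth escalating; combine the network hit with the file path match to raise confidence before triage.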

Significant Malware Campaigns

An attack against an organization in Ukraine.

References:
  • BirdyClient malware leverages Microsoft Graph API for C&C communication
  • Graph: Growing number of threats leveraging Microsoft API
    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial