TL;DR
Hunters’ Team AXON has identified and is currently monitoring an ongoing threat campaign, dubbed “VEILDrive.” This sinister campaign poses a significant risk to organizations that rely on Microsoft’s SaaS suite. The campaign was originally detected as part of an AXON engagement focused on mitigating malicious activities that infiltrated one of our customers’ infrastructures. During the investigation, analysts uncovered additional Microsoft infrastructure components linked to other compromised organizations, indicating a wider network of victims.
The attackers adeptly utilized various Microsoft SaaS services and applications, including Microsoft Teams, SharePoint, Quick Assist, and OneDrive, as crucial elements in their campaign. One particularly alarming tactic involved leveraging a unique OneDrive-based Command & Control (C&C) mechanism integrated into custom-built malware found within the victims’ systems. Preliminary investigations suggest this campaign likely has Russian origins, raising alarms about the potential geopolitical implications of the attacks.
In response to these findings, Team AXON has proactively reported its discoveries to Microsoft, aiming to assist in dismantling the actor’s infrastructure and strategies. Additionally, outreach has been made to multiple victims we’ve identified during our comprehensive research, offering critical insights and guidance to enhance their security postures.
Executive Summary
Hunters’ Team AXON has uncovered and is actively monitoring an ongoing threat campaign dubbed “VEILDrive.” The investigation commenced in September 2024, triggered by a response to an attack on a critical infrastructure entity in the United States. VEILDrive employs Microsoft’s SaaS suite—especially Teams, SharePoint, Quick Assist, and OneDrive—to execute its tactics, diverging significantly from traditional threat patterns. Notably, the threat actor’s innovative use of a OneDrive-based Command & Control (C&C) method embedded in Java-based malware poses a serious risk to affected environments.
The malware associated with VEILDrive is a Java-based .jar file that notably lacks obfuscation, making it uniquely readable and well-structured. Despite this apparent transparency, the malware eluded detection by a top-tier Endpoint Detection and Response (EDR) tool, as well as all security engines in VirusTotal, showcasing a critical vulnerability in existing detection mechanisms. This investigation highlights an urgent need for enhanced detection strategies that are capable of identifying even the most straightforward coding structures in high-risk environments. The report aims to provide valuable insights into VEILDrive’s methodologies, the shortcomings of current detection approaches, and equip the cybersecurity community with the necessary tools to combat these evolving threats.
Background
Beginning in September 2024, Team AXON responded to a significant incident targeting a critical infrastructure company in the United States. This deep dive revealed a unique threat campaign, “VEILDrive,” distinguished by its innovative tactics, techniques, and procedures (TTPs) that markedly differed from conventional attack patterns. Notably, VEILDrive’s malware incorporated a novel OneDrive-based Command & Control (C&C) method systematically integrated into Java-based malware deployed on compromised devices.
The malware, identified as a .jar file, showcased two striking features that set it apart from typical attack code: a lack of obfuscation and structured coding, which often confounds detection systems. Despite its deceptively simple design, it successfully bypassed security protocols, going unnoticed by both the top-tier Endpoint Detection and Response tools in the victim’s environment, as well as all VirusTotal engines. Such statistics emphasize the unpredictability of current detection strategies and underline the necessity for continuous vigilance against less conventional attack methodologies.
Team AXON has diligently reported its findings to Microsoft and other impacted organizations, providing actionable intelligence that can help mitigate this ongoing threat.
The VEILDrive Attack Path
In early September 2024, one of Hunters’ customers, referred to as “Org C,” sought Team AXON’s expertise in navigating an active incident. The case centered around a specific device within Org C that had been compromised through social engineering tactics. An alert was triggered by a suspiciously created scheduled task on one employee’s device, leading to further investigation.
The sequence of events unfolded as follows:
Step 1
- Multiple “MessageSent” and “ChatCreated” events were identified, all originating from the previously compromised user of Org A, owned by the threat actor.
- Only one “MemberAdded” event was identified, targeting the compromised user of Org A.
- This specific “MemberAdded” event occurred through the only account that accepted the threat actor’s access request, which led to the creation of a one-on-one chat.
- Detailed data from the organization’s EDR telemetry confirmed that the user accepted the request and unwittingly granted the attacker initial access via successful social engineering.
The aforementioned insights not only underscore the increasingly prevalent phishing attempts using Microsoft Teams and similar platforms but also highlight the crucial role of monitoring M365 audit logs and correlating them with EDR logs in investigations.
Step 2
The attacker successfully lured the Org C victim to execute Microsoft’s Quick Assist tool, providing them with an access code via Microsoft Teams, leading to interactive control over the victim’s computer.
Step 3
The attacker sent a malicious URL via Microsoft Teams, directing the victim to Org B’s SharePoint, where malware files awaited to be downloaded.
Step 4
Subsequent attempts were made by the attacker to conduct manual malicious operations via remote access. These targeted persistence efforts included creating scheduled tasks to ensure repeated execution of one of the attacker-downloaded files—a remote management tool named LiteManager.
Step 5
Following these actions, the actor proceeded to manually download another .zip file named Cliento.zip. Links for this download were also shared in chats between the victim and the threat actor, with the .zip file containing the main .JAR malware and the Java Development Kit necessary for execution.
Step 6
Subsequently, the threat actor executed the .JAR malware utilizing a specific command related to the path where the downloaded files were stored.
Step 7
Numerous network activities and command executions associated with the malicious .JAR file were documented, including:
- Multiple outgoing DNS Requests and network activity linked to safeshift390-my.sharepoint.com, graph.microsoft.com, and login.microsoftonline.com.
- Execution of local enumeration commands to gather system specs, time information, and USB device enumeration.
Step 8
The attacker established a registry run key for the persistent execution of the Java malware, creating a long-term backdoor into the compromised environment.
Fortunately, the containment and eradication process for this incident was both rapid and effective; forensic evidence indicated no substantial damage occurred to the victim’s host or organization. Significantly, the attack flow illustrated the attacker’s utilization of commonly employed Microsoft services to obfuscate their actions and facilitate easier access.
Below is a summary of the Microsoft services leveraged by the threat actor:
| Service | Tenant | Purpose |
|---|---|---|
| Microsoft Teams | From Org A to Org C | Spear Phishing Messages to lure the victim into executing the remote management tool. |
| Quick Assist | Org C | Threat actor sends Quick Assist code via Teams message to gain initial remote control. |
| SharePoint | From Org B to Org C | Malicious files hosted in Org B’s SharePoint tenant were shared with Org C. |
| Graph API | From Org C to N/A | Indications of malicious access to Microsoft Graph initiated by the malicious Cliento.jar. |
At this stage, we identified the four Microsoft services/apps involved in this campaign. Although the intent behind the Graph API usage remained ambiguous, several hypotheses emerged during our ongoing incident response efforts. To gain clarity on the Cliento.jar malware and its workings within OneDrive/SharePoint, we proceeded with a detailed analysis of the malware’s behavior.
“ODC2” Java Malware – OneDrive as Command & Control
The investigation employed a Java Decompiler, “JDGUI,” to examine the Client.jar malware, now referred to as “ODC2.” Initial examinations revealed correlations with observed PowerShell executions from the incident investigation, particularly referencing the included “jPowerShell” Java package—a PowerShell wrapper for Java. Additional packages, such as “commands,” “connection,” “launcher,” and “connect,” provided insights into the malware’s structural design.
Further scrutiny of the Main.class within the “launcher” package exposed hard-coded credentials utilized by the malware, which was particularly alarming. This analysis likely aligns with the earlier indications that the malware conducted “on-behalf” authentications to Entra ID while utilizing the hard-coded refresh token alongside the corresponding client ID and client secret for access permissions across specific OneDrive accounts claimed by the actor.
As the malware executes its functions, the “odRun” method initializes connections to various critical IP addresses, likely indicating the attacker’s infrastructure. One notable IP, associated with Azure, raises questions about its broader implications in connections established through OneDrive.
HTTPS Socket C2
Digging deeper into the malware’s functionality reveals that it routinely establishes and maintains a connection for command execution and data exchange. Utilizing this connection, the malware can receive commands and execute them using the jPowerShell wrapper, indicating a sophisticated level of command and control.
OneDrive Command & Control
Central to this malware’s functionality is its unique use of OneDrive for command and control activities, where critical system identifiers such as UUIDs play pivotal roles in identifying the unique compromised devices. In practice, the malware orchestrates a two-pronged approach for command and control via:
- HTTPS Socket C2: Traditional command and control through a server located on Azure.
- OneDrive-based C2: A more novel and complex mechanism whereby commands are relayed and executed based on interactions with designated OneDrive files.
Each method facilitates intricate communication and execution pathways, showcasing the depth of innovation embedded in this threat actor’s approach.
Microsoft Services/Apps as Attacker’s Infrastructure
Upon thorough analysis, it became evident that the VEILDrive attack intricately blended simplistic techniques with innovative tactics. One critical observation from our investigations was the extensive utilization of Microsoft infrastructure and services integrated throughout the campaign. Following a detailed malware analysis, we gained a clearer understanding of the attacker’s exploitation of various services and their specific purposes. Below is an expanded summary:
| Service | Tenant | Purpose |
|---|---|---|
| Microsoft Teams | From Org A to Org C | Spear Phishing Messages aimed at luring users to execute the remote management tool. |
| Quick Assist | Org C | Facilitated initial remote control through Quick Assist code exchange via Teams chat. |
| SharePoint | From Org B to Org C | Malicious files were hosted and shared via the SharePoint tenant of Org B. |
| Azure VM | Attacker’s infrastructure | The malware utilized communication with an Azure Virtual Machine for HTTPS Socket C2 needs. |
| OneDrive (Graph API) | Between Attacker’s OneDrive & Org C host(s) | Used for remote command execution and file transfer capabilities targeting Org C hosts. |
| Azure AD App Registration | Between Attacker’s OneDrive & Org C host(s) | Application designated for authentication on behalf of Azure AD user accounts owned by the threat actor. |
Continued surveillance of these activities and understanding the overarching attack strategies employed is crucial in ensuring robust defenses against future threats.
Indicators of Compromise (IOCs)
Based on analytical findings, several Entra ID tenants and application client IDs utilized by the attacker have been identified:
- Known Entra ID tenants:
- C5f077f6-5f7e-41a3-8354-8e31d50ee4d
- 893e5862-3e08-434b-9067-3289bec85f7d
- Known application client IDs:
- B686e964-b479-4ff5-bef6-e360321a9b65
- 2c73cab1-a8ee-4073-96fd-38245d976882
- Entra ID tenants linked to the attacker (monitor for DNS requests to these domains):
- SafeShift390[.]onmicrosoft[.]com
- GreenGuard036[.]onmicrosoft[.]com
- File IOCs (SHA256) discovered during the investigation:
- ROMServer.exe: a515634efa79685970e0930332233aee74ec95aed94271e674445712549dd254
- HookDrv.dll: 1040aede16d944be8831518c68edb14ccbf255feae3ea200c9401186f62d2cc4
- ROMFUSClient.exe: 7f61ff9dc6bea9dee11edfbc641550015270b2e8230b6196e3e9e354ff39da0e
- AledensoftIpcServer.dll: d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
- ROMwln.dll: 7f33398b98e225f56cd287060beff6773abb92404afc21436b0a20124919fe05
- Additional IP addresses of interest:
- 40.90.196[.]221
- 40.90.196[.]228
- 38.180.136[.]85
- 213.87.86[.]192
Hunting Queries
In conjunction with the IOCs highlighted above, we have developed multiple threat-hunting queries designed to detect malicious attacks originating from the same actor or sharing comparable characteristics and TTPs. The recommended time frame for hunting concerning VEILDrive extends back to July 2024.
HUNTING QUERY 1: Javaw Spawning Powershell with Specific Flags – Unusual Behavior
This query aims to uncover suspicious instances where Powershell is spawned by javaw.exe with specific command line flags historically used by the threat actor.
SELECT EVENT_TIME,
AGENT_ID,
PARENT_PROCESS_NAME,
PARENT_PROCESS_COMMANDLINE,
INITIATING_PROCESS_NAME,
INITIATING_PROCESS_COMMANDLINE,
TARGET_PROCESS_NAME,
TARGET_PROCESS_COMMANDLINE,
TARGET_PROCESS_OS_PID
FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
WHERE 1=1
AND PARENT_PROCESS_NAME ILIKE '%javaw%'
AND INITIATING_PROCESS_NAME ILIKE '%cmd%'
AND TARGET_PROCESS_NAME ILIKE '%powershell%'
AND TARGET_PROCESS_COMMANDLINE ILIKE 'powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile %'
AND EVENT_TIME > current_timestamp - interval '60d'HUNTING QUERY 2: ROM Tool Persistence via Scheduled Tasks
This query will identify any instances of scheduled tasks linked to the execution of a ROM tool utilized by the actor for persistence.
SELECT EVENT_TIME AS EVENT_TIME,
AID AS AGENT_ID,
CID AS COMPUTER_ID,
EVENT_SIMPLE_NAME AS EVENT_NAME,
RAW:TaskName AS TASK_NAME,
RAW:TaskExecCommand AS TASK_EXEC_COMMAND,
RAW:TaskAuthor AS TASK_AUTHOR,
RAW:UserName AS USER_NAME
--- Adjust according to your EDR of choice
FROM RAW.CROWDSTRIKE_RAW_EVENTS
WHERE EVENT_SIMPLE_NAME = 'ScheduledTaskRegistered'
AND TASK_EXEC_COMMAND ILIKE '%romserver%'
AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'HUNTING QUERY 3: Non-Organizational Users Sharing Links to Third-Party Sharepoint Domains via Microsoft Teams
This query aims to uncover instances of SharePoint links shared in Teams chats when the domain of those links is not associated with any chat participants—indicative of potential phishing attempts.
SET YOUR_ORGANIZATION_NAME = 'hunters';
SELECT EVENT_TIME,
ORGANIZATION_ID AS ORG_ID,
OPERATION AS EVENT_TYPE,
SPLIT_PART(LOWER(SPLIT_PART(USER_ID, '@', 2)), '.', 1) AS SENDER_ORG_DOMAIN,
RECORD_SPECIFIC_DETAILS:message_ur_ls AS MESSAGE_URLS,
WORKLOAD AS WORKLOAD,
USER_ID AS USER_ID,
RECORD_SPECIFIC_DETAILS:chat_thread_id AS CHAT_THREAD_ID,
RECORD_SPECIFIC_DETAILS:communication_type AS COMMUNICATION_TYPE,
RECORD_SPECIFIC_DETAILS:members[0].DisplayName AS MEMBER_DISPLAY_NAME,
RECORD_SPECIFIC_DETAILS:members[0].UPN AS MEMBER_UPN,
RECORD_SPECIFIC_DETAILS:members[0] AS MEMBERS,
RECORD_SPECIFIC_DETAILS:resource_tenant_id AS RESOURCE_TENANT_ID,
RECORD_SPECIFIC_DETAILS
FROM RAW.O365_AUDIT_LOGS
WHERE NOT USER_ID ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
AND (NOT (MESSAGE_URLS ILIKE '%' || SENDER_ORG_DOMAIN || '%') AND MESSAGE_URLS ILIKE '%sharepoint%')
AND NOT MESSAGE_URLS ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'HUNTING QUERY 4: Microsoft Teams – Phishing Detection – Multiple DM’s from Non-Common Domains
This query detects messages sent in one-on-one chats by external users from non-familiar domains, filtering extensively used domains based on historical data.
SET YOUR_DOMAIN_NAME = 'hunters';
WITH COMMONLY_USED_DOMAINS AS (
SELECT LOWER(SPLIT_PART(USER_ID , '@', 2)) AS DOMAIN_COMMONLY_USED,
MIN(EVENT_TIME) AS MIN_EVENT_TIME,
MAX(EVENT_TIME) AS MAX_EVENT_TIME,
ARRAY_AGG(DISTINCT OPERATION) AS OPERATIONS,
COUNT(*) AS COUNTER
FROM RAW.O365_AUDIT_LOGS
WHERE WORKLOAD IN ('MicrosoftTeams', 'OneDrive')
AND EVENT_TIME > CURRENT_TIMESTAMP - interval '90d'
AND USER_ID ILIKE '%@%'
GROUP BY DOMAIN_COMMONLY_USED
HAVING COUNTER > 20
),
LATEST_EXTERNAL_DOMAINS AS (
SELECT USER_ID AS LATEST_EXT_USERS,
LOWER(SPLIT_PART(USER_ID , '@', 2)) AS USER_DOMAIN,
MIN(EVENT_TIME) AS MIN_EVENT_TIME,
MAX(EVENT_TIME) AS MAX_EVENT_TIME,
ARRAY_AGG(DISTINCT OPERATION) AS OPERATIONS,
ARRAY_AGG(DISTINCT RECORD_SPECIFIC_DETAILS:communication_type) AS COMMUNICATION_TYPE,
COUNT(*) AS COUNTER
FROM RAW.O365_AUDIT_LOGS
WHERE EVENT_TIME > CURRENT_TIMESTAMP - interval '50d'
AND NOT USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
AND NOT USER_ID IN ('app@sharepoint')
AND USER_ID ILIKE '%@%'
AND USER_DOMAIN NOT IN (SELECT DISTINCT DOMAIN_COMMONLY_USED FROM COMMONLY_USED_DOMAINS)
AND OPERATION IN ('MemberAdded', 'ChatCreated')
AND RECORD_SPECIFIC_DETAILS:communication_type="OneOnOne"
GROUP BY USER_ID
HAVING COUNT(*) > 5
)
SELECT EVENT_TIME,
ORGANIZATION_ID AS ORG_ID,
WORKLOAD AS WORKLOAD,
OPERATION AS OPERATION,
USER_ID AS USER_ID,
LOWER(SPLIT_PART(USER_ID , '@', 2)) AS USER_DOMAIN,
RECORD_SPECIFIC_DETAILS:chat_thread_id AS CHAT_THREAD_ID,
RECORD_SPECIFIC_DETAILS:communication_type AS COMMUNICATION_TYPE,
RECORD_SPECIFIC_DETAILS:members[0].DisplayName AS MEMBER_DISPLAY_NAME_0,
RECORD_SPECIFIC_DETAILS:members[0].UPN AS MEMBER_UPN_0,
RECORD_SPECIFIC_DETAILS:members[0] AS MEMBERS_0,
RECORD_SPECIFIC_DETAILS:members[1].DisplayName AS MEMBER_DISPLAY_NAME_2,
RECORD_SPECIFIC_DETAILS:members[1].UPN AS MEMBER_UPN_2,
RECORD_SPECIFIC_DETAILS:members[1] AS MEMBERS_2,
RECORD_SPECIFIC_DETAILS:resource_tenant_id AS RESOURCE_TENANT_ID,
RECORD_SPECIFIC_DETAILS,
RAW:ClientIP AS CLIENT_IP
FROM RAW.O365_AUDIT_LOGS
WHERE 1=1
AND RECORD_SPECIFIC_DETAILS:communication_type="OneOnOne"
AND (
RECORD_SPECIFIC_DETAILS:members[0].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
OR RECORD_SPECIFIC_DETAILS:members[1].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
)
AND USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
AND OPERATION = 'MemberAdded'
AND EVENT_TIME > CURRENT_TIMESTAMP - interval '50d';The logic behind the above queries depicts the essence of proactive monitoring, aiming to underline potential vulnerabilities posed by evolving threats.
Hygiene Nuggets
To diminish the risk of successful phishing attacks through Microsoft Teams and associated platforms, consider the following strategic actions:
- By default, Microsoft Teams allows “External Access,” enabling one-on-one chats with external contacts. If this feature is not essential, consider disabling it to minimize risk.
- In cases where external communication is necessary, enforce strict limitations to only trusted domains.
- Restrict external participant access to only select, high-privileged users to manage communications effectively.
As cybercriminals increasingly exploit remote administration tools, organizations must make clear distinctions between legitimate and potentially harmful applications. Recommended practices include:
- Limit remote administration tools to a whitelist of applications strictly necessary for business purposes. If Quick Assist is deemed excessive, consider placing it under restriction.
- Maintain vigilant tracking of commonly used remote management tools, monitoring for any unauthorized usage.
Furthermore, enhancing security awareness training is essential in combatting cyber threats, emphasizing the rising instances of IT impersonation occurring via communication platforms. Employees should be informed promptly, equipping them with the knowledge to handle potential incidents appropriately.
Conclusion
VEILDrive intricately combines simplicity and sophistication, demonstrating the skillful amalgamation of classic command and control characteristics alongside innovative OneDrive-based communication methodologies. Through attentive observation, we can glean valuable insights into how this threat actor operates and which services are most susceptible to exploitation.
As it stands, the confluence of OneDrive exploitation and spear-phishing campaigns on platforms like Microsoft Teams is a concerning trend that organizations must remain vigilant against. The implementation of comprehensive hygiene and posture measures will play a critical role in defending against these evolving threats. Ultimately, continued monitoring and proactive threat-hunting measures are strongly advised as these trends will likely persist and likely expand in scope.
For ongoing updates regarding threat-hunting research, activities, and queries, we encourage following Team AXON’s X/Twitter account (@team__axon).
Itimate and potentially malicious external communications. Here are additional best practices to enhance your organization’s security posture:
### Additional Best Practices
1. **Regularly Audit External Communications:**
– Conduct routine audits of external communications to identify any anomalous or unauthorized interactions with external users.
- Use logging and monitoring tools to gain visibility into interactions that take place through Microsoft Teams and related platforms.
2. **Implement Two-Factor Authentication (2FA):**
– Require two-factor authentication for users accessing Microsoft Teams, especially for those with administrative privileges or access to sensitive data. This adds an additional layer of security, making it harder for unauthorized users to gain access.
3. **User Education and Awareness:**
– Conduct training sessions for employees about the risks related to phishing and social engineering attacks, focusing on recognizing suspicious external communications.
– Encourage users to report any unusual activity or messages they might receive, fostering a culture of security awareness.
4. **Review and Update Security Policies:**
– Regularly review and update your organization’s security policies regarding external communications and data sharing.
– Clearly define acceptable use and establish consequences for violating security protocols.
5. **Limit Meeting Invitations:**
– Set policies that allow meeting invites only to verified users from trusted domains, thereby minimizing the risk of unwanted participants joining sensitive discussions.
6. **Endpoint Security:**
– Ensure that all endpoints accessing Microsoft Teams and other corporate resources have up-to-date security measures in place, including antivirus, anti-malware, and encryption.
7. **Integration with Other Security Tools:**
– Leverage security tools that can integrate with Microsoft Teams to provide real-time alerting and analysis of communication patterns that may indicate a threat.
By implementing these measures, organizations can significantly reduce their exposure to external threats, streamline their communication protocols, and enhance their overall security strategy in the digital workspace.
