VEILDrive: Uncovering a New Threat Campaign Leveraging Microsoft SaaS for Cyber Attacks

VEILDrive: Uncovering a New Threat Campaign Leveraging Microsoft SaaS for Cyber Attacks

TL;DR

Hunters’ Team AXON has identified and is currently monitoring an ongoing threat campaign, dubbed “VEILDrive.” This sinister campaign poses a significant risk to organizations that rely on Microsoft’s SaaS suite. The campaign was originally detected as part of an AXON engagement focused on mitigating malicious activities that infiltrated one of our customers’ infrastructures. During the investigation, analysts uncovered additional Microsoft infrastructure components linked to other compromised organizations, indicating a wider network of victims.

The attackers adeptly utilized various Microsoft SaaS services and applications, including Microsoft Teams, SharePoint, Quick Assist, and OneDrive, as crucial elements in their campaign. One particularly alarming tactic involved leveraging a unique OneDrive-based Command & Control (C&C) mechanism integrated into custom-built malware found within the victims’ systems. Preliminary investigations suggest this campaign likely has Russian origins, raising alarms about the potential geopolitical implications of the attacks.

In response to these findings, Team AXON has proactively reported its discoveries to Microsoft, aiming to assist in dismantling the actor’s infrastructure and strategies. Additionally, outreach has been made to multiple victims we’ve identified during our comprehensive research, offering critical insights and guidance to enhance their security postures.

Executive Summary

Hunters’ Team AXON has uncovered and is actively monitoring an ongoing threat campaign dubbed “VEILDrive.” The investigation commenced in September 2024, triggered by a response to an attack on a critical infrastructure entity in the United States. VEILDrive employs Microsoft’s SaaS suite—especially Teams, SharePoint, Quick Assist, and OneDrive—to execute its tactics, diverging significantly from traditional threat patterns. Notably, the threat actor’s innovative use of a OneDrive-based Command & Control (C&C) method embedded in Java-based malware poses a serious risk to affected environments.

The malware associated with VEILDrive is a Java-based .jar file that notably lacks obfuscation, making it uniquely readable and well-structured. Despite this apparent transparency, the malware eluded detection by a top-tier Endpoint Detection and Response (EDR) tool, as well as all security engines in VirusTotal, showcasing a critical vulnerability in existing detection mechanisms. This investigation highlights an urgent need for enhanced detection strategies that are capable of identifying even the most straightforward coding structures in high-risk environments. The report aims to provide valuable insights into VEILDrive’s methodologies, the shortcomings of current detection approaches, and equip the cybersecurity community with the necessary tools to combat these evolving threats.

Background

Beginning in September 2024, Team AXON responded to a significant incident targeting a critical infrastructure company in the United States. This deep dive revealed a unique threat campaign, “VEILDrive,” distinguished by its innovative tactics, techniques, and procedures (TTPs) that markedly differed from conventional attack patterns. Notably, VEILDrive’s malware incorporated a novel OneDrive-based Command & Control (C&C) method systematically integrated into Java-based malware deployed on compromised devices.

The malware, identified as a .jar file, showcased two striking features that set it apart from typical attack code: a lack of obfuscation and structured coding, which often confounds detection systems. Despite its deceptively simple design, it successfully bypassed security protocols, going unnoticed by both the top-tier Endpoint Detection and Response tools in the victim’s environment, as well as all VirusTotal engines. Such statistics emphasize the unpredictability of current detection strategies and underline the necessity for continuous vigilance against less conventional attack methodologies.

Team AXON has diligently reported its findings to Microsoft and other impacted organizations, providing actionable intelligence that can help mitigate this ongoing threat.

The VEILDrive Attack Path

In early September 2024, one of Hunters’ customers, referred to as “Org C,” sought Team AXON’s expertise in navigating an active incident. The case centered around a specific device within Org C that had been compromised through social engineering tactics. An alert was triggered by a suspiciously created scheduled task on one employee’s device, leading to further investigation.

The sequence of events unfolded as follows:

Step 1

  • Multiple “MessageSent” and “ChatCreated” events were identified, all originating from the previously compromised user of Org A, owned by the threat actor.
  • Only one “MemberAdded” event was identified, targeting the compromised user of Org A.
  • This specific “MemberAdded” event occurred through the only account that accepted the threat actor’s access request, which led to the creation of a one-on-one chat.
  • Detailed data from the organization’s EDR telemetry confirmed that the user accepted the request and unwittingly granted the attacker initial access via successful social engineering.

The aforementioned insights not only underscore the increasingly prevalent phishing attempts using Microsoft Teams and similar platforms but also highlight the crucial role of monitoring M365 audit logs and correlating them with EDR logs in investigations.

Step 2

The attacker successfully lured the Org C victim to execute Microsoft’s Quick Assist tool, providing them with an access code via Microsoft Teams, leading to interactive control over the victim’s computer.

Step 3

The attacker sent a malicious URL via Microsoft Teams, directing the victim to Org B’s SharePoint, where malware files awaited to be downloaded.

Step 4

Subsequent attempts were made by the attacker to conduct manual malicious operations via remote access. These targeted persistence efforts included creating scheduled tasks to ensure repeated execution of one of the attacker-downloaded files—a remote management tool named LiteManager.

Step 5

Following these actions, the actor proceeded to manually download another .zip file named Cliento.zip. Links for this download were also shared in chats between the victim and the threat actor, with the .zip file containing the main .JAR malware and the Java Development Kit necessary for execution.

Step 6

Subsequently, the threat actor executed the .JAR malware utilizing a specific command related to the path where the downloaded files were stored.

Step 7

Numerous network activities and command executions associated with the malicious .JAR file were documented, including:

  • Multiple outgoing DNS Requests and network activity linked to safeshift390-my.sharepoint.com, graph.microsoft.com, and login.microsoftonline.com.
  • Execution of local enumeration commands to gather system specs, time information, and USB device enumeration.

Step 8

The attacker established a registry run key for the persistent execution of the Java malware, creating a long-term backdoor into the compromised environment.

Fortunately, the containment and eradication process for this incident was both rapid and effective; forensic evidence indicated no substantial damage occurred to the victim’s host or organization. Significantly, the attack flow illustrated the attacker’s utilization of commonly employed Microsoft services to obfuscate their actions and facilitate easier access.

Below is a summary of the Microsoft services leveraged by the threat actor:

Service Tenant Purpose
Microsoft Teams From Org A to Org C Spear Phishing Messages to lure the victim into executing the remote management tool.
Quick Assist Org C Threat actor sends Quick Assist code via Teams message to gain initial remote control.
SharePoint From Org B to Org C Malicious files hosted in Org B’s SharePoint tenant were shared with Org C.
Graph API From Org C to N/A Indications of malicious access to Microsoft Graph initiated by the malicious Cliento.jar.

At this stage, we identified the four Microsoft services/apps involved in this campaign. Although the intent behind the Graph API usage remained ambiguous, several hypotheses emerged during our ongoing incident response efforts. To gain clarity on the Cliento.jar malware and its workings within OneDrive/SharePoint, we proceeded with a detailed analysis of the malware’s behavior.

“ODC2” Java Malware – OneDrive as Command & Control

The investigation employed a Java Decompiler, “JDGUI,” to examine the Client.jar malware, now referred to as “ODC2.” Initial examinations revealed correlations with observed PowerShell executions from the incident investigation, particularly referencing the included “jPowerShell” Java package—a PowerShell wrapper for Java. Additional packages, such as “commands,” “connection,” “launcher,” and “connect,” provided insights into the malware’s structural design.

Further scrutiny of the Main.class within the “launcher” package exposed hard-coded credentials utilized by the malware, which was particularly alarming. This analysis likely aligns with the earlier indications that the malware conducted “on-behalf” authentications to Entra ID while utilizing the hard-coded refresh token alongside the corresponding client ID and client secret for access permissions across specific OneDrive accounts claimed by the actor.

As the malware executes its functions, the “odRun” method initializes connections to various critical IP addresses, likely indicating the attacker’s infrastructure. One notable IP, associated with Azure, raises questions about its broader implications in connections established through OneDrive.

HTTPS Socket C2

Digging deeper into the malware’s functionality reveals that it routinely establishes and maintains a connection for command execution and data exchange. Utilizing this connection, the malware can receive commands and execute them using the jPowerShell wrapper, indicating a sophisticated level of command and control.

OneDrive Command & Control

Central to this malware’s functionality is its unique use of OneDrive for command and control activities, where critical system identifiers such as UUIDs play pivotal roles in identifying the unique compromised devices. In practice, the malware orchestrates a two-pronged approach for command and control via:

  • HTTPS Socket C2: Traditional command and control through a server located on Azure.
  • OneDrive-based C2: A more novel and complex mechanism whereby commands are relayed and executed based on interactions with designated OneDrive files.

Each method facilitates intricate communication and execution pathways, showcasing the depth of innovation embedded in this threat actor’s approach.

Microsoft Services/Apps as Attacker’s Infrastructure

Upon thorough analysis, it became evident that the VEILDrive attack intricately blended simplistic techniques with innovative tactics. One critical observation from our investigations was the extensive utilization of Microsoft infrastructure and services integrated throughout the campaign. Following a detailed malware analysis, we gained a clearer understanding of the attacker’s exploitation of various services and their specific purposes. Below is an expanded summary:

Service Tenant Purpose
Microsoft Teams From Org A to Org C Spear Phishing Messages aimed at luring users to execute the remote management tool.
Quick Assist Org C Facilitated initial remote control through Quick Assist code exchange via Teams chat.
SharePoint From Org B to Org C Malicious files were hosted and shared via the SharePoint tenant of Org B.
Azure VM Attacker’s infrastructure The malware utilized communication with an Azure Virtual Machine for HTTPS Socket C2 needs.
OneDrive (Graph API) Between Attacker’s OneDrive & Org C host(s) Used for remote command execution and file transfer capabilities targeting Org C hosts.
Azure AD App Registration Between Attacker’s OneDrive & Org C host(s) Application designated for authentication on behalf of Azure AD user accounts owned by the threat actor.

Continued surveillance of these activities and understanding the overarching attack strategies employed is crucial in ensuring robust defenses against future threats.

Indicators of Compromise (IOCs)

Based on analytical findings, several Entra ID tenants and application client IDs utilized by the attacker have been identified:

  • Known Entra ID tenants:
    • C5f077f6-5f7e-41a3-8354-8e31d50ee4d
    • 893e5862-3e08-434b-9067-3289bec85f7d
  • Known application client IDs:
    • B686e964-b479-4ff5-bef6-e360321a9b65
    • 2c73cab1-a8ee-4073-96fd-38245d976882
  • Entra ID tenants linked to the attacker (monitor for DNS requests to these domains):
    • SafeShift390[.]onmicrosoft[.]com
    • GreenGuard036[.]onmicrosoft[.]com
  • File IOCs (SHA256) discovered during the investigation:
    • ROMServer.exe: a515634efa79685970e0930332233aee74ec95aed94271e674445712549dd254
    • HookDrv.dll: 1040aede16d944be8831518c68edb14ccbf255feae3ea200c9401186f62d2cc4
    • ROMFUSClient.exe: 7f61ff9dc6bea9dee11edfbc641550015270b2e8230b6196e3e9e354ff39da0e
    • AledensoftIpcServer.dll: d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
    • ROMwln.dll: 7f33398b98e225f56cd287060beff6773abb92404afc21436b0a20124919fe05
  • Additional IP addresses of interest:
    • 40.90.196[.]221
    • 40.90.196[.]228
    • 38.180.136[.]85
    • 213.87.86[.]192

Hunting Queries

In conjunction with the IOCs highlighted above, we have developed multiple threat-hunting queries designed to detect malicious attacks originating from the same actor or sharing comparable characteristics and TTPs. The recommended time frame for hunting concerning VEILDrive extends back to July 2024.

HUNTING QUERY 1: Javaw Spawning Powershell with Specific Flags – Unusual Behavior

This query aims to uncover suspicious instances where Powershell is spawned by javaw.exe with specific command line flags historically used by the threat actor.

SELECT EVENT_TIME,
       AGENT_ID,
       PARENT_PROCESS_NAME,
       PARENT_PROCESS_COMMANDLINE,
       INITIATING_PROCESS_NAME,
       INITIATING_PROCESS_COMMANDLINE,
       TARGET_PROCESS_NAME,
       TARGET_PROCESS_COMMANDLINE,
       TARGET_PROCESS_OS_PID
  FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
 WHERE 1=1
   AND PARENT_PROCESS_NAME ILIKE '%javaw%'
   AND INITIATING_PROCESS_NAME ILIKE '%cmd%'
   AND TARGET_PROCESS_NAME ILIKE '%powershell%'
   AND TARGET_PROCESS_COMMANDLINE ILIKE 'powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile %'
   AND EVENT_TIME > current_timestamp - interval '60d'

HUNTING QUERY 2: ROM Tool Persistence via Scheduled Tasks

This query will identify any instances of scheduled tasks linked to the execution of a ROM tool utilized by the actor for persistence.

SELECT EVENT_TIME                   AS EVENT_TIME,
       AID                          AS AGENT_ID,
       CID                          AS COMPUTER_ID,
       EVENT_SIMPLE_NAME            AS EVENT_NAME,
       RAW:TaskName                 AS TASK_NAME,
       RAW:TaskExecCommand          AS TASK_EXEC_COMMAND,
       RAW:TaskAuthor               AS TASK_AUTHOR,
       RAW:UserName                 AS USER_NAME
  --- Adjust according to your EDR of choice
  FROM RAW.CROWDSTRIKE_RAW_EVENTS
 WHERE EVENT_SIMPLE_NAME = 'ScheduledTaskRegistered'
  AND TASK_EXEC_COMMAND ILIKE '%romserver%'
  AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'

HUNTING QUERY 3: Non-Organizational Users Sharing Links to Third-Party Sharepoint Domains via Microsoft Teams

This query aims to uncover instances of SharePoint links shared in Teams chats when the domain of those links is not associated with any chat participants—indicative of potential phishing attempts.

SET YOUR_ORGANIZATION_NAME = 'hunters';

SELECT EVENT_TIME,
      ORGANIZATION_ID                                          AS ORG_ID,
      OPERATION                                                AS EVENT_TYPE,
      SPLIT_PART(LOWER(SPLIT_PART(USER_ID, '@', 2)), '.', 1)   AS SENDER_ORG_DOMAIN,
      RECORD_SPECIFIC_DETAILS:message_ur_ls                    AS MESSAGE_URLS,
      WORKLOAD                                                 AS WORKLOAD,
      USER_ID                                                  AS USER_ID,
      RECORD_SPECIFIC_DETAILS:chat_thread_id                   AS CHAT_THREAD_ID,
      RECORD_SPECIFIC_DETAILS:communication_type               AS COMMUNICATION_TYPE,
      RECORD_SPECIFIC_DETAILS:members[0].DisplayName           AS MEMBER_DISPLAY_NAME,
      RECORD_SPECIFIC_DETAILS:members[0].UPN                   AS MEMBER_UPN,
      RECORD_SPECIFIC_DETAILS:members[0]                       AS MEMBERS,
      RECORD_SPECIFIC_DETAILS:resource_tenant_id               AS RESOURCE_TENANT_ID,
      RECORD_SPECIFIC_DETAILS
FROM RAW.O365_AUDIT_LOGS
WHERE NOT USER_ID ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
 AND (NOT (MESSAGE_URLS ILIKE '%' || SENDER_ORG_DOMAIN || '%') AND MESSAGE_URLS ILIKE '%sharepoint%')
 AND NOT MESSAGE_URLS ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
 AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'

HUNTING QUERY 4: Microsoft Teams – Phishing Detection – Multiple DM’s from Non-Common Domains

This query detects messages sent in one-on-one chats by external users from non-familiar domains, filtering extensively used domains based on historical data.

SET YOUR_DOMAIN_NAME = 'hunters';

WITH COMMONLY_USED_DOMAINS AS (
   SELECT LOWER(SPLIT_PART(USER_ID , '@', 2))                      AS DOMAIN_COMMONLY_USED,
          MIN(EVENT_TIME)                  AS MIN_EVENT_TIME,
          MAX(EVENT_TIME)                  AS MAX_EVENT_TIME,
          ARRAY_AGG(DISTINCT OPERATION)    AS OPERATIONS,
          COUNT(*)                         AS COUNTER
   FROM RAW.O365_AUDIT_LOGS
   WHERE WORKLOAD IN ('MicrosoftTeams', 'OneDrive')
     AND EVENT_TIME > CURRENT_TIMESTAMP - interval '90d'
     AND USER_ID ILIKE '%@%'
   GROUP BY DOMAIN_COMMONLY_USED
   HAVING COUNTER > 20
),
LATEST_EXTERNAL_DOMAINS AS (
        SELECT USER_ID                                                              AS LATEST_EXT_USERS,
               LOWER(SPLIT_PART(USER_ID , '@', 2))                                  AS USER_DOMAIN,
               MIN(EVENT_TIME)                                                      AS MIN_EVENT_TIME,
               MAX(EVENT_TIME)                                                      AS MAX_EVENT_TIME,
               ARRAY_AGG(DISTINCT OPERATION)                                        AS OPERATIONS,
               ARRAY_AGG(DISTINCT RECORD_SPECIFIC_DETAILS:communication_type)       AS COMMUNICATION_TYPE,
               COUNT(*)                                                             AS COUNTER
        FROM RAW.O365_AUDIT_LOGS
        WHERE EVENT_TIME > CURRENT_TIMESTAMP - interval '50d'
          AND NOT USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
          AND NOT USER_ID IN ('app@sharepoint')
          AND USER_ID ILIKE '%@%'
          AND USER_DOMAIN NOT IN (SELECT DISTINCT DOMAIN_COMMONLY_USED FROM COMMONLY_USED_DOMAINS)
          AND OPERATION IN ('MemberAdded', 'ChatCreated')
          AND RECORD_SPECIFIC_DETAILS:communication_type="OneOnOne"
        GROUP BY USER_ID
        HAVING COUNT(*) > 5
    )

SELECT EVENT_TIME,
      ORGANIZATION_ID                                          AS ORG_ID,
      WORKLOAD                                                 AS WORKLOAD,
      OPERATION                                                AS OPERATION,
      USER_ID                                                  AS USER_ID,
      LOWER(SPLIT_PART(USER_ID , '@', 2))                      AS USER_DOMAIN,
      RECORD_SPECIFIC_DETAILS:chat_thread_id                   AS CHAT_THREAD_ID,
      RECORD_SPECIFIC_DETAILS:communication_type               AS COMMUNICATION_TYPE,
      RECORD_SPECIFIC_DETAILS:members[0].DisplayName           AS MEMBER_DISPLAY_NAME_0,
      RECORD_SPECIFIC_DETAILS:members[0].UPN                   AS MEMBER_UPN_0,
      RECORD_SPECIFIC_DETAILS:members[0]                       AS MEMBERS_0,
      RECORD_SPECIFIC_DETAILS:members[1].DisplayName           AS MEMBER_DISPLAY_NAME_2,
      RECORD_SPECIFIC_DETAILS:members[1].UPN                   AS MEMBER_UPN_2,
      RECORD_SPECIFIC_DETAILS:members[1]                       AS MEMBERS_2,
      RECORD_SPECIFIC_DETAILS:resource_tenant_id               AS RESOURCE_TENANT_ID,
      RECORD_SPECIFIC_DETAILS,
      RAW:ClientIP                                             AS CLIENT_IP
FROM RAW.O365_AUDIT_LOGS
WHERE 1=1
 AND RECORD_SPECIFIC_DETAILS:communication_type="OneOnOne"
 AND (
   RECORD_SPECIFIC_DETAILS:members[0].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
       OR RECORD_SPECIFIC_DETAILS:members[1].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
   )
 AND USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
 AND OPERATION = 'MemberAdded'
 AND EVENT_TIME > CURRENT_TIMESTAMP - interval '50d';

The logic behind the above queries depicts the essence of proactive monitoring, aiming to underline potential vulnerabilities posed by evolving threats.

Hygiene Nuggets

To diminish the risk of successful phishing attacks through Microsoft Teams and associated platforms, consider the following strategic actions:

  • By default, Microsoft Teams allows “External Access,” enabling one-on-one chats with external contacts. If this feature is not essential, consider disabling it to minimize risk.
  • In cases where external communication is necessary, enforce strict limitations to only trusted domains.
  • Restrict external participant access to only select, high-privileged users to manage communications effectively.

As cybercriminals increasingly exploit remote administration tools, organizations must make clear distinctions between legitimate and potentially harmful applications. Recommended practices include:

  • Limit remote administration tools to a whitelist of applications strictly necessary for business purposes. If Quick Assist is deemed excessive, consider placing it under restriction.
  • Maintain vigilant tracking of commonly used remote management tools, monitoring for any unauthorized usage.

Furthermore, enhancing security awareness training is essential in combatting cyber threats, emphasizing the rising instances of IT impersonation occurring via communication platforms. Employees should be informed promptly, equipping them with the knowledge to handle potential incidents appropriately.

Conclusion

VEILDrive intricately combines simplicity and sophistication, demonstrating the skillful amalgamation of classic command and control characteristics alongside innovative OneDrive-based communication methodologies. Through attentive observation, we can glean valuable insights into how this threat actor operates and which services are most susceptible to exploitation.

As it stands, the confluence of OneDrive exploitation and spear-phishing campaigns on platforms like Microsoft Teams is a concerning trend that organizations must remain vigilant against. The implementation of comprehensive hygiene and posture measures will play a critical role in defending against these evolving threats. Ultimately, continued monitoring and proactive threat-hunting measures are strongly advised as these trends will likely persist and likely expand in scope.

For ongoing updates regarding threat-hunting research, activities, and queries, we encourage following Team AXON’s X/Twitter account (@team__axon).

Itimate ⁢and potentially malicious ‍external communications. Here are ‌additional best ⁣practices​ to ​enhance your organization’s⁢ security posture:

###⁢ Additional Best ⁣Practices

1. **Regularly Audit External Communications:**

⁤ – Conduct routine audits of external ​communications to identify any anomalous or unauthorized interactions with external users.

​- Use ⁣logging​ and monitoring tools​ to gain visibility into⁤ interactions that take place through Microsoft Teams and related platforms.

2. **Implement Two-Factor Authentication⁢ (2FA):**

– Require two-factor authentication for users accessing Microsoft Teams, especially for those ⁤with administrative privileges or access to sensitive data. This adds an additional layer of security, making it harder for unauthorized users ⁣to gain access.

3. **User Education and Awareness:**

– Conduct training sessions for employees about the‌ risks related to phishing and social engineering attacks, focusing on recognizing suspicious external communications.

⁣ – Encourage users to report any unusual activity⁣ or messages they might receive, fostering a culture of security awareness.

4. **Review and ‍Update Security Policies:**

– Regularly review and update your organization’s security policies regarding ⁢external communications ​and data sharing.

– Clearly define acceptable use and establish consequences for violating security protocols.

5. **Limit Meeting Invitations:**

– Set policies⁤ that allow ​meeting invites only to verified users from ​trusted domains, thereby minimizing the risk of⁣ unwanted participants joining⁣ sensitive discussions.

6. **Endpoint Security:**

⁢ – Ensure that all⁣ endpoints accessing Microsoft Teams and other corporate resources have up-to-date security measures in place, including antivirus, anti-malware, and encryption.

7. **Integration with Other Security Tools:**

‌ – Leverage security⁤ tools that can integrate with Microsoft Teams to provide real-time ‌alerting and analysis of communication patterns that may indicate a threat.

By‌ implementing ⁣these measures, organizations can significantly‍ reduce their exposure to external threats, streamline their communication protocols, and enhance their overall security strategy in the digital ​workspace.

Leave a Replay