GraphWorm Malware Uses Microsoft OneDrive as Command-and-Control Infrastructure
Overview:
GraphWorm is a malware family that uses Microsoft OneDrive as its command-and-control (C2) channel. Because OneDrive traffic is ubiquitous and expected in corporate environments, the operators can maintain access, exfiltrate data and stage payloads while their traffic blends in with legitimate cloud-storage use rather than standing out as a connection to attacker-owned infrastructure.
Key Features:
- Persistence Mechanism: GraphWorm survives reboots by creating scheduled tasks and registry entries on the compromised host.
- Data Exfiltration: The malware stores and retrieves its configuration files in OneDrive and uses the same storage to exfiltrate sensitive data from compromised systems.
- Payload Delivery: The same OneDrive channel is used to deliver additional payloads and to update existing malware components.
Malware Components:
GraphWorm includes several key components that work together to achieve its objectives:
- SearchApp.exe (Win/Agent.KBuf): Establishes initial persistence and sets up the communication channel with the C2 server. The filename is shared with the legitimate Windows Search binary, so the binary's path, not its name, is the useful indicator.
- ssh.exe (Win/Hack Tool/Proxy.WQ): Used as a proxy to relay commands and data between the compromised system and the attacker's infrastructure. The name likewise matches the Windows OpenSSH client, so hunt on location and command line rather than on name.
- svc.exe
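A practical way to hunt for this behaviour is to look at which processes are talking to OneDrive and Microsoft Graph endpoints, flagging anything that is not a known OneDrive client, and separately flagging binaries whose name matches a Windows component (SearchApp.exe, ssh.exe) but whose path does not. The following is an added example written for this page, not code from the article or from the GraphWorm analysis it summarises. The events are constructed to resemble Sysmon Event ID 3 (network connection) fields, and the allowlist of expected OneDrive clients, the endpoint list and the legitimate-path table are assumptions to be tuned per environment; the `hunt` function and `Finding` type are names chosen here.

```python
"""Hunt for unexpected processes contacting OneDrive / Microsoft Graph.

Added example, not code from the article. Sample events are constructed;
the allowlists below are assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Cloud-storage endpoints a OneDrive-backed C2 has to reach (assumption: extend per tenant).
ONEDRIVE_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}
ONEDRIVE_SUFFIXES = ("-my.sharepoint.com", ".files.1drv.com")

# Processes that are expected to talk to OneDrive (assumption: tune per estate).
EXPECTED_CLIENTS = {"onedrive.exe", "msedge.exe", "outlook.exe", "teams.exe"}

# Where Windows ships the binaries whose names GraphWorm components share.
# A copy running from anywhere else is a masquerade candidate.
KNOWN_PATHS = {
    "searchapp.exe": r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe",
    "ssh.exe": r"c:\windows\system32\openssh\ssh.exe",
}

# Constructed sample events in Sysmon Event ID 3 style (ProcessId, Image, DestinationHostname).
SAMPLE_EVENTS = r"""ProcessId,Image,DestinationHostname
4120,C:\Program Files\Microsoft OneDrive\OneDrive.exe,contoso-my.sharepoint.com
5288,C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe,www.bing.com
7731,C:\Users\Public\Libraries\SearchApp.exe,graph.microsoft.com
7802,C:\Windows\System32\OpenSSH\ssh.exe,graph.microsoft.com
8150,C:\ProgramData\Updater\svc.exe,api.onedrive.com
"""


@dataclass
class Finding:
    pid: int
    image: str
    host: str
    reason: str


def is_onedrive_host(host: str) -> bool:
    """True if the destination is a OneDrive / Graph endpoint."""
    h = host.lower()
    return h in ONEDRIVE_HOSTS or h.endswith(ONEDRIVE_SUFFIXES)


def hunt(events_csv: str) -> list:
    """Return findings for OneDrive-bound connections from suspicious processes."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        host = row["DestinationHostname"]
        if not is_onedrive_host(host):
            continue  # only cloud-storage traffic matters for this hunt
        image = row["Image"]
        name = image.rsplit("\\", 1)[-1].lower()
        pid = int(row["ProcessId"])
        known = KNOWN_PATHS.get(name)
        if known and image.lower() != known:
            # Name matches a Windows binary but it runs from the wrong place.
            findings.append(Finding(pid, image, host,
                                    "masquerading binary: name matches a Windows component, path does not"))
        elif name not in EXPECTED_CLIENTS:
            # Legitimately located or unknown binary that has no business talking to OneDrive.
            findings.append(Finding(pid, image, host,
                                    "unexpected process contacting OneDrive/Graph"))
    return findings


def run_sample() -> list:
    """Run the hunt over the constructed sample events."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"pid={f.pid} {f.image} -> {f.host}: {f.reason}")
```

On the sample data the legitimate OneDrive client is ignored, the real SearchApp.exe is ignored because it is not talking to OneDrive, and three events are flagged: the SearchApp.exe copy under C:\Users\Public, the genuine ssh.exe reaching Graph, and the unknown svc.exe. Feed it real Sysmon or EDR network events instead of `SAMPLE_EVENTS` to apply the same logic.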
Read the full article at Cyber Security News