Introduction

The VEILDrive campaign represents a sophisticated cyber threat that exploits legitimate Microsoft services to conduct spear-phishing attacks and distribute malware, effectively evading traditional detection systems [3]. This campaign, identified by the Israeli cybersecurity firm Hunters, highlights the increasing trend of leveraging trusted platforms for malicious activities.

Description

An ongoing threat campaign known as VEILDrive exploits legitimate Microsoft services [4] [5] [6], including Teams [4] [6], SharePoint [1] [2] [3] [4] [5] [6], Quick Assist [1] [2] [4] [5] [6], and OneDrive [1] [3] [4] [5] [6], to conduct spear-phishing attacks and distribute malware while evading traditional detection systems. Discovered by Israeli cybersecurity company Hunters in September 2024 [4], the campaign is believed to have commenced a month earlier, following a cyber incident involving a critical infrastructure organization in the United States [4] [6], referred to as “Org C.” The attack culminated in the deployment of Java-based malware that utilizes OneDrive for command-and-control (C2) operations [4] [6].

VEILDrive employs a sophisticated approach to cloud-based attacks [2], leveraging multiple Microsoft products to move through successive stages of the ATT&CK chain [2]. The threat actor impersonated an IT staff member [4] [6], sending Microsoft Teams messages to employees of Org C to request remote access via Quick Assist [4] [6]. Notably, this initial compromise used a user account belonging to a previous victim organization, “Org A,” rather than a newly created account [4] [6]. The attacker also used infrastructure from another compromised organization, referred to as “Org B,” to share a SharePoint link leading to a ZIP file that contained the remote access tool LiteManager [6]; the file was hosted on that victim's SharePoint servers.

The remote access gained through Quick Assist enabled the attacker to create scheduled tasks for executing LiteManager [4] [6]. Additionally, a second ZIP file was downloaded [6], containing a Java archive (JAR) and the Java Development Kit (JDK) necessary for its execution [4] [6]. This malware connects to an adversary-controlled OneDrive account using hard-coded Entra ID credentials [4] [6], employing the Microsoft Graph API to fetch and execute PowerShell commands on the infected system. It also includes a fallback mechanism that establishes an HTTPS socket to a remote Azure virtual machine for command execution [4] [6].
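The chain described above (Quick Assist session, scheduled task for the remote access tool, then a Java process polling OneDrive through the Graph API) can be correlated from endpoint telemetry. The following is an added detection example, not code from the article or from Hunters; the event schema, host names, timestamps and command lines are constructed assumptions, and the list of processes for which Graph traffic is considered routine is an assumption to tune per environment.

```python
from datetime import datetime, timedelta

# Constructed telemetry for this example; field names and values are assumptions,
# not a real EDR schema and not indicators taken from the campaign.
EVENTS = [
    {"ts": "2024-08-20T09:00:00", "host": "ws01", "type": "process",
     "image": "QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"ts": "2024-08-20T09:12:00", "host": "ws01", "type": "process",
     "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Maint /tr C:\\Tools\\litemanager.exe"},
    {"ts": "2024-08-20T09:40:00", "host": "ws01", "type": "network",
     "image": "java.exe", "dest": "graph.microsoft.com"},
    {"ts": "2024-08-20T10:00:00", "host": "ws02", "type": "network",
     "image": "msedge.exe", "dest": "graph.microsoft.com"},
]

# Processes for which Graph API traffic is routine (assumed baseline; tune per environment).
EXPECTED_GRAPH_CLIENTS = {"msedge.exe", "chrome.exe", "teams.exe", "outlook.exe", "onedrive.exe"}

def _t(event):
    return datetime.fromisoformat(event["ts"])

def unexpected_graph_clients(events):
    """Network events to graph.microsoft.com from processes that normally have no
    reason to call the Graph API (the VEILDrive JAR ran under java.exe)."""
    return [e for e in events
            if e["type"] == "network" and e.get("dest") == "graph.microsoft.com"
            and e["image"].lower() not in EXPECTED_GRAPH_CLIENTS]

def find_veildrive_chains(events, window=timedelta(hours=2)):
    """Per host: a Quick Assist launch, then a scheduled task created within
    `window`, then an unexpected Graph client within `window` of that task."""
    hits, by_host = [], {}
    for e in sorted(events, key=_t):
        by_host.setdefault(e["host"], []).append(e)
    suspicious = {id(e) for e in unexpected_graph_clients(events)}
    for host, evs in by_host.items():
        for qa in (e for e in evs if e["type"] == "process"
                   and e["image"].lower() == "quickassist.exe"):
            tasks = [e for e in evs if e["type"] == "process"
                     and e["image"].lower() == "schtasks.exe"
                     and "/create" in e.get("cmdline", "").lower()
                     and _t(qa) < _t(e) <= _t(qa) + window]
            for task in tasks:
                c2 = [e for e in evs if id(e) in suspicious
                      and _t(task) < _t(e) <= _t(task) + window]
                if c2:
                    hits.append({"host": host, "quick_assist": qa["ts"],
                                 "task": task["ts"], "c2": c2[0]["ts"]})
    return hits
```

Each stage on its own is noisy (help-desk staff use Quick Assist, browsers call Graph), so the value is in the ordered correlation on one host; the standalone Graph check is still worth surfacing at lower severity.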

This cloud-centric strategy complicates real-time detection and bypasses conventional defenses [4]. The malware is characterized by its lack of obfuscation and well-structured code [6], making it unusually readable [4] [6]. The use of legitimate file hosting services like SharePoint and OneDrive for evading detection has been noted in recent campaigns [6], highlighting a concerning trend in the exploitation of Microsoft services. Furthermore, the method of exploiting Quick Assist is not new; a previous incident involved the Storm-1811 group misusing the tool to deploy Black Basta ransomware [6], raising alarms about the potential for similar tactics in future attacks.

Conclusion

The VEILDrive campaign underscores the vulnerabilities inherent in trusted platforms, emphasizing the need for enhanced security measures and vigilance. Organizations must adopt robust cybersecurity strategies, including user education and advanced threat detection systems, to mitigate such threats. As cyber attackers continue to exploit legitimate services, the development of innovative defense mechanisms becomes imperative to safeguard critical infrastructure and sensitive data.

References

[1] https://www.techidee.nl/veildrive-attack-maakt-gebruik-van-microsoft-services-om-detectie-te-omzeilen-en-malware-te-verspreiden/16135/
[2] https://www.detectionengineering.net/p/det-eng-weekly-92-2-weeks-2-tangos
[3] https://thenimblenerd.com/article/microsofts-saas-the-new-playground-for-cyber-shenanigans/
[4] https://thehackernews.com/2024/11/veildrive-attack-exploits-microsoft.html
[5] https://cyber.vumetric.com/security-news/2024/11/06/veildrive-attack-exploits-microsoft-services-to-evade-detection-and-distribute-malware/
[6] https://www.ihash.eu/2024/11/veildrive-attack-exploits-microsoft-services-to-evade-detection-and-distribute-malware/