Boztek

VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

The article discusses an ongoing cyber threat campaign known as VEILDrive, which leverages legitimate Microsoft services, including Teams, SharePoint, Quick Assist, and OneDrive, to conduct attacks. The Israeli cybersecurity company Hunters identified this campaign in September 2024, linked to a cyber incident affecting a critical infrastructure organization (referred to as “Org C”) in the United States. The attack is believed to have started a month earlier and is characterized by its cloud-centric approach, which allows the threat actor to bypass traditional monitoring systems.

Hunters’ report reveals that the attackers sent spoofed Teams messages to four employees of Org C, impersonating an IT team member and soliciting remote access through Quick Assist. Notably, the attacker used a legitimate user account from a previous victim (referred to as “Org A”), rather than creating a new one, which highlights a sophisticated and deceptive infiltration method. Microsoft Teams’ “External Access” feature facilitated this interaction, as it permits communications across organizations by default.

Following this initial compromise, the attacker shared a SharePoint link to a ZIP archive named “Client_v8.16L.zip,” which was hosted on a different tenant (referred to as “Org B”). This ZIP archive included LiteManager, a remote access tool, among other files. Access through Quick Assist enabled the attacker to establish scheduled tasks on the compromised system to execute the LiteManager RMM software.

Additionally, the threat actor utilized a similar method to download another ZIP file named “Cliento.zip,” which contained a Java archive (JAR) file that executed malware, along with the entire Java Development Kit (JDK). This malware is designed to connect to an adversary-controlled OneDrive account using hard-coded Entra ID credentials, functioning as a command-and-control (C2) mechanism to retrieve and execute PowerShell commands via the Microsoft Graph API.

The malware features a fallback mechanism that establishes an HTTPS socket connection to a remote Azure virtual machine for command execution. This incident is not unprecedented; earlier in May, Microsoft reported similar misuse of Quick Assist by a financially motivated group called Storm-1811, which also exploited the program to gain unauthorized access and deploy Black Basta ransomware.
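The chain described above (a Quick Assist session, then a scheduled task that runs LiteManager, then a Java process beaconing to the Microsoft Graph API) can be correlated per host from endpoint telemetry. The following is an added detection example, not code from Hunters’ report or from the campaign; the event schema, the `QuickAssist.exe` image name, the six-hour window and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical, simplified endpoint event schema (not any vendor's real format).
@dataclass
class Event:
    host: str
    ts: int            # seconds since epoch
    kind: str          # "process", "task" (scheduled-task creation) or "network"
    image: str = ""    # image of the started or initiating process
    cmdline: str = ""  # command line or scheduled-task action
    remote: str = ""   # remote hostname for network events

# Stages of the chain, in the order the article describes them.
ORDER = ["quick_assist", "rmm_task", "graph_c2"]
WINDOW = 6 * 3600  # assumption: all three stages land within six hours

def stage_of(e: Event):
    """Map one event to a chain stage, or None if it is not of interest."""
    img, cmd = e.image.lower(), e.cmdline.lower()
    if e.kind == "process" and img == "quickassist.exe":  # image name is an assumption
        return "quick_assist"
    if e.kind == "task" and "litemanager" in cmd:         # task action runs LiteManager
        return "rmm_task"
    if (e.kind == "network" and img in ("java.exe", "javaw.exe")
            and e.remote.lower() == "graph.microsoft.com"):  # JAR polling OneDrive via Graph
        return "graph_c2"
    return None

def correlate(events):
    """Return {host: seconds from Quick Assist start to first Graph beacon} for every
    host on which all stages occur in order within WINDOW; partial chains are ignored."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        s = stage_of(e)
        if s is not None:
            per_host[e.host].append((s, e.ts))
    hits = {}
    for host, stages in per_host.items():
        idx, first_ts = 0, None
        for s, ts in stages:
            if s != ORDER[idx] or (first_ts is not None and ts - first_ts > WINDOW):
                continue                      # wrong stage, or outside the window
            first_ts = ts if first_ts is None else first_ts
            idx += 1
            if idx == len(ORDER):
                hits[host] = ts - first_ts
                break
    return hits

# Constructed sample telemetry: one full chain, one incomplete one (no RMM task).
SAMPLE_EVENTS = [
    Event("WS-ORGC-01", 1000, "process", image="QuickAssist.exe"),
    Event("WS-ORGC-01", 1600, "task", cmdline=r"C:\Users\u\Downloads\Client_v8.16L\LiteManager.exe"),
    Event("WS-ORGC-01", 3000, "network", image="java.exe", remote="graph.microsoft.com"),
    Event("WS-ORGC-02", 1200, "process", image="QuickAssist.exe"),
    Event("WS-ORGC-02", 1500, "network", image="java.exe", remote="graph.microsoft.com"),
]
```

Each individual stage is also worth a lower-severity alert on its own, since a Quick Assist session followed by a new scheduled task is unusual even without the Graph beacon.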

This misuse underscores a troubling trend where legitimate file-sharing services, including SharePoint and OneDrive, are being abused for malicious purposes. Hunters emphasized that this SaaS-dependent strategy complicates real-time detection by circumventing conventional defenses. The malware’s construction is particularly striking; it shows no obfuscation and adheres to a clear coding structure, which defies the usual evasive design seen in malware.

Overall, the VEILDrive campaign illustrates the evolving tactics of cybercriminals who exploit legitimate services to conduct attacks, raising significant concerns regarding the security of SaaS platforms and the necessity for enhanced detection capabilities. The report calls attention to the need for organizations to remain vigilant and proactive in defending against such sophisticated threats.