By Hunters Team Axon

TL;DR

Executive Summary

Hunters’ Team AXON has uncovered and is actively monitoring an ongoing threat campaign dubbed "VEILDrive”. Initially discovered during an investigation of malicious activity in a customer's infrastructure, VEILDrive leverages Microsoft’s SaaS suite—particularly Teams, SharePoint, Quick Assist, and OneDrive—to execute its tactics. Uniquely, the threat actor utilizes a OneDrive-based Command & Control (C&C) method embedded within custom malware that is deployed on compromised environments. Our analysis indicates a probable Russian origin for this campaign, and Team AXON has since alerted both Microsoft and impacted organizations to mitigate further exploitation.

Our research began in September 2024 following a response to an attack on a critical infrastructure entity in the United States. VEILDrive’s attack techniques diverge distinctly from typical threat behavior. They heavily rely on Microsoft’s SaaS infrastructure to distribute spear-phishing campaigns and store malicious software. This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses.

The malware associated with VEILDrive is a Java-based .jar file that notably lacks obfuscation, making it unusually readable and well-structured. Despite its simplicity, the malware evaded detection by a top-tier Endpoint Detection and Response (EDR) tool and all security engines in VirusTotal. This highlights a critical risk: even non-obfuscated, straightforward code can evade modern detection mechanisms, suggesting a broader need to revisit detection strategies in high-risk environments.

This report provides insights into VEILDrive's methodologies and the limitations of current detection approaches to better equip the cybersecurity community against evolving threats.

Background

In September 2024, Team AXON responded to an incident targeting a critical infrastructure company in the United States. This investigation revealed a unique threat campaign, "VEILDrive”, which displayed unusual tactics, techniques, and procedures (TTPs) that deviated significantly from those typically seen in similar incidents.

Based on our findings, we estimate that the VEILDrive campaign began in early August 2024 and remains active as of this report. Leveraging Microsoft SaaS services—including Teams, SharePoint, Quick Assist, and OneDrive—the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware. This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems.

Notably, VEILDrive introduced a novel OneDrive-based Command & Control (C&C) method embedded in Java-based malware deployed on compromised devices. The malware itself, a .jar file, exhibits two striking features:

These characteristics highlight that even without sophisticated evasion techniques, carefully crafted, non-obfuscated malware can evade modern defenses. This investigation underscores a gap in current detection strategies and emphasizes the need for vigilance against less conventional attack approaches.

Team AXON has shared its findings with Microsoft and impacted organizations, offering actionable intelligence to mitigate this ongoing threat.

The VEILDrive Attack Path

In early September 2024, one of Hunters' customers, referred to below as "Org C”, engaged Team AXON for support in handling an active incident. The case centered on a specific device within Org C that had been compromised via social engineering.

A suspiciously created scheduled task on an Org C employee’s device triggered an alert, prompting further investigation. By correlating logs and communicating with the affected user, the team clarified the method of initial access.

Below is an Attack Diagram that provides a high-level overview of the attack flow:

The sequence of events unfolded as follows:

Step 1

The malicious actor leveraged Microsoft Teams to message four selected employees at Org C, who, aside from being non-technical based on their roles, had no other apparent connection. The attacker impersonated an IT team member and requested access to each employee’s device via the Quick Assist remote utility tool.

Rather than using a newly created account for impersonation, the attacker utilized a compromised user account from a potential previous victim, referred to here as "Org A.”

M365 Audit Logs were used to identify the Microsoft Teams spear-phishing.

The above insight was both intriguing and valuable, highlighting the increasing prevalence of phishing through Microsoft Teams and similar communication tools. Distinguishing between successful and failed phishing attempts using M365 audit logs, alongside correlation with EDR logs, can be highly significant for investigations.

The Microsoft Teams messages received by the targeted users of Org C were made possible by Microsoft Teams’ “External Access” functionality, which allows One-on-One communication with any external organization by default.

Step 2

The attacker successfully lured the victim of Org C to execute Microsoft's Quick Assist tool and provided them with the access code via Microsoft Teams. This led to the threat actor's interactive access to the victim’s computer.

Step 3

The threat actor then shared a download link to the SharePoint of a separate organization (the victim belonged to a different tenant than the one used for phishing through Microsoft Teams chat, which we'll refer to as 'Org B'). This link contained a password-protected .zip file named Client_v8.16L.zip, which included various files, among them an additional RMM tool.

The file was downloaded, likely through interactive means, by the attacker—already equipped with remote access—operating under the context of explorer.exe, enabling them to click the link and download tools as needed.

It’s worth mentioning that during the investigation, we correlated M365 audit logs, which provided precise information about the incoming URLs in Microsoft Teams messages, with the EDR telemetry of the victim’s host to fully understand the attacker's TTPs.

Step 4

Multiple attempts were made to carry out manual malicious operations via remote access. These activities primarily involved persistence efforts, such as creating scheduled tasks to repeatedly execute one of the attacker-downloaded files—an RMM tool called LiteManager ("ROMServer.exe").

schtasks /Create /TN "Perfomance monitoring" /SC MINUTE /TR C:\ProgramData\500000003\ROMServer.exe

Step 5

Following the activities above, the actor manually downloads another .zip file named Cliento.zip.

As before, the link was shared in the chat between the victim user and the threat actor. This .zip file included the main .JAR malware as well as the entire Java Development Kit to execute the .JAR malware.

Step 6

The threat actor executed the .JAR malware using the following: C:\\ProgramData\\Cliento\\jdk-22_windows-x64_bin\\jdk-22.0.2\\bin\\javaw.exe -jar C:\\ProgramData\\Cliento\\Cliento.jar

Step 7

Multiple network activities and command executions were identified under the context of the malicious .JAR file, including:

The following screenshot shows the main parts of the process tree related to malicious activities:

Step 8

The attacker also added a malicious JAR binary as a runkey in the registry for persistent execution of the Java malware.

Command line:

Set-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"current\" -Value \"C:\\ProgramData\\Cliento\\jdk-22_windows-x64_bin\\jdk-22.0.2\\bin\\javaw.exe -jar C:\\ProgramData\\Cliento\\Cliento.jar\" -ErrorAction Stop"

The containment and eradication of this incident was very rapid and effective, and according to the forensics evidence we had, there was no indication that the attacker managed to cause any significant damage to the victim host and organization.

One key insight from the attack flow detailed above is that the attacker used different well-known and commonly used Microsoft services as part of his attack, both for hiding in plain sight and potentially also for their convenience.

Let’s quickly summarize the Microsoft services used by the threat actor by now using the following table:

Service

Tenant

Purpose

Microsoft Teams

From Org A to Org C

Spear Phishing Messages to lure the victim to download and execute the remote management tool

Quick Assist

Org C

The threat actor sends a Quick Assist code using a Microsoft Teams message to gain the initial remote control

SharePoint

From Org B to Org C

Malicious files are “hosted” in Org B's SharePoint tenant. Download links are shared with Org C via SharePoint messages and opened by the attacker using Quick Assist

Graph API

From Org C to N/A

We had indications of malicious access to Microsoft Graph (graph[.]microsoft[.]com) initiated by the malicious cliento.jar.

At this stage, we had identified the four Microsoft services/apps mentioned above. While we understood the purpose of the first three, the activity directed toward the Graph API remained unclear. We had several assumptions about its potential purpose, but in incident response, assumptions alone are not sufficient, are they?

To gather more information and better understand the .JAR malware 'Cliento.jar' in OneDrive/SharePoint - both to assess potential actions taken by the attacker and to gain insight into their intentions - we proceeded with a detailed analysis of the malware.

“ODC2” Java Malware - OneDrive as Command & Control

We used a Java Decompiler named “JDGUI” to decompile the Client.jar malware (we named “ODC2”).

Just from the initial high-level look at the malware, we could immediately correlate it with the PowerShell execution we saw in the incident investigation. This is due to the inclusion of the “jPowerShell” Java package - a PowerShell wrapper for Java.

In addition, we could see additional packages like “commands,” “connection,” “launcher,” “or connect,” etc. This provided us with a high-level understanding of the malware structure.

  1. We started with the Main.class under the “launcher“ package and found a set of hard-coded credentials used by the malware. This was a bit surprising for us, but very interesting.

By further analyzing the malware (as described in the detailed analysis below), we found that the malware used these credentials to conduct “on-behalf” authentication to Entra ID. To conduct this authentication, the hard-coded refresh token was used with the client ID and client Secret to request an access token.

The authentication allowed the malware to access the OneDrive of specific Entra ID users, in tenants supposedly owned by the actor, abusing this access for C2 purposes.

  1. In the main function of Main.class we can see the entry point itself, which includes multiple threads. It includes the execution of functions “odThread1” and “mainThread1“.

“odThread1” includes the execution of the Controller “odRun” function that gets the first set of hardcoded credentials (Refresh Token, etc.) for authentication.

HTTPS Socket C2

  1. By digging a bit deeper into the “mainThread1()“  which executes the “ctrl.run()” function, we can see that the run() function tries to create a connection and routinely checks if the connection is alive. It then tries to “parseCommand,” trimming irrelevant parts out of it.

  1. This “run” function uses “connect()” to setup/reset a connection. It creates a socket to the remote IP address we saw above - 40.90.196.228.

  2. This “run” function uses “CommandManager,” which includes different handlings for the different types of commands/capabilities this malware provides, including file transfer from client to server and from server to client, file compression, screenshots, closing network connections, and, of course, command execution.

It checks if the command received is empty or if an actual command was received from the C2 server.

  1. If a command is found, it parses it and executes it. The execution is basically under the context of PowerShell.

    The execution of the incoming command as a PowerShell command is being conducted using the jPowerShell wrapper we mentioned earlier.

OneDrive Command & Control

Before delving into the core of the OneDrive C2 functionality, it's important to note that critical parts of the malware's code rely heavily on three specific 'types' of OneDrive files: UUID, cf_UUID, and rf_UUID. As observed in our investigation, the command Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID was executed, revealing the UUID of the device hardware. This unique identifier serves to distinguish each victim in the VEILDrive campaign.

Each file type plays a distinct role in the malware’s operations. The following screenshot provides examples of these files and their primary roles in malware execution.

Let’s dive into the flow of the OneDrive C2 functionality and how those UUID files are being used in practice:

  1. In addition to the classic Remote Execution capabilities over PowerShell, the “odRun” function is responsible for another thread based on “OneDrive” as a communication channel. This is the unique part of this malware.

    The “odRun” as we see it, is probably named after “OneDrive” (OneDriveRun), and includes the creation of a OneDrive connection using the “Odconnect” function as a first step:

  1. As you can see, first the “machineUUID” string is set as an empty string. Followed by the execution of the “getMachineUUID()” function, which is, as its name suggests, gets the Machine UUID of the victim device:

  1. We can then see that the OneDrive connection is being conducted using the “OdConnect” function—the connection is being made to “login[.]microsoftonline[.]com“ for the creation/update of a set of new access tokens and refresh tokens.

  1. The “WriteFileToOneDrive” function is the next one that is being called, as long as there is no file named as the current victim machine UUID in the target computer, based on a check conducted by the “checkFile“ function.

  1. If there is no such file, the “writeFileToOneDrive()” gets into the game, and creates a file named as the current victim Computer UUID without any prefix.

  1. The next part of “odRun” is the “getFiles()” function that gets the content of the UUID.

OneDrive file that’s named by the machineUUID of the device (without prefixes).

To shortly summarize, this malware seems to have two different C2 channels it can work with:

Microsoft Services/Apps as Attacker's Infrastructure

At this point, it’s clear that this attack skillfully combined simple techniques with sophisticated, unique tactics. One standout feature from our initial investigation was the extensive use of Microsoft infrastructure and services integrated throughout the campaign.

After analyzing the malware and correlating the new information with our investigation insights, we gained a clearer understanding of the attacker’s use of various services and their purposes. We discovered that the utilization of Microsoft services and infrastructure was even more extensive than initially realized.

See the table below for a short summary:

Service

Tenant

Purpose

Microsoft Teams

From Org A to Org C

Spear Phishing Messages to lure the victim to download and execute a remote management tool

Quick Assist

Org C

The threat actor sends a Quick Assist code using a Microsoft Teams message to gain the initial remote control

SharePoint

From Org B to Org C

Malicious files are “hosted” in the SharePoint tenant of Org B. Download links are shared with Org C via SharePoint messages and opened by the attacker using Quick Assist

Azure VM

Attacker’s infrastructure

The malware communicated with an Azure Virtual Machine owned by the threat actor for HTTPS Socket C2 purposes

OneDrive (Graph API)

Between Attacker's OneDrive & Org C host(s)

The threat actor used OneDrive as an additional C2 channel, to get capabilities like remote execution of commands, taking screenshots, downloading/upload files, etc. targeting Org C host(s)

Azure AD App Registration

Between Attacker's OneDrive & Org C host(s

The application was used for authentication on behalf of an Azure AD user account owned by the actor, and access it’s OneDrive home folder

Indicators of Compromise  (IOCS)

Threat Hunting Queries

In addition to the specific IOCs mentioned above, we crafted multiple threat-hunting queries that can be used to detect attacks originated by the same actor, conducted under the same campaign, or sharing similar characteristics (TTPs)

Note: The recommended hunting timeframe for VEILDrive is from July 2024.

HUNTING QUERY 1: Javaw Spawning Powershell with Specific Flags - Unusual Behavior

HUNTING QUERY 2: ROM Tool Persistence via Scheduled Tasks

SET YOUR_ORGANIZATION_NAME = 'hunters';

SELECT EVENT_TIME,
      ORGANIZATION_ID                                          AS ORG_ID,
      OPERATION                                                AS EVENT_TYPE,
      SPLIT_PART(LOWER(SPLIT_PART(USER_ID, '@', 2)), '.', 1)   AS SENDER_ORG_DOMAIN,
      RECORD_SPECIFIC_DETAILS:message_ur_ls                    AS MESSAGE_URLS,
      WORKLOAD                                                 AS WORKLOAD,
      USER_ID                                                  AS USER_ID,
      RECORD_SPECIFIC_DETAILS:chat_thread_id                   AS CHAT_THREAD_ID,
      RECORD_SPECIFIC_DETAILS:communication_type               AS COMMUNICATION_TYPE,
      RECORD_SPECIFIC_DETAILS:members[0].DisplayName           AS MEMBER_DISPLAY_NAME,
      RECORD_SPECIFIC_DETAILS:members[0].UPN                   AS MEMBER_UPN,
      RECORD_SPECIFIC_DETAILS:members[0]                       AS MEMBERS,
      RECORD_SPECIFIC_DETAILS:resource_tenant_id               AS RESOURCE_TENANT_ID,
      RECORD_SPECIFIC_DETAILS
FROM RAW.O365_AUDIT_LOGS
WHERE NOT USER_ID ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
 AND (NOT (MESSAGE_URLS ILIKE '%' || SENDER_ORG_DOMAIN || '%') AND MESSAGE_URLS ILIKE '%sharepoint%')
 AND NOT MESSAGE_URLS ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
 AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'

HUNTING QUERY 4: Microsoft Teams - Phishing Detection - Multiple DM’s from Non-Common Domains

Hygiene Nuggets

We covered hunting and investigation aspects related to multiple attack techniques used by the actor. Some of those malicious methods and techniques are also known to be used in different campaigns.

Protecting your organization from those threats can significantly reduce the risk of successful attacks targeting different parts of your organizational infrastructure.

Here are a few Hygiene Nuggets that can be used to enhance your security posture:

  1. To reduce the chances of successful phishing attacks through Microsoft Teams, here are a few steps you can take:
    • By default, Microsoft Teams allows “External Access,” which permits one-on-one chats with outside contacts. If this isn’t essential for your organization, consider disabling this option.
    • If external communication is necessary, limit it to trusted domains only.
    • Another way to communicate with external parties in Microsoft Teams is by adding them as guests or members. We strongly recommend restricting this feature, allowing only select, high-privileged users to manage it.
  2. The rise in cyber attacks using remote administration tools calls for clear distinctions between tools used legitimately and those exploited by threat actors. Here are a few recommendations:
    • Limit remote administration tools to specific, approved applications required for business purposes. Quick Assist is easily downloadable from the Microsoft Store; consider blocking its use if it’s not on your organization’s whitelist. You can restrict access by applying measures like AppLocker, Windows Firewall rules, or MDM management.
    • Keep track of commonly used remote management tools and monitor for any unusual or unauthorized third-party tools. For example, if Quick Assist is used and your IT team doesn’t rely on it for remote support, it should trigger an alarm.
  3. Security Awareness Training—It may sound like a cliche, but human errors are consistently one of the main reasons for successful cyber attacks. Security awareness training can make a difference in this regard, protecting you from the next breach.
    • We do recommend making it focused and relevant to the threats seen in the wild. For example, cases of IT impersonation via communication platforms like Microsoft Teams, Slack, or even classic phone calls are on the rise. Please make sure that your employees know how to deal with it.

Conclusion

To stay updated on threat-hunting research, activities, and queries, follow Team Axon’s X/Twitter account (@team__axon).