
Article

Browser Threats Evolve to Distribute Malware Through OneDrive and Microsoft Teams



Threat researchers published an update to a technique that allows threat actors to evade common security measures by injecting malware through web browsers. Using social engineering techniques, threat actors can execute malicious code using Microsoft OneDrive and Teams applications. The new technique, referred to as browser cache smuggling, is the latest in attacks using web browsers to evade many common security measures, including endpoint detection and response (EDR) solutions.

What’s Notable and Unique

  • To enhance efficiency, modern browsers cache static files (such as photos and JavaScript), and threat actors take advantage of this by hiding malicious dynamic link library (DLL) files on a website under the guise of harmless content, such as pictures.
  • Threat actors then use social engineering to get victims to run a PowerShell command that finds the cached DLL and relocates it to a high-risk directory, like the localappdata directories in OneDrive or Microsoft Teams. The threat actors then use OneDrive and Teams to load and execute the malicious content using a technique called DLL proxying.


Analyst Comments

Threat actors have historically injected malicious code through web browsers and, more recently, leveraged social engineering techniques to get users to run malicious PowerShell commands. They then separately used DLL proxying to load malicious content. This newly published technique enables threat actors to combine these two capabilities. The combination enables threat actors to move further through an attack while evading defenses. It is likely that additional ransomware and extortion groups will adopt this new technique to improve the success of their operations.

Threat actors’ increased use of social engineering to get users to execute malicious code demonstrates the importance of limiting user access to scripting engines. General users likely do not need PowerShell, Python, Docker, or similar tools enabled on their desktops. Role-based application control is critical to blunting this and similar techniques currently used by ransomware groups. To detect abuse of the browser cache in this new technique, organizations should consider EDR detections that fire when any process other than a browser accesses the browser cache. At Arete, these types of detections are applied through Arete BloktdSM, our next-generation threat identification and protection service that enhances EDR tools with custom threat detection rules that act autonomously in seconds to proactively identify threats and prevent cyberattacks.
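The two detection ideas above, a non-browser process touching the browser cache and a DLL landing in the OneDrive or Teams localappdata tree (the relocation step described earlier), written out as rules over constructed file-access telemetry. This is an added example, not Arete's or any EDR product's code; the event format, the browser cache paths, the scanner allowlist (msmpeng.exe) and the permitted-writer list are assumptions to tune for your environment.

```python
import re
from typing import List, Optional, Tuple

# Cache directories of common browsers under %LOCALAPPDATA% (case-insensitive).
BROWSER_CACHE_RE = re.compile(
    r"\\AppData\\Local\\("
    r"Google\\Chrome\\User Data\\[^\\]+\\(Cache|Code Cache)\\"
    r"|Microsoft\\Edge\\User Data\\[^\\]+\\(Cache|Code Cache)\\"
    r"|Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2\\)",
    re.IGNORECASE,
)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed allowlist for scanners that legitimately read every file; tune per environment.
CACHE_ALLOWLIST = {"msmpeng.exe"}
# Relocation targets the article names; assumed only the apps' own binaries write DLLs there.
APP_DIR_RE = re.compile(r"\\AppData\\Local\\Microsoft\\(OneDrive|Teams)\\", re.IGNORECASE)
APP_DIR_WRITERS = {"onedrive.exe", "onedrivesetup.exe", "teams.exe", "ms-teams.exe"}

# Constructed sample file-access telemetry: process|operation|path (one event per line).
SAMPLE_EVENTS = r"""
chrome.exe|read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000a12
MsMpEng.exe|read|C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles\x1y2z3.default\cache2\entries\0AB1C2
powershell.exe|read|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000a12
powershell.exe|write|C:\Users\alice\AppData\Local\Microsoft\OneDrive\constructed_proxy.dll
"""


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split 'process|operation|path'; None for blank or malformed lines."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0].lower(), parts[1].lower(), parts[2]


def analyze(events: str) -> List[dict]:
    """Apply both detections to newline-separated events and return the findings."""
    findings = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        proc, op, path = ev
        # Rule 1: anything other than a browser (or an allowlisted scanner) touching a browser cache.
        if BROWSER_CACHE_RE.search(path) and proc not in BROWSER_IMAGES | CACHE_ALLOWLIST:
            findings.append({"rule": "nonbrowser_cache_access", "process": proc, "op": op, "path": path})
        # Rule 2: a DLL written into the OneDrive/Teams localappdata tree by some other process.
        if op == "write" and path.lower().endswith(".dll") and APP_DIR_RE.search(path) and proc not in APP_DIR_WRITERS:
            findings.append({"rule": "dll_written_to_app_dir", "process": proc, "op": op, "path": path})
    return findings
```

Rule 1 is noisy on hosts where backup, DLP or indexing agents read user profiles, so expect to grow the allowlist rather than loosen the path match.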