Webworm APT Expands Cyber-Espionage to Europe, Leveraging Discord and Microsoft Graph for Covert C2 Communications

Executive Summary

The China-aligned Advanced Persistent Threat (APT) group known as Webworm (also tracked as Space Pirates) has significantly evolved its tactics and expanded its targeting scope from Asia to European government entities. Research from ESET reveals the group is deploying a new arsenal of sophisticated backdoors designed for stealth and persistence. Two notable new malware families, EchoCreep and GraphWorm, abuse legitimate, high-reputation cloud services for command-and-control (C2) communications. EchoCreep uses Discord's API, while GraphWorm leverages the Microsoft Graph API and OneDrive. This living-off-the-trusted-land (LOTL) approach makes their C2 traffic exceptionally difficult to detect, as it blends in with legitimate business communications. The group's primary objective appears to be cyber-espionage, with observed exfiltration of sensitive government documents from targets in Spain, Belgium, Italy, and Poland.

Threat Overview

Webworm is a sophisticated espionage group that continuously refines its toolset to evade detection. Their latest campaign demonstrates a clear focus on stealth and operational security.

• Targeting: The group has expanded its focus to include government organizations in several European nations, as well as targets in South Africa. This marks a strategic shift from their previous focus on Asia.
• New Malware:
  • EchoCreep: A backdoor that uses Discord webhooks for C2. It sends system information to an attacker-controlled Discord channel and receives commands in return. ESET was able to decrypt over 400 of these messages, gaining significant insight.
  • GraphWorm: A more advanced backdoor that abuses the Microsoft Graph API. It uses a compromised Microsoft account's OneDrive as a dead-drop location for tasking and data exfiltration.
• C2 Evasion: By using Discord and the Microsoft Graph API, Webworm's C2 traffic is encrypted by default and directed towards highly trusted domains (discord.com, graph.microsoft.com). This bypasses many network security controls that rely on domain reputation and blacklisting.
• Other Tools: The group also utilizes open-source vulnerability scanners for initial reconnaissance and deploys various proxy tools, including a custom variant of FRP named WormFrp, to tunnel their traffic and further obscure their activities.

Technical Analysis

The attack chain showcases the group's methodical approach:

1. Initial Access: The specific initial access vector is not detailed, but APTs like Webworm typically use spear-phishing (T1566.001 - Spearphishing Attachment) or exploit public-facing applications (T1190 - Exploit Public-Facing Application).
2. Payload Deployment: Once inside, the operators deploy one of their backdoors, either EchoCreep or GraphWorm.
3. C2 Communication (GraphWorm): The GraphWorm backdoor authenticates to the Microsoft Graph API. It checks a specific folder in the associated OneDrive account for a tasking file. It executes the commands in the file, writes the output to a new file, and uploads it back to OneDrive for the operator to retrieve.
4. C2 Communication (EchoCreep): The EchoCreep backdoor sends a POST request to a hardcoded Discord webhook URL. The body of the request contains encrypted, base64-encoded system information. It receives tasks from the same channel.
5. Data Exfiltration: In one documented case, the group exfiltrated files from a Spanish government entity, including a Microsoft Visio diagram of the domain's network infrastructure, using compromised AWS S3 buckets as an exfiltration point.

MITRE ATT&CK Techniques

• T1071.001 - Application Layer Protocol: Web Protocols: The core of the C2, using legitimate web services.
• T1105 - Ingress Tool Transfer: Downloading the backdoors after initial access.
• T1567.002 - Exfiltration to Cloud Storage: Using OneDrive and AWS S3 for data exfiltration.
• T1573.002 - Asymmetric Cryptography: Using standard TLS encryption provided by Discord and Microsoft to hide C2 traffic.
• T1027 - Obfuscated Files or Information: Encrypting the C2 messages sent via Discord.

Impact Assessment

• Espionage: The primary impact is successful cyber-espionage against European government targets. The theft of sensitive documents, such as network diagrams, provides the threat actor with valuable intelligence for planning future operations or understanding the target's capabilities.
• Erosion of Trust in Cloud Services: This campaign further demonstrates how threat actors can turn trusted enterprise cloud services into weapons, making it harder for defenders to distinguish malicious from benign activity.
• Increased Detection Complexity: Security teams must now consider traffic to legitimate services like Discord and Microsoft Graph API as potential C2 channels, significantly increasing the complexity of threat hunting.

IOCs — Directly from Articles

No specific IOCs such as domains, IPs, or file hashes were provided in the summarized articles.

Cyber Observables — Hunting Hints

Security teams should hunt for anomalous use of legitimate services:

Detection & Response

• Detection: Detecting this activity requires a shift from blocking bad domains to baselining normal application behavior.
  • Implement strict egress filtering and monitor for alerts on connections to services like Discord from servers and applications that have no business reason to do so.
  • Use EDR to identify which process is initiating the outbound connection. A process like powershell.exe or a random executable connecting to graph.microsoft.com is a major red flag.
  • Leverage Microsoft 365 audit logs to monitor for suspicious API usage or file access patterns in OneDrive.
• Response: If a Webworm backdoor is found, isolate the host and begin a forensic investigation. Since this is an APT, assume the attacker has moved laterally and conduct a broader hunt across the environment for other compromised systems.

Mitigation

• Egress Filtering: This is the most effective mitigation. Block outbound access to non-essential web services like Discord, paste sites, and personal cloud storage from all corporate assets, especially servers. For services like Microsoft 365, use application-aware firewalls that can enforce tenant restrictions, preventing users from authenticating to non-corporate instances.
• Application Control: Use application control solutions (e.g., AppLocker) to prevent unauthorized executables (the backdoors) from running.
• Endpoint Detection and Response (EDR): A properly configured EDR can detect the malicious processes and their suspicious network connections, allowing for rapid response.
• Principle of Least Privilege: Ensure user and service accounts have the minimum necessary permissions, especially for accessing cloud APIs like Microsoft Graph.