win.grager

Grager


Grager is a backdoor that was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. It uses the Microsoft Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive: the OneDrive client ID and refresh token (the credentials needed to obtain Graph access tokens for that account) are carried as an encrypted blob inside the file body and decrypted at runtime. It supports the following commands:

- Retrieve machine information, including machine name, user, IP address, and machine architecture
- Download or upload a file
- Execute a file
- Gather file system information, including available drives, their sizes, and types of drives
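Because the C&C lives on a legitimate Microsoft service, the useful detection signal is not the destination but the combination of an OAuth2 refresh-token grant against login.microsoftonline.com followed shortly by OneDrive calls on graph.microsoft.com from a process that should not hold Microsoft refresh tokens. The following hunting script is an added example, not code from the Symantec report or from the malware itself; the JSON proxy log format, the process allowlist, the process and host names, and the OneDrive paths in the sample log are all assumptions constructed for the example (Grager's actual client ID, token, and folder layout are not given on this page).

```python
"""Hunt for OneDrive-as-C2 behaviour in per-process web proxy logs.

Heuristic (assumed, not a published Grager signature): a process outside a
small allowlist performs an OAuth2 refresh_token grant at
login.microsoftonline.com and, within a short window, calls OneDrive
endpoints on graph.microsoft.com (/me/drive..., /drives/...).
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"
# Assumed allowlist of processes expected to refresh Microsoft tokens. Tune per estate.
EXPECTED_PROCESSES = {"msedge.exe", "chrome.exe", "outlook.exe", "onedrive.exe", "teams.exe"}
WINDOW = timedelta(minutes=10)

# Constructed sample log (one JSON record per line); not real telemetry.
# Host, process names and OneDrive paths are invented for this example.
SAMPLE_LOG = """\
{"ts": "2024-04-10T08:01:02Z", "host": "WS-0417", "process": "onedrive.exe", "method": "POST", "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "body": "grant_type=refresh_token&client_id=<redacted>&refresh_token=<redacted>"}
{"ts": "2024-04-10T08:01:03Z", "host": "WS-0417", "process": "onedrive.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root/children"}
{"ts": "2024-04-10T08:05:40Z", "host": "WS-0417", "process": "winsvc.exe", "method": "POST", "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "body": "grant_type=refresh_token&client_id=<redacted>&refresh_token=<redacted>"}
{"ts": "2024-04-10T08:05:41Z", "host": "WS-0417", "process": "winsvc.exe", "method": "GET", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/cmd:/children"}
{"ts": "2024-04-10T08:05:42Z", "host": "WS-0417", "process": "winsvc.exe", "method": "PUT", "url": "https://graph.microsoft.com/v1.0/me/drive/root:/out/WS-0417.txt:/content"}
{"ts": "2024-04-10T09:30:00Z", "host": "WS-0099", "process": "updater.exe", "method": "POST", "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "body": "grant_type=refresh_token&client_id=<redacted>&refresh_token=<redacted>"}
"""


def parse_line(line: str) -> dict:
    """Parse one JSON log record and split its URL into host and path."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    parts = urlsplit(rec["url"])
    rec["netloc"] = parts.netloc.lower()
    rec["path"] = parts.path
    return rec


def is_refresh_grant(rec: dict) -> bool:
    """POST to an Entra ID/AAD OAuth2 token endpoint using the refresh_token grant."""
    return (
        rec["method"].upper() == "POST"
        and rec["netloc"] == TOKEN_HOST
        and "/oauth2/" in rec["path"]
        and rec["path"].endswith("/token")
        and "grant_type=refresh_token" in rec.get("body", "")
    )


def is_onedrive_graph_call(rec: dict) -> bool:
    """Any Graph request that touches a drive (personal OneDrive or a drive by id)."""
    return rec["netloc"] == GRAPH_HOST and ("/me/drive" in rec["path"] or "/drives/" in rec["path"])


def hunt(log_text: str) -> list[dict]:
    """Return one finding per (host, process, token grant) that is followed by OneDrive traffic."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    by_actor: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["process"].lower())].append(ev)

    findings = []
    for (host, proc), evs in by_actor.items():
        if proc in EXPECTED_PROCESSES:
            continue
        evs.sort(key=lambda e: e["ts"])
        for grant in (e for e in evs if is_refresh_grant(e)):
            follow = [
                e for e in evs
                if is_onedrive_graph_call(e) and grant["ts"] <= e["ts"] <= grant["ts"] + WINDOW
            ]
            if follow:  # token grant alone (e.g. updater.exe above) is not enough to flag
                findings.append({
                    "host": host,
                    "process": proc,
                    "token_grant": grant["ts"].isoformat(),
                    "graph_calls": [f"{e['method']} {e['path']}" for e in follow],
                })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

Two caveats for real use: the token endpoint and Graph are reached over TLS, so the process attribution and request bodies above presuppose either TLS-inspecting proxy logs or endpoint telemetry (for example EDR network events joined with process names); and because many legitimate applications use Graph, the allowlist and window are what keep the rule quiet, so expect to tune them per environment rather than treat a hit as confirmed Grager.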

References
2024-08-07 | Symantec Threat Hunter Team | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
Families covered by this report: GoGra, Grager, MOONTAG, Ondritols, TONERJAM

There is no YARA signature yet.