GraphicalProton

Malware updated 6 months ago (2024-05-04T19:43:19.521Z)
GraphicalProton is a sophisticated malware developed by the threat group known as the SVR, which has exploited cloud-based services such as Microsoft OneDrive and Dropbox for command-and-control (C2) infrastructure. The malware exchanges data with the SVR operator using randomly generated BMP files and has two noteworthy variants: one that uses DLL hijacking in Zabbix to initiate execution, potentially providing long-term, hard-to-detect access, and another that disguises itself within vcperf, an open-source C++ build analysis tool from Microsoft. GraphicalProton is an evolution of GraphicalNeutrino, another malware variant developed by the same threat group and discovered in January 2023.

The SVR recently introduced an HTTPS variant of the GraphicalProton backdoor that relies on HTTP requests instead of cloud-based services as its C2 channel. This variant's execution is split across two files: a stager and an encrypted binary file containing further code. The use of HTTPS for C2 communication is a significant shift from the earlier approach, indicating the threat group's adaptability and increasing sophistication.

Distribution of GraphicalProton has been facilitated through a vulnerability in Zabbix, allowing it to be delivered via DLL hijacking of a legitimate Zabbix DLL, similar to the infamous SolarWinds style of attack. This central element of the campaign underscores the malware's stealth and persistence capabilities. Organizations are therefore advised to update their security protocols and systems regularly to mitigate the risk posed by such advanced threats.
Description last updated: 2024-05-04T17:29:06.106Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Phishing
Vulnerability
Associated Threat Actors
Alias: BlueBravo
Description: The BlueBravo threat actor is associated with GraphicalProton. BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev
Association Type: Unspecified
Votes: 4