Graphicalproton

Malware updated 4 months ago (2024-05-04T19:43:19.521Z)
GraphicalProton is a backdoor attributed to Russia's Foreign Intelligence Service (SVR), the group tracked as BlueBravo/APT29, that uses cloud storage services, Microsoft OneDrive and Dropbox, as its command-and-control (C2) channel. The malware exchanges data with the SVR operator inside randomly generated BMP image files. Two notable variants have been observed: one that starts via DLL hijacking of a legitimate Zabbix DLL, giving the operator long-term, hard-to-detect access, and one that disguises itself within vcperf, an open-source C++ build analysis tool from Microsoft. GraphicalProton is an evolution of GraphicalNeutrino, a backdoor from the same group first reported in January 2023.

The SVR later introduced an HTTPS variant of GraphicalProton that uses direct HTTPS requests as its C2 channel instead of the cloud storage services. Its execution is split across two files: a stager and an encrypted binary containing the remaining code. Moving from cloud-service C2 to plain HTTPS is a notable change in tradecraft and shows the group's willingness to vary its infrastructure.

The Zabbix delivery path is not a vulnerability in Zabbix itself: the malware is loaded through DLL hijacking of a legitimate Zabbix DLL, an abuse of trusted software reminiscent of the SolarWinds attack, and it is this loader that gives the campaign its stealth and persistence. Defenders should treat trusted administrative tooling such as Zabbix and build tooling such as vcperf as potential loaders, keep systems patched, and monitor for unexpected DLL loads and for unusual traffic to cloud storage services from hosts that do not normally use them.
Description last updated: 2024-05-04T17:29:06.106Z
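The page states that GraphicalProton moves data through randomly generated BMP files staged on OneDrive or Dropbox, but it does not describe how the data is embedded. The following is an added example, not code from the page or from any GraphicalProton sample: a generic check that parses a BMP's headers, works out how many bytes the declared geometry actually accounts for, and flags files carrying data beyond that (a trailer after the pixel array, a gap before it, or a size field that does not match the file). The sample images, `build_bmp` and `make_samples`, are constructed here for illustration; the 512-byte high-entropy trailer stands in for an encrypted blob and is an assumption, not the real encoding.

```python
"""Heuristic check for BMP files that carry more bytes than their headers account for.

Added example (not from the page or any GraphicalProton sample). The embedding
scheme used by the real malware is not documented on the page; this only detects
appended or gap-hidden data, not data hidden inside the pixel values themselves.
"""
import math
import struct
from collections import Counter
from random import Random

FILE_HEADER = "<2sIHHI"        # magic, bfSize, reserved, reserved, bfOffBits
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, width, height, planes, bpp,
                               # compression, image size, x/y ppm, colours used/important
FILE_HEADER_LEN = struct.calcsize(FILE_HEADER)   # 14
INFO_HEADER_LEN = struct.calcsize(INFO_HEADER)   # 40


def row_stride(width: int, bits_per_pixel: int) -> int:
    """BMP pixel rows are padded to 4-byte boundaries."""
    return ((width * bits_per_pixel + 31) // 32) * 4


def build_bmp(width: int, height: int, pixels: bytes, trailer: bytes = b"") -> bytes:
    """Assemble a 24-bit uncompressed BMP (constructed sample); `trailer` is appended after the pixels."""
    if len(pixels) != row_stride(width, 24) * height:
        raise ValueError("pixel buffer does not match geometry")
    offset = FILE_HEADER_LEN + INFO_HEADER_LEN
    info = struct.pack(INFO_HEADER, INFO_HEADER_LEN, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    # bfSize deliberately covers only headers + pixels, as a naive writer would set it.
    file_hdr = struct.pack(FILE_HEADER, b"BM", offset + len(pixels), 0, 0, offset)
    return file_hdr + info + pixels + trailer


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_bmp(data: bytes) -> dict:
    """Compare the declared BMP geometry against the actual file length and report anomalies."""
    if len(data) < FILE_HEADER_LEN + INFO_HEADER_LEN:
        raise ValueError("too short to be a BMP")
    magic, declared_size, _r1, _r2, pixel_offset = struct.unpack_from(FILE_HEADER, data, 0)
    if magic != b"BM":
        raise ValueError("missing BM magic")
    (hdr_size, width, height, _planes, bpp, compression, _img_size,
     _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from(INFO_HEADER, data, FILE_HEADER_LEN)
    if hdr_size < INFO_HEADER_LEN:
        raise ValueError(f"unsupported DIB header size {hdr_size}")
    if compression != 0:
        raise ValueError("only uncompressed (BI_RGB) bitmaps are handled here")
    # Indexed images carry a palette between the headers and the pixel array.
    palette_bytes = 0 if bpp > 8 else (clr_used or (1 << bpp)) * 4
    pixel_bytes = row_stride(width, bpp) * abs(height)   # negative height = top-down rows
    header_gap = pixel_offset - (FILE_HEADER_LEN + hdr_size + palette_bytes)
    trailing = len(data) - (pixel_offset + pixel_bytes)
    trailer = data[pixel_offset + pixel_bytes:] if trailing > 0 else b""
    findings = {
        "width": width,
        "height": abs(height),
        "bits_per_pixel": bpp,
        "declared_size_mismatch": declared_size != len(data),
        "header_gap": header_gap,
        "trailing_bytes": trailing,
        "trailer_entropy": round(shannon_entropy(trailer), 2),
    }
    findings["suspicious"] = (header_gap > 0 or trailing > 0
                              or findings["declared_size_mismatch"])
    return findings


def make_samples(seed: int = 7) -> dict:
    """Constructed inputs: a clean noise image and the same image with a 512-byte payload appended."""
    rng = Random(seed)
    width, height = 64, 48
    pixels = bytes(rng.getrandbits(8) for _ in range(row_stride(width, 24) * height))
    payload = bytes(rng.getrandbits(8) for _ in range(512))   # stands in for an encrypted blob
    return {"clean": build_bmp(width, height, pixels),
            "tampered": build_bmp(width, height, pixels, trailer=payload)}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(name, analyze_bmp(blob))
```

Run against files pulled from a cloud-storage sync folder or a proxy capture, the `suspicious` flag is a triage hint, not a verdict: legitimate editors sometimes write non-zero header gaps or a stale `bfSize`, and a scheme that hides bytes inside the pixel values (as opposed to after them) will pass this check entirely. Pair it with context the page itself points at, such as which process wrote the file and whether that host normally talks to OneDrive or Dropbox.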
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in identifying relevance): Malware, Backdoor, Phishing, Vulnerability
Associated Threat Actors
BlueBravo (type: Unspecified; votes: 4): BlueBravo, also known as APT29, Nobelium, and various other names, is a threat actor believed to be linked with the Russian government. This group has been implicated in multiple high-profile cyber-espionage incidents, including the 2020 SolarWinds attack and breaches against the Democratic National
Source Document References
Information about the Graphicalproton malware was read from the documents corpus below.

CERT-EU (8 months ago): Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU (9 months ago): The JetBrains TeamCity software supply chain attack: Lessons learned
CISA (9 months ago): Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | CISA
CERT-EU (a year ago): In Other News: Data Breach Cost Rises, Russia Targets Diplomats, Tracker Alerts in Android
CERT-EU (a year ago): Cyber Security Week in Review: July 28, 2023
CERT-EU (a year ago): BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities
Recorded Future (a year ago): BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware | Recorded Future
CERT-EU (a year ago): Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats
BankInfoSecurity (a year ago): European Governments Targeted in Russian Espionage Campaign
CERT-EU (a year ago): Eastern European diplomats targeted by new APT29 phishing campaign
CERT-EU (a year ago): Russian APT BlueBravo targets diplomatic entities with GraphicalProton backdoor | IT Security News
Securityaffairs (a year ago): Russian APT BlueBravo targets diplomatic entities with GraphicalProton backdoor
CERT-EU (a year ago): BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities | IT Security News