GraphicalProton is a sophisticated malware developed by the threat group known as SVR, which has been exploiting cloud-based services such as Microsoft OneDrive and Dropbox as Command and Control (C2) infrastructure. The malware exchanges data with the SVR operator through randomly generated BMP images and has two noteworthy variants: one that leverages DLL hijacking in Zabbix to initiate execution and potentially provide long-term, hard-to-detect access, and another that disguises itself within vcperf, an open-source C++ build analysis tool from Microsoft. GraphicalProton is an evolution of GraphicalNeutrino, an earlier malware family from the same threat group that was discovered in January 2023.
The SVR recently introduced an HTTPS variant of the GraphicalProton backdoor that relies on HTTP requests instead of cloud-based services as its C2 channel. This variant's execution is split across two files: a stager and an encrypted binary file containing the remaining code. The move to HTTPS for C2 communication is a significant shift from the group's earlier approach and reflects its adaptability and increasing sophistication.
GraphicalProton has been distributed through a vulnerability in Zabbix that allows the malware to be loaded via DLL hijacking of a legitimate Zabbix DLL, in a manner reminiscent of the SolarWinds supply-chain attack. This central element of the campaign underscores the malware's stealth and persistence capabilities. Organizations are therefore advised to update their security protocols and systems regularly to mitigate the risk posed by such advanced threats.
Description last updated: 2024-05-04T17:29:06.106Z