Graphshell

Malware updated 7 months ago (2024-05-04T20:37:24.198Z)

Download STIX

Preview STIX

GraphShell is a malicious software (malware) that has been used in cyber-attacks to exploit and damage computer systems. It was first reported in March 2023 by the cybersecurity firm Bad Magic, which documented its use in attacks targeting Russian-occupied territories of Ukraine. The malware, also known as DBoxShell or PowerMagic, is part of a modular framework called CommonMagic, and it can infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, GraphShell has the capability to steal personal information, disrupt operations, or even hold data for ransom. The reconnaissance phase of GraphShell begins immediately after it is executed, allowing it to quickly start gathering information about the infected system. This makes it highly effective at achieving its destructive goals. In the fifth operation conducted by Bad Magic, they notably switched from using DBoxShell to GraphShell. This alternative malware is named for its use of the Microsoft Graph API, a tool used for building applications that access Microsoft cloud services. The use of GraphShell marks a significant evolution in the tactics of the Bad Magic group. By exploiting the Microsoft Graph API, this malware can leverage Microsoft's cloud services for command and control (C&C) purposes. This allows the attackers to remotely control infected systems, further increasing the potential harm they can cause. As such, the emergence of GraphShell represents a significant escalation in the cyber threat landscape.

Description last updated: 2023-10-10T20:16:38.163Z

What's your take? (Question 1 of 0)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Dboxshell is a possible alias for Graphshell. DboxShell is a type of malware that uses cloud storage services as a command and control (C&C) mechanism. It is also known as PowerMagic by Kaspersky. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can dis	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Graphshell Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Malwarebytes	2 years ago	Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020
CERT-EU	a year ago	A Decade of ‘Bad Magic’ In Cyber Espionage
CERT-EU	2 years ago	Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU	2 years ago	New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe