Chinese APT UNC5221 Deploys New Malware for M365 Persistence
- Chinese APT UNC5221 uses new malware for persistent access to targeted Microsoft 365 environments for espionage.
- Microsoft 365 tenants are specifically targeted, facing potential data exfiltration and long-term compromise.
- Implement robust M365 security, monitor for novel C2 activity, and deploy advanced EDR solutions.
Overview: Chinese APT UNC5221’s New M365 Persistence Arsenal
A sophisticated Chinese espionage group, tracked as UNC5221 by Mandiant, has been observed deploying a new suite of malware to maintain persistent access within compromised Microsoft 365 environments. This campaign, aimed at intelligence gathering, leverages a known backdoor dubbed Brickstorm, alongside two previously undocumented malware strains named Plenet and AgentPSD. The group’s focus on abusing legitimate M365 functionalities for command and control (C2) operations poses a significant challenge for detection and response efforts.
According to BleepingComputer, UNC5221’s activities underscore a strategic shift towards blending malicious traffic with normal enterprise cloud operations, making their presence difficult to identify through traditional network monitoring. Security professionals must understand these evolving TTPs to effectively defend against this advanced persistent threat (APT).
Technical Analysis of UNC5221’s Malware
UNC5221’s toolkit demonstrates an intent for stealth and persistence, with each component playing a specific role in their intrusion chain within Microsoft 365 environments. The primary objective is to ensure continued unauthorized access for espionage purposes.
Plenet: The Custom C#-based Loader
Plenet serves as a custom C#-based loader, designed to decrypt and execute shellcode payloads. While its precise function in every instance is contextual, Mandiant suggests it acts as a precursor, preparing the compromised system for the deployment of subsequent stages, potentially including AgentPSD or Brickstorm. Its C# implementation hints at a strategy to integrate seamlessly into Windows environments, where .NET applications are common.
AgentPSD: PowerShell Backdoor Leveraging Microsoft Graph API
AgentPSD is a PowerShell-based backdoor that exhibits a critical characteristic: it utilizes the Microsoft Graph API for its C2 communications. By leveraging the Graph API, AgentPSD can masquerade its malicious traffic as legitimate requests to Microsoft 365 services. This technique makes it exceptionally difficult for defenders to differentiate between benign user activity and malicious backdoor operations. The use of PowerShell also grants the attackers flexibility and a file-less execution capability, reducing forensic artifacts on disk.
Brickstorm: C#-based Backdoor with Microsoft Teams API for C2
Brickstorm, a C#-based backdoor, further exemplifies UNC5221’s innovative approach to C2. Unlike AgentPSD, which uses the Graph API, Brickstorm communicates with its C2 server by abusing Microsoft Teams APIs. This specific TTP is particularly noteworthy because it exploits an increasingly ubiquitous collaboration platform. Compromising user accounts or applications with Teams access allows Brickstorm to establish covert channels that are often overlooked by conventional security tools, which makes mitigating the persistent access the Brickstorm backdoor provides a complex task.
Impact and Significance for Defenders
This campaign by UNC5221 highlights several critical challenges for organizations relying on Microsoft 365:
- Evasion of Traditional Defenses: The use of legitimate M365 APIs for C2 communications can bypass network-based firewalls and proxies that typically whitelist Microsoft domains. This necessitates deeper inspection of application-layer traffic and behavioral analytics.
- Persistent Access: The deployment of multiple sophisticated backdoors ensures that even if one method is detected and mitigated, the attackers retain other avenues for access.
- Espionage Risk: As an espionage group, UNC5221’s primary goal is likely data exfiltration and long-term intelligence gathering from targeted organizations, which could include government entities, defense contractors, and critical infrastructure.
- Supply Chain Implications: The potential for initial compromise via supply chain attack vectors or other means prior to malware deployment means organizations must secure their entire digital footprint.
Actionable Recommendations and Mitigations
To counter the tactics UNC5221 uses against Microsoft 365 environments, security teams should prioritize the following actions:
Enhanced Microsoft 365 Security Posture
- Monitor Microsoft 365 Audit Logs: Regularly review Azure AD, Microsoft Graph API, and Microsoft Teams audit logs for unusual activity, specifically focusing on API calls from unfamiliar IP addresses or unusual application permissions. Pay close attention to calls made by service accounts or applications that do not typically interact with these APIs.
- Conditional Access Policies: Enforce strong Conditional Access policies, including multi-factor authentication (MFA) for all users, especially administrators. Limit access to M365 services based on location, device compliance, and risk levels.
- Application Governance: Audit and regularly review all registered applications in Azure AD. Restrict unnecessary application permissions and revoke credentials for unused applications. This helps to reduce the attack surface for abuse of legitimate APIs.
Detecting Plenet and AgentPSD Malware Activity
- Endpoint Detection and Response (EDR): Deploy and configure robust EDR solutions across all endpoints. These tools are crucial for detecting Plenet and AgentPSD malware activity by identifying unusual process execution, PowerShell scripts, and C# assembly loading. Focus on behavioral indicators that might suggest payload decryption and execution.
- Security Information and Event Management (SIEM): Integrate M365 audit logs with a SIEM system for centralized logging, correlation, and alerting. Develop specific rules to detect patterns indicative of Graph API or Teams API abuse for C2, such as high volumes of API calls from a single source or unusual API sequences.
- Threat Hunting: Actively hunt for IoCs and behavioral anomalies in endpoint and cloud environments. Look for C# executables with low reputation, PowerShell scripts obfuscated or executed outside normal parameters, and network connections to unusual domains or IP addresses from within M365 services.
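The SIEM rules and audit-log checks above can be prototyped as a small correlation script. The following is an added example (not code from the article, Mandiant or BleepingComputer) that runs two detections over constructed, simplified audit events: Graph/Teams API calls from a source outside an assumed baseline (unfamiliar IP range or an application that does not normally call these APIs) and a high volume of calls from one source within a short window. Field names, application names, addresses and thresholds are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like M365 unified audit log
# entries. Field names, app names and addresses are assumptions for this
# example; they are not indicators from the article.
def _beacon(app, ip, api, start, count, every_s):
    t0 = datetime.fromisoformat(start)
    return [{"time": (t0 + timedelta(seconds=i * every_s)).isoformat(),
             "app": app, "ip": ip, "api": api} for i in range(count)]

SAMPLE_EVENTS = (
    _beacon("corp-mailer", "10.20.0.5", "graph", "2024-05-01T09:00:00", 3, 600)
    + _beacon("teams-helper", "203.0.113.7", "teams", "2024-05-01T09:05:00", 25, 20)
)
KNOWN_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed corporate range
BASELINE_APPS = {"corp-mailer", "hr-sync"}            # apps expected to call Graph/Teams

def detect(events, volume_threshold=20, window=timedelta(minutes=10)):
    """Flag Graph/Teams API use matching the two hints in the text:
    calls from sources outside the baseline, and high volume from one source."""
    alerts = set()
    by_source = defaultdict(list)
    for e in events:
        if e["api"] not in ("graph", "teams"):
            continue
        src = (e["app"], e["ip"])
        by_source[src].append(datetime.fromisoformat(e["time"]))
        if not any(ipaddress.ip_address(e["ip"]) in n for n in KNOWN_NETS):
            alerts.add(("unfamiliar_ip",) + src)
        if e["app"] not in BASELINE_APPS:
            alerts.add(("unbaselined_app",) + src)
    for src, times in by_source.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):   # sliding window over sorted timestamps
            while times[left] < t - window:
                left += 1
            if right - left + 1 >= volume_threshold:
                alerts.add(("high_volume",) + src)
                break
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the baseline sets and thresholds would be derived from each tenant's own historical audit data rather than hard-coded.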
By implementing these proactive measures, organizations can significantly enhance their defensive capabilities against sophisticated nation-state actors like UNC5221 and mitigate the risks associated with their persistent M365 compromise tactics.