Microsoft representatives reported that the Chinese government hacker group Gadolinium (aka APT40 or Leviathan) created and used 18 Azure Active Directory applications to attack Microsoft Azure customers. All of the discovered applications were removed from the Azure portal in April of this year.
A recent Microsoft report outlines the group's latest tactics, of which the malicious Azure Active Directory applications were one part. Experts describe these attacks as “extremely difficult to detect” because of the multi-stage infection process and the use of PowerShell payloads.
For example, Gadolinium's attacks began with phishing emails targeted at specific organizations. These messages carried malicious documents (usually PowerPoint files) on COVID-19 themes. Users who opened one of these documents were infected with PowerShell-based malware and, through it, exposed to the malicious Azure Active Directory applications.
The PowerShell malware mentioned above was used to install one of the 18 Azure Active Directory applications on victims' computers. The role of these apps was to automatically configure the victim's endpoint so that the attackers held the rights they needed to steal information and upload it to OneDrive.
Microsoft experts write that by removing these 18 applications they at least temporarily halted the Chinese group's attacks and forced the hackers to rethink and rebuild their infrastructure. Microsoft also said it had previously secured the deletion of the GitHub account that Gadolinium operators used in their 2018 malware campaigns. This was unlikely to have a strong effect on APT40 operations, but it still prevented the hackers from reusing the same account across different attacks.