Code Defence Cyber security

China-linked GopherWhisper APT abuses Outlook and Slack for stealthy C2 comms

A previously undocumented state-backed threat actor is leveraging legitimate enterprise SaaS platforms to hide its command-and-control traffic. This strategy allows the actor to bypass traditional network-layer detection by blending in with authorized corporate communication flows.

The actor, identified as GopherWhisper, uses a Go-based custom toolkit to infect target systems. The malware uses Microsoft 365 Outlook, Slack, and Discord as dead-drop resolvers or direct C2 channels. By communicating through legitimate Microsoft Graph API endpoints, the malware avoids triggering alerts for unauthorized external connections, making it exceptionally difficult for security teams to identify.

The abuse of trusted SaaS providers for C2 is a strategic evolution in stealth. When an attacker “lives off the cloud,” the perimeter-based detection model fails because the malicious traffic is indistinguishable from the legitimate collaboration tools that employees use every day.

– Implement strict OAuth application monitoring to identify unauthorized SaaS applications or API integrations.

– Utilize SSL inspection and deep packet inspection to analyze traffic patterns within encrypted SaaS tunnels.

– Monitor for anomalous API token usage and sign-ins from non-standard geographic locations or IP blocks.

– Enforce strict egress filtering that restricts API communication to only the specific tenants and services authorized by the organization.
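As an added illustration of the monitoring recommendations above (not code from the original post, and unrelated to the actor's tooling), the following Python script runs three detections over a handful of constructed audit and sign-in records: OAuth consents for applications outside an approved list, sign-ins or API calls from countries outside the tenant's baseline, and an application that polls the same mailbox endpoint at a steady cadence, which is the footprint a dead-drop resolver leaves in API activity logs. The record fields, the approved-application list, the country baseline and the polling thresholds are all assumptions for this example, not a real tenant's log schema or policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values assumed for this example (tune to your own tenant).
APPROVED_APPS = {"app-ticketing", "app-hr-portal"}   # app ids with reviewed consent
EXPECTED_COUNTRIES = {"DE", "AT"}                    # where your users normally sign in
POLLING_THRESHOLD = 5                                # calls per window that count as polling
POLLING_WINDOW = timedelta(minutes=10)


def _ev(ts, typ, user, country, ip, app_id=None, endpoint=None):
    """Build one constructed log record; field names are assumptions for this example."""
    return {"ts": ts, "type": typ, "user": user, "country": country,
            "ip": ip, "app_id": app_id, "endpoint": endpoint}


# Constructed sample records (not from any real tenant).
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00", "consent", "alice", "DE", "203.0.113.10", "app-ticketing"),
    _ev("2024-05-01T08:05:00", "consent", "bob", "DE", "203.0.113.11", "app-unknown-9f3"),
] + [
    # six mailbox reads one minute apart: the steady cadence of a dead-drop poll
    _ev(f"2024-05-01T08:{10 + i:02d}:00", "api_call", "bob", "DE", "203.0.113.11",
        "app-unknown-9f3", "/me/messages")
    for i in range(6)
] + [
    _ev("2024-05-01T08:30:00", "api_call", "alice", "DE", "203.0.113.10",
        "app-ticketing", "/me/messages"),
    _ev("2024-05-01T09:00:00", "signin", "carol", "BR", "198.51.100.5"),
    _ev("2024-05-01T09:02:00", "signin", "alice", "DE", "203.0.113.10"),
]


def unapproved_consents(events, approved=APPROVED_APPS):
    """OAuth consent grants for applications outside the approved list."""
    return [(e["user"], e["app_id"]) for e in events
            if e["type"] == "consent" and e["app_id"] not in approved]


def offbaseline_signins(events, expected=EXPECTED_COUNTRIES):
    """Sign-ins and API calls originating outside the tenant's country baseline."""
    return [(e["user"], e["country"], e["ip"]) for e in events
            if e["type"] in ("signin", "api_call") and e["country"] not in expected]


def polling_apps(events, threshold=POLLING_THRESHOLD, window=POLLING_WINDOW):
    """(app, user, endpoint) triples that hit the same endpoint >= threshold times
    within one window; steady repeated reads of a mailbox or channel are the
    behavioural signal that destination-based filtering cannot see."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] == "api_call":
            key = (e["app_id"], e["user"], e["endpoint"])
            groups[key].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for key, stamps in groups.items():
        stamps.sort()
        # sliding window: any run of `threshold` calls inside `window` is polling
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(key)
                break
    return flagged


def run_detections(events):
    """Run all three checks and return their findings keyed by detection name."""
    return {
        "unapproved_consents": unapproved_consents(events),
        "offbaseline_signins": offbaseline_signins(events),
        "polling_apps": polling_apps(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

In a real deployment the records would come from the identity provider's consent and sign-in audit logs and the SaaS platform's API activity logs; the value of the third check is that it keys on cadence per application, user and endpoint rather than on the destination host, which is exactly the shift from destination-based to behavioural analysis the post recommends.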

Defending against SaaS-based C2 requires shifting from destination-based filtering to behavioral and identity-based traffic analysis. #CodeDefence #APT #Stealth #SaaS #ThreatIntelligence