(security.com) Harvester APT Group Deploys New GoGra Linux Backdoor Targeting South Asia Using Microsoft Graph API for C2
-
New Linux variant of GoGra backdoor attributed to Harvester APT leverages Microsoft Graph API for C2 over Outlook mailboxes, targeting South Asia.
In brief - Harvester APT, a suspected nation-state actor, has deployed a Linux version of its GoGra backdoor. The malware abuses Microsoft Graph API and Outlook for covert C2, using decoy documents tied to Indian and Afghan cultural references. Persistence is achieved via systemd and XDG autostart, with AES-CBC encryption securing communications.
Technically - GoGra Linux is a 5.9 MB i386 ELF delivered by a Go dropper disguised as a PDF. It establishes persistence through a systemd user unit and an XDG autostart entry, both masquerading as Conky. Hardcoded Azure AD credentials are used to obtain an OAuth2 token, after which the backdoor polls an Outlook folder ('Zomato Pizza') every 2 seconds. Commands arrive as emails with the subject 'Input', are decrypted with AES-CBC (key: b14ca5898a4e4133bbce2ea2315a1916), and are executed via /bin/bash. Results are encrypted and returned with the subject 'Output', after which the tasking email is deleted. Shared typos (e.g., 'ExcuteCommand') confirm codebase overlap with the Windows variants.
Source: https://www.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra
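The mailbox polling described above has a distinctive cadence in outbound proxy telemetry. This added example (not code from the report or from Symantec) flags clients that hit a Microsoft Graph mailFolders/messages endpoint at GoGra-like frequency, run over constructed sample log lines; the log format, the 5-second threshold and the endpoint regexes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log lines (not from the report): timestamp, client, method, URL.
SAMPLE_LOG = """\
2024-08-01T10:00:00 10.0.0.5 POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2024-08-01T10:00:01 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk123/messages
2024-08-01T10:00:03 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk123/messages
2024-08-01T10:00:05 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk123/messages
2024-08-01T10:00:07 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk123/messages
2024-08-01T10:00:09 10.0.0.5 GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk123/messages
2024-08-01T10:00:00 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:01:00 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:02:00 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:03:00 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2024-08-01T10:04:00 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
MAIL_POLL_RE = re.compile(r"^https://graph\.microsoft\.com/v1\.0/.*/mailFolders/[^/]+/messages")
TOKEN_RE = re.compile(r"^https://login\.microsoftonline\.com/.*/oauth2/v2\.0/token$")

def find_mailbox_pollers(log_text, max_median_s=5.0, min_requests=5):
    """Return {client: (poll_count, median_gap_s, token_request_seen)} for clients polling
    a Graph mailFolders/messages endpoint at a median gap of max_median_s or less."""
    polls = defaultdict(list)
    tokens = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, method, url = m.groups()
        when = datetime.fromisoformat(ts)
        if method == "POST" and TOKEN_RE.match(url):
            tokens.add(client)  # OAuth2 token acquisition precedes the polling loop
        elif method == "GET" and MAIL_POLL_RE.match(url):
            polls[client].append(when)
    hits = {}
    for client, times in polls.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= max_median_s:  # a 2 s beacon lands well under the threshold
            hits[client] = (len(times), med, client in tokens)
    return hits
```

The benign client polling once a minute is left alone; only the 2-second beacon with a preceding token request is reported.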