
GoGra: Linux Malware Controlled via Microsoft Graph and Outlook

A new Linux variant of the GoGra backdoor has been identified by Symantec researchers. Its twist? It relies on the Microsoft Graph API to retrieve payloads to execute from an Outlook inbox. Here’s what we know about this threat.

Harvester Adapts Its Arsenal to Target Linux

Looking for a link between Linux machines and Microsoft’s infrastructure? Here it is: GoGra, a piece of malware developed by the Harvester group. Active since at least 2021, this group has a habit of using custom malware (such as loaders and backdoors) in campaigns targeting the telecommunications, government, and IT sectors, especially in South Asia.

By analyzing GoGra samples obtained from VirusTotal, Symantec security researchers found that this Linux-adapted variant (a malicious ELF binary) communicates with Microsoft’s infrastructure via the Graph API to receive commands from the attackers.

"Symantec and Carbon Black’s Threat Hunter Team established a link between this new Linux malware and a previously known Windows espionage campaign conducted by Harvester, due to code-level similarities, demonstrating that the threat actor is actively expanding its cross-platform capabilities," says the Symantec report.

Microsoft Graph API Abused by Cybercriminals

According to Symantec’s analysis, the malware includes hard-coded Microsoft Entra ID (Azure AD) credentials. This allows it to establish a connection to Microsoft’s legitimate infrastructure and obtain OAuth2 tokens, which it then uses to access an Outlook mailbox through the Microsoft Graph API.

This technique used by the Harvester group helps evade detection since the connections are made to Microsoft-associated addresses. The workflow is as follows:

  • Every two seconds, GoGra checks an Outlook inbox folder named "Zomato Pizza".
  • It looks for any email whose subject starts with the word "Input".
  • If a matching email is found, it retrieves the instructions and decodes and decrypts them locally: they are base64-encoded and encrypted with AES-CBC.
  • The results, encrypted by the malware, are then sent back to Outlook in a message whose subject contains "Output".
  • The "Input" email that carried the command is deleted at the end of the operation to avoid leaving traces.
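As an added example (not from the article or from Symantec), here is a small hunting script that runs over constructed, simplified mailbox audit records and flags the two observable traits of the workflow above: tight polling of the "Zomato Pizza" folder and the Input/Output/delete cycle. The record layout and field names are assumptions for illustration, not the real Exchange Online audit schema.

```python
"""Hunt for GoGra-style mailbox command-and-control in mailbox audit records.

Added example. The records below are CONSTRUCTED and only loosely modelled
on Exchange Online mailbox audit events; the 'ts|op|user|folder|subject'
layout and the operation names are assumptions, not a real schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_FOLDER = "Zomato Pizza"   # inbox folder named in the Symantec report
POLL_SECONDS = 2.0           # polling interval named in the report


def parse(line):
    """Parse one constructed 'ts|op|user|folder|subject' record."""
    ts, op, user, folder, subject = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "op": op, "user": user,
            "folder": folder, "subject": subject}


def hunt(lines, max_interval=POLL_SECONDS * 2):
    """Return {mailbox: [reasons]} for mailboxes showing the GoGra pattern."""
    by_user = defaultdict(list)
    for rec in map(parse, lines):
        by_user[rec["user"]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        # Trait 1: repeated reads of the C2 folder at a machine-like cadence.
        reads = [r["ts"] for r in recs
                 if r["op"] == "MailItemsAccessed" and r["folder"] == C2_FOLDER]
        gaps = [(b - a).total_seconds() for a, b in zip(reads, reads[1:])]
        tight_poll = len(gaps) >= 3 and median(gaps) <= max_interval
        # Trait 2: an "Input" item read, an "Output" item sent, the "Input" deleted.
        got_input = any(r["subject"].startswith("Input") for r in recs
                        if r["op"] == "MailItemsAccessed")
        sent_output = any("Output" in r["subject"] for r in recs if r["op"] == "Send")
        deleted_input = any(r["subject"].startswith("Input") for r in recs
                            if r["op"] in ("SoftDelete", "HardDelete"))
        reasons = []
        if tight_poll:
            reasons.append("polls %r every ~%.0fs" % (C2_FOLDER, median(gaps)))
        if got_input and sent_output and deleted_input:
            reasons.append("Input/Output/delete cycle")
        if reasons:
            findings[user] = reasons
    return findings


SAMPLE = [  # constructed records: one mailbox under C2, one benign
    "2024-08-01T10:00:00|MailItemsAccessed|ops@example.test|Zomato Pizza|Input 1",
    "2024-08-01T10:00:02|MailItemsAccessed|ops@example.test|Zomato Pizza|Input 1",
    "2024-08-01T10:00:04|MailItemsAccessed|ops@example.test|Zomato Pizza|Input 1",
    "2024-08-01T10:00:05|Send|ops@example.test|Sent Items|Output 1",
    "2024-08-01T10:00:06|MailItemsAccessed|ops@example.test|Zomato Pizza|Input 1",
    "2024-08-01T10:00:07|SoftDelete|ops@example.test|Zomato Pizza|Input 1",
    "2024-08-01T09:00:00|MailItemsAccessed|alice@example.test|Inbox|Invoice",
    "2024-08-01T11:30:00|MailItemsAccessed|alice@example.test|Inbox|Lunch?",
]

if __name__ == "__main__":
    for mailbox, why in hunt(SAMPLE).items():
        print(mailbox, "->", "; ".join(why))
```

In a real tenant the same two traits can be looked for in the sign-in logs of the Entra ID application whose credentials the malware embeds, since that application authenticates from the compromised Linux host rather than from a user's browser.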

Finally, note that the initial infection of the machines is carried out through a phishing campaign. Symantec mentions a malicious ELF binary disguised as a PDF document. The report also cites the name of a ZIP archive associated with the distribution of this malware: TheExternalAffairesMinister.zip.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
