
Harvester APT Group Unveils New GoGra Linux Backdoor Using Microsoft Graph API

Severity: High (Score: 75.5)

Sources: Security, Thehackernews, www.broadcom.com, Bleepingcomputer

Summary

The Harvester APT group has launched a Linux variant of its GoGra backdoor, using the Microsoft Graph API and Outlook mailboxes for covert command-and-control. The malware is designed to evade traditional defenses and has been linked to prior Windows-based espionage campaigns by the same group. Initial VirusTotal submissions indicate that the primary targets are located in India and Afghanistan, with localized decoy documents suggesting a tailored attack strategy. The malware masquerades as legitimate files, tricking users into executing malicious ELF binaries disguised as PDFs. It uses hardcoded Azure AD credentials to authenticate and polls a mailbox folder named 'Zomato Pizza' for commands. For persistence it installs a systemd user unit and an XDG autostart entry, both camouflaged as the Conky system monitor. Symantec researchers note that the Linux variant shares significant code with its Windows counterpart, indicating a unified development effort. No victims have been confirmed yet, but the potential for targeted attacks remains high.

Key Points

  • Harvester APT group has developed a Linux version of the GoGra backdoor.
  • The malware uses Microsoft Graph API for command-and-control, targeting users in India and Afghanistan.
  • It employs social engineering tactics to disguise malicious ELF files as PDFs for initial access.
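
A defender-side hunt for the persistence technique described above, added here as an example (not code from the feed's sources or from Symantec): it parses XDG autostart .desktop entries and systemd user units and flags any that present themselves as Conky but start a binary outside the expected Conky install paths. The legitimate Conky paths and the sample entries are assumptions constructed for the example.

```python
import configparser
import re
import shlex

# Where a distro-packaged Conky binary is expected to live (assumption; adjust per host).
LEGIT_CONKY_BINS = {"/usr/bin/conky", "/usr/local/bin/conky"}

# file suffix -> (section holding the display name, name keys, section holding the command, command key)
LAYOUTS = {
    ".desktop": ("Desktop Entry", ("Name", "Comment"), "Desktop Entry", "Exec"),
    ".service": ("Unit", ("Description",), "Service", "ExecStart"),
}

def exec_target(cmdline):
    """First executable token of an Exec=/ExecStart= line, with systemd prefixes like '-' or '@' stripped."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return cmdline.strip()
    return argv[0].lstrip("-@+!:") if argv else ""

def check_entry(path, text):
    """Return a reason string if the entry presents itself as Conky but starts another binary, else None."""
    for suffix, (name_sec, name_keys, exec_sec, exec_key) in LAYOUTS.items():
        if path.endswith(suffix):
            break
    else:
        return None  # neither an XDG autostart entry nor a systemd unit
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if name_sec not in cp or exec_sec not in cp:
        return None
    label = " ".join(cp[name_sec].get(k, "") for k in name_keys)
    target = exec_target(cp[exec_sec].get(exec_key, ""))
    if re.search(r"conky", label, re.I) and target not in LEGIT_CONKY_BINS:
        return f"claims to be Conky but starts {target or '<empty>'}"
    return None

def hunt(entries):
    """Run check_entry over a {path: file text} mapping and return [(path, reason)] for every hit."""
    results = [(path, check_entry(path, text)) for path, text in entries.items()]
    return [(path, reason) for path, reason in results if reason]

# Constructed sample files: one legitimate Conky autostart entry and two masquerading persistence entries.
SAMPLE_ENTRIES = {
    "~/.config/autostart/conky.desktop": "[Desktop Entry]\nType=Application\nName=Conky\nExec=/usr/bin/conky -d\n",
    "~/.config/autostart/conky-monitor.desktop": "[Desktop Entry]\nType=Application\nName=Conky System Monitor\nExec=/home/user/.local/bin/.monitor\n",
    "~/.config/systemd/user/conky.service": "[Unit]\nDescription=Conky system monitor\n[Service]\nExecStart=-/home/user/.local/bin/.monitor\nRestart=always\n",
}
HITS = hunt(SAMPLE_ENTRIES)  # the two masquerading entries
```

On a real host, feed it the contents of ~/.config/autostart/*.desktop and ~/.config/systemd/user/*.service for each user, and treat any hit as a lead to pivot on the referenced binary.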

Key Entities

  • Harvester (apt_group)
  • Malware (attack_type)
  • Afghanistan (country)
  • India (country)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • Government (industry)
  • Telecommunications (industry)
  • GoGra (malware)
  • GoGra Backdoor (malware)
  • Graphon (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1070 - Indicator Removal (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • BSD (platform)
  • Linux (platform)
  • Windows (platform)
  • Outlook (company)
  • Microsoft Graph API (tool)