
Harvester APT Group Unveils New GoGra Linux Backdoor Utilizing Microsoft Graph API

Severity: High (Score: 75.5)

Sources: Security, www.broadcom.com, Bleepingcomputer

Summary

The Harvester APT group has released a new Linux variant of its GoGra backdoor, leveraging the Microsoft Graph API and Outlook mailboxes for command-and-control communications. This malware targets victims primarily in India and Afghanistan, utilizing social engineering tactics to trick users into executing disguised ELF binaries as PDF files. The Linux GoGra backdoor shares code similarities with its Windows counterpart, indicating a coordinated development effort. It employs hardcoded Azure AD credentials to authenticate with Microsoft’s cloud services, allowing it to poll a specific mailbox folder named 'Zomato Pizza' for commands. The malware executes commands received via email and deletes the original command emails to minimize detection. While no victims have been confirmed yet, the tailored approach and regional focus suggest a targeted espionage campaign. Harvester has been active since at least 2021, primarily targeting government and telecommunications sectors in South Asia.

Key Points:

  • Harvester APT group has developed a new Linux variant of the GoGra backdoor.
  • The malware uses Microsoft Graph API for covert command-and-control communications.
  • Initial access is gained through social engineering tactics involving disguised ELF binaries.
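Added illustration, not code from the Broadcom write-up or from the GoGra sample: a small Python hunt for the delivery trick described above, files that carry a .pdf extension but whose first bytes are the ELF magic rather than a PDF header. The directory contents are constructed sample data, and the extension set and function names are this example's own assumptions.

```python
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF executable
PDF_MAGIC = b"%PDF"      # first four bytes of a real PDF document
DOC_EXTENSIONS = {".pdf"}  # assumption: extend with other document types as needed


def classify(path):
    """Return 'elf', 'pdf' or 'other' from the file's magic bytes, not its name."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return "other"  # unreadable file: skip rather than crash the sweep
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def find_disguised_elf(root):
    """Walk root and return sorted paths whose extension claims a document
    while the magic bytes identify an ELF executable."""
    suspicious = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in DOC_EXTENSIONS:
            if classify(path) == "elf":
                suspicious.append(str(path))
    return sorted(suspicious)


def build_sample_dir():
    """Constructed sample data: a benign PDF, an ELF header under a plain name,
    and an ELF header saved as 'invoice.pdf' (no real malware involved)."""
    root = tempfile.mkdtemp(prefix="elf_hunt_")
    elf_stub = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # minimal ELF64 e_ident
    (Path(root) / "report.pdf").write_bytes(b"%PDF-1.7\n%constructed\n")
    (Path(root) / "tool").write_bytes(elf_stub)
    (Path(root) / "invoice.pdf").write_bytes(elf_stub)
    return root


if __name__ == "__main__":
    for hit in find_disguised_elf(build_sample_dir()):
        print("ELF disguised as document:", hit)
```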

Key Entities

  • Harvester (apt_group)
  • Malware (attack_type)
  • Afghanistan (country)
  • India (country)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • Government (industry)
  • Telecommunications (industry)
  • GoGra (malware)
  • Graphon (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1070 - Indicator Removal (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1140 - Deobfuscate/Decode Files Or Information (mitre_attack)
  • BSD (platform)
  • Linux (platform)
  • Windows (platform)
  • Outlook (company)
  • Microsoft Graph API (tool)