Harvester’s Linux GoGra Backdoor Targets South Asia Using Microsoft Graph API

Harvester’s New Linux GoGra Backdoor Exploits Microsoft Graph API in South Asia

A sophisticated cyber espionage campaign has been identified, targeting entities in South Asia through a newly developed Linux variant of the GoGra backdoor. This operation is attributed to the threat actor known as Harvester, which has a history of deploying advanced malware to infiltrate critical sectors.

The GoGra backdoor is engineered to abuse the Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel. Because tasking and results travel through a legitimate cloud service, the malicious traffic blends in with normal Microsoft 365 activity and bypasses network defenses that rely on spotting unknown C2 infrastructure. According to a report by the Symantec and Carbon Black Threat Hunter Team, this technique significantly enhances the stealth and persistence of the malware within compromised systems.

Artifacts related to this malware were discovered on the VirusTotal platform, with submissions originating from India and Afghanistan. This suggests that organizations within these countries are primary targets of Harvester’s espionage activities.

Background on Harvester:

First documented by Symantec in late 2021, Harvester has been linked to information-stealing campaigns targeting the telecommunications, government, and information technology sectors in South Asia since June 2021. The group initially utilized a custom implant named Graphon, which also leveraged the Microsoft Graph API for C2 communications.

In August 2024, Harvester was connected to an attack on an unnamed media organization in South Asia, deploying a previously unseen Go-based backdoor called GoGra. The recent findings indicate that Harvester is expanding its toolkit to include Linux systems, demonstrating a strategic evolution in its attack methodologies.

Technical Details of the Linux GoGra Backdoor:

The Linux variant of GoGra employs social engineering tactics to deceive victims into executing ELF binaries disguised as PDF documents. Upon execution, the dropper displays a decoy document while covertly installing the backdoor.

Once active, the backdoor uses the Microsoft Graph API to interact with a specific Outlook mailbox folder named "Zomato Pizza". It polls this folder every two seconds using Open Data Protocol (OData) queries, searching for emails whose subject lines begin with "Input".

When such an email is found, the backdoor decodes the Base64-encoded message body and executes the contained commands via /bin/bash. The execution results are then sent back to the attacker in an email with the subject "Output". To cover its tracks, the malware deletes the original tasking email after processing it.
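As an added example (not code from the Symantec report or from Harvester's tooling), the following Python scans constructed proxy-log lines for the tasking pattern described above: tight-interval Graph API reads of a mailbox's messages filtered on subjects starting with "Input". The log format, hostnames and URL shapes are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed proxy log format: "<ISO timestamp> <client host> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|DELETE) (\S+)$")
GRAPH_HOST = "graph.microsoft.com"
# OData filter selecting subjects that start with 'Input' (the tasking convention described above)
FILTER_RE = re.compile(r"startswith\(subject,\s*'Input", re.IGNORECASE)

# Constructed sample lines: host-a shows the two-second tasking poll, host-b is an ordinary mail client
SAMPLE_LOG = """\
2024-08-01T10:00:00 host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input')
2024-08-01T10:00:02 host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input')
2024-08-01T10:00:04 host-a GET https://graph.microsoft.com/v1.0/me/mailFolders/AAMk/messages?$filter=startswith(subject,'Input')
2024-08-01T10:00:00 host-b GET https://graph.microsoft.com/v1.0/me/messages?$top=10
2024-08-01T10:30:00 host-b GET https://graph.microsoft.com/v1.0/me/messages?$top=10
"""

def parse_line(line):
    # Split one log line into (timestamp, host, method, url); None if it does not match the format
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url = m.groups()
    return datetime.fromisoformat(ts), host, method, url

def detect_tasking_polls(log_text, max_gap_s=5.0, min_hits=3):
    """Return {host: reason} for hosts repeatedly polling Graph mail for 'Input' subjects."""
    polls = defaultdict(list)  # host -> timestamps of matching Graph message queries
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, method, url = rec
        parts = urlsplit(url)
        if method != "GET" or parts.netloc != GRAPH_HOST or "/messages" not in parts.path:
            continue
        odata_filter = " ".join(parse_qs(parts.query).get("$filter", []))
        if FILTER_RE.search(odata_filter):
            polls[host].append(ts)
    alerts = {}
    for host, times in polls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Flag only sustained, tight-cadence polling; a single filtered query is not enough
        if len(times) >= min_hits and gaps and max(gaps) <= max_gap_s:
            alerts[host] = f"{len(times)} Graph mail polls for subject 'Input', max gap {max(gaps):.0f}s"
    return alerts
```

The same logic applies to Graph API sign-in or activity logs once the timestamp, client and query fields are mapped to the assumed columns.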

Despite differences in deployment architectures and operating systems, the core C2 logic of the Linux and Windows versions of GoGra remains consistent. Notably, both variants share identical hard-coded spelling errors, indicating that the same developer is responsible for both tools.

Implications and Recommendations:

The development of a Linux-specific backdoor underscores Harvester's commitment to broadening the range of platforms it can compromise and enhancing its ability to reach a wider array of targets. Organizations, particularly those in South Asia, should be vigilant and implement robust security measures to detect and mitigate such sophisticated threats.

Security teams are advised to monitor for unusual activities related to the Microsoft Graph API and scrutinize any unexpected communications with Outlook mailboxes. Regular security audits, employee training on recognizing phishing attempts, and the deployment of advanced threat detection systems are essential steps in defending against such evolving cyber threats.