The Harvester APT group has added a Linux variant of its GoGra backdoor that hides its command-and-control (C2) traffic inside legitimate Microsoft services. Harvester was previously known for Windows-based espionage campaigns; the Linux sample was attributed to the group through code overlap with its earlier tooling, so the variant marks a deliberate move to cross-platform operations by a known actor rather than the appearance of a new one.
GoGra uses the Microsoft Graph API and an Outlook mailbox as its C2 channel. From the network's point of view the implant only ever talks to Microsoft endpoints over TLS, so hostname reputation, IP blocklists and other destination-based perimeter controls see nothing unusual; that, not any exotic protocol, is the evasion. The Symantec and Carbon Black Threat Hunter Team identified the Linux sample as part of Harvester's continuing investment in its espionage toolset. Early VirusTotal submissions point to targets in India and Afghanistan, and the decoy documents are localized for those audiences.
Initial access is social engineering. The lure is delivered as what looks like a document, but the file is a Linux executable whose name ends in a document extension such as ".pdf" plus a subtle space, so it reads as a PDF in a file listing while the file itself is an ELF that runs when opened. That lure is a Go dropper with a 5.9 MB i386 executable embedded in it; the dropper writes the payload to a fixed directory and makes it survive reboots and logouts by registering both a systemd user unit and an XDG autostart entry, so the implant comes back with the next user session whichever of the two mechanisms the desktop environment honours.
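The two persistence mechanisms described above are cheap to audit. The following is an added example written for this page, not code from the Symantec write-up or from the malware: it walks a user's systemd user-unit and XDG autostart directories, extracts the binary each entry launches (handling systemd's `%h` specifier and prefix characters), flags binaries that live under the home directory or tmpfs-style paths, and reports any binary registered through both mechanisms at once, which is the pattern reported for GoGra. The demo home directory it builds, and every file and path name in it, are constructed placeholders rather than real indicators.

```python
"""Audit per-user Linux persistence: systemd user units and XDG autostart.

Added example, not code from the Symantec write-up or from the malware.
GoGra is reported to register both a systemd user unit and an XDG autostart
entry, so this walks both locations under a home directory, extracts the
binary each one launches, flags binaries that live in user-writable places,
and reports binaries registered through both mechanisms at once.
"""
import os
import re
import shlex
import shutil
import tempfile

UNIT_DIR = ".config/systemd/user"       # systemd --user units (XDG default location)
AUTOSTART_DIR = ".config/autostart"     # XDG autostart .desktop files

# A login-time service has little business launching from these.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

_EXEC_RE = re.compile(r"^\s*(ExecStart|Exec)\s*=\s*(.*?)\s*$")


def launched_binary(value, home):
    """argv[0] of an ExecStart=/Exec= value.

    Expands systemd's %h specifier to the home directory, strips systemd's
    prefix characters (-, @, +, !, :) and skips an `env` wrapper, so that
    `-%h/.local/bin/x --daemon` and `env FOO=1 /x` both resolve to the binary.
    """
    value = value.replace("%h", home)
    try:
        argv = shlex.split(value)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        argv = value.split()
    i = 0
    if argv and argv[0].lstrip("-@+!:") in ("env", "/usr/bin/env"):
        i = 1
        while i < len(argv) and "=" in argv[i]:   # skip VAR=value assignments
            i += 1
    return argv[i].lstrip("-@+!:") if i < len(argv) else ""


def is_suspicious(binary, home):
    """True for binaries under $HOME or tmpfs-style dirs, or bare names not on PATH."""
    if not binary:
        return False
    if not binary.startswith("/"):
        binary = shutil.which(binary) or binary
        if not binary.startswith("/"):
            return True          # bare name that resolves to nothing: cannot vouch for it
    return binary.startswith(home.rstrip("/") + "/") or binary.startswith(WRITABLE_PREFIXES)


def _scan(directory, suffix, source, home):
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(suffix):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = _EXEC_RE.match(line)
                if m:
                    binary = launched_binary(m.group(2), home)
                    findings.append({"source": source, "file": path, "binary": binary,
                                     "suspicious": is_suspicious(binary, home)})
    return findings


def audit_user_persistence(home):
    """All ExecStart=/Exec= targets registered under `home`, each with a suspicion flag."""
    return (_scan(os.path.join(home, UNIT_DIR), ".service", "systemd-user", home)
            + _scan(os.path.join(home, AUTOSTART_DIR), ".desktop", "xdg-autostart", home))


def doubly_persisted(findings):
    """Binaries registered through BOTH mechanisms, the belt-and-braces pattern reported for GoGra."""
    per_source = {}
    for f in findings:
        per_source.setdefault(f["source"], set()).add(f["binary"])
    return per_source.get("systemd-user", set()) & per_source.get("xdg-autostart", set())


def build_demo_home():
    """Throwaway home directory with CONSTRUCTED entries (placeholder names, not real IOCs):
    one ordinary autostart entry plus one home-resident binary registered both ways."""
    home = tempfile.mkdtemp(prefix="persist-audit-")
    unit_dir, auto_dir = os.path.join(home, UNIT_DIR), os.path.join(home, AUTOSTART_DIR)
    os.makedirs(unit_dir)
    os.makedirs(auto_dir)
    with open(os.path.join(unit_dir, "update-agent.service"), "w") as fh:
        fh.write("[Unit]\nDescription=Update agent\n\n[Service]\n"
                 "ExecStart=-%h/.local/share/agent/agent --daemon\nRestart=always\n\n"
                 "[Install]\nWantedBy=default.target\n")
    with open(os.path.join(auto_dir, "update-agent.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Update Agent\nNoDisplay=true\n"
                 f"Exec={home}/.local/share/agent/agent --daemon\n")
    with open(os.path.join(auto_dir, "keyring.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Keyring\n"
                 "Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets\n")
    return home


if __name__ == "__main__":
    home = os.path.expanduser("~")
    results = audit_user_persistence(home)
    for r in results:
        print(("!!" if r["suspicious"] else "  "), r["source"], r["file"], "->", r["binary"])
    for b in doubly_persisted(results):
        print("registered via BOTH mechanisms:", b)
```

Run as a script it audits the current user's home; run across `/home/*` from a root shell to cover a whole host. A home-resident binary in either location is worth a look on its own; the same binary in both is the stronger signal, since ordinary desktop software rarely needs both hooks.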
The C2 loop is built entirely on Microsoft's own APIs. The binary carries hard-coded Azure AD (now Entra ID) application credentials, uses them to obtain OAuth2 tokens from Microsoft, and then polls one folder of the mailbox at a fixed interval through the Graph API, selecting messages by subject line. A matching message is decrypted, its command executed, the output sent back to the operator by mail, and the original tasking message deleted so that the mailbox itself holds little evidence. Two practical consequences follow. Because the credentials are baked into the sample, the mailbox sits in a tenant the operator controls rather than the victim's, so the victim organization's own Microsoft 365 audit logs will not record the tasking; and because every request is a well-formed Graph call to a legitimate host, detection has to come from the endpoint (an unexpected process obtaining tokens and polling mail) or from the rhythm of the traffic, not from its destination.
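Since the destination is legitimate, the cadence is the hunting handle. The following is an added example written for this page, not code from Symantec or from the malware: it reads egress proxy records, groups Graph mail-folder polls per source host, measures how regular the polling interval is (coefficient of variation of the gaps), and reports hosts that poll on a near-constant period, together with the token requests and message deletions seen from the same host. The log format, the hosts, the tenant and mailbox names, and the thresholds are all constructed for the example; treating a non-browser user agent such as Go's default as a hint is an assumption of this example, not a confirmed GoGra indicator.

```python
"""Hunt for mailbox-polling C2 in egress proxy logs.

Added example, not from the Symantec write-up. GoGra is reported to fetch an
OAuth2 token from Microsoft with hard-coded app credentials, poll one mailbox
folder through the Graph API at a fixed interval, and delete tasking messages
after use. Every request goes to a legitimate Microsoft host, so the signal is
the rhythm: near-constant polling of the Graph mail endpoints from one host,
with token requests and message deletions mixed in.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# CONSTRUCTED sample proxy log, one record per line: ts src_ip method host path "user-agent".
# 10.1.4.22 shows the pattern described above; 10.1.4.37 is ordinary, irregular mail use.
# Tenant, mailbox and message identifiers are placeholders, not real IOCs.
SAMPLE_LOG = """\
2024-06-03T09:00:00Z 10.1.4.22 POST login.microsoftonline.com /tenant-id-placeholder/oauth2/v2.0/token "Go-http-client/1.1"
2024-06-03T09:00:01Z 10.1.4.22 GET graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/mailFolders/Inbox/messages "Go-http-client/1.1"
2024-06-03T09:01:01Z 10.1.4.22 GET graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/mailFolders/Inbox/messages "Go-http-client/1.1"
2024-06-03T09:02:01Z 10.1.4.22 GET graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/mailFolders/Inbox/messages "Go-http-client/1.1"
2024-06-03T09:02:02Z 10.1.4.22 DELETE graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/messages/AAMk-placeholder "Go-http-client/1.1"
2024-06-03T09:02:03Z 10.1.4.22 POST graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/sendMail "Go-http-client/1.1"
2024-06-03T09:03:01Z 10.1.4.22 GET graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/mailFolders/Inbox/messages "Go-http-client/1.1"
2024-06-03T09:04:01Z 10.1.4.22 GET graph.microsoft.com /v1.0/users/operator-mailbox-placeholder/mailFolders/Inbox/messages "Go-http-client/1.1"
2024-06-03T09:00:10Z 10.1.4.37 GET graph.microsoft.com /v1.0/me/mailFolders/Inbox/messages "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2024-06-03T09:00:17Z 10.1.4.37 GET graph.microsoft.com /v1.0/me/mailFolders/Inbox/messages "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2024-06-03T09:01:45Z 10.1.4.37 GET graph.microsoft.com /v1.0/me/messages/AAMk-other-placeholder "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2024-06-03T09:01:50Z 10.1.4.37 GET graph.microsoft.com /v1.0/me/mailFolders/Inbox/messages "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
2024-06-03T09:03:40Z 10.1.4.37 GET graph.microsoft.com /v1.0/me/mailFolders/Inbox/messages "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
POLL_RE = re.compile(r"/mailFolders/[^/]+/messages(?:\?.*)?$")   # list messages in one folder
TOKEN_RE = re.compile(r"/oauth2(?:/v2\.0)?/token$")               # Entra ID token endpoint
# ASSUMPTION for triage only: substrings that suggest a browser or Office client.
BROWSER_UA_HINTS = ("Mozilla/", "Outlook", "Microsoft Office")


def parse_log(text):
    """Parse the constructed record format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path, ua = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                       "method": method, "host": host, "path": path, "ua": ua})
    return events


def find_mailbox_beacons(text, min_polls=4, max_cv=0.25):
    """Hosts polling a Graph mail folder on a near-constant period.

    A host is reported when it issued at least `min_polls` folder listings and the
    gaps between them have a coefficient of variation (stdev/mean) of at most
    `max_cv`. Token requests, message deletions and user agents are attached
    as context so an analyst can see the full loop in one row.
    """
    per_host = defaultdict(lambda: {"polls": [], "token_requests": 0,
                                    "message_deletes": 0, "user_agents": set()})
    for e in parse_log(text):
        h = per_host[e["src"]]
        if e["host"] == "login.microsoftonline.com" and TOKEN_RE.search(e["path"]):
            h["token_requests"] += 1
        elif e["host"] == "graph.microsoft.com":
            h["user_agents"].add(e["ua"])
            if e["method"] == "GET" and POLL_RE.search(e["path"]):
                h["polls"].append(e["ts"])
            elif e["method"] == "DELETE" and "/messages/" in e["path"]:
                h["message_deletes"] += 1
    hits = []
    for src, h in per_host.items():
        times = sorted(h["polls"])
        if len(times) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv > max_cv:
            continue
        hits.append({"src": src, "polls": len(times), "period_s": round(mean, 1),
                     "cv": round(cv, 3), "token_requests": h["token_requests"],
                     "message_deletes": h["message_deletes"],
                     "non_browser_ua": not any(hint in ua for ua in h["user_agents"]
                                               for hint in BROWSER_UA_HINTS)})
    return sorted(hits, key=lambda r: r["src"])


if __name__ == "__main__":
    for hit in find_mailbox_beacons(SAMPLE_LOG):
        print(hit)
```

The thresholds are starting points, not tuned values: real mail clients also poll, but with user-driven jitter and from a recognisable client, so the combination of a flat period, a non-browser agent and DELETE calls against individual messages is what earns a row a closer look. A hit here is a triage lead for the host, not a reason to block graph.microsoft.com.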
Defenders should load the indicators of compromise from the Symantec write-up into their tooling and confirm that endpoint coverage actually extends to Linux workstations, which are often far thinner on telemetry than Windows fleets. Two cheap hunts follow directly from the behaviour above: review per-user systemd units and XDG autostart entries for binaries living under home directories, and look in proxy or DNS telemetry for Linux hosts that contact graph.microsoft.com on a fixed cadence from a non-browser client. Organizations in the targeted regions, particularly South Asia, should treat this as an active espionage threat from the Harvester group. The Symantec Protection Bulletin carries the current protection updates.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra