GoGra lurks in the cloud: no one is safe from a new attack

The new backdoor uses Outlook and OneDrive to mask its activity.

In November 2023, an unnamed media organization in South Asia was attacked using previously unknown malicious software called GoGra. According to a report from Symantec, GoGra is written in Go and uses the Microsoft Graph API to interact with a command and control server (C2) hosted on Microsoft email services.

How GoGra is delivered to target systems is still unknown, but in the campaign under review it is known for certain that GoGra was configured to read messages from an Outlook user named "FNU LNU" whose subject starts with the word "Input". The message contents were decrypted with AES-256 in Cipher Block Chaining (CBC) mode, and the resulting commands were executed via cmd.exe. The command output was encrypted the same way and sent back to the same user with the subject "Output".
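The tasking loop described above, modelled offline as an added example (this is not GoGra's code or code from the Symantec report). It keeps only what the report states: the sender name "FNU LNU", the "Input"/"Output" subject convention and AES-256-CBC. Everything else is an assumption labelled in the code: the message body is taken to be base64(IV || ciphertext) with PKCS#7 padding, the key is derived from a made-up passphrase, the inbox is a constructed sample rather than a Graph API response, and command execution is replaced by a caller-supplied function instead of cmd.exe. The point is to see which messages the filter picks up and what a captured "Output" message decrypts to once a key is recovered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// mailMessage is a minimal stand-in for a message object returned by the
// Graph API (GET /me/messages); only the fields the description needs.
type mailMessage struct {
	FromName string
	Subject  string
	Body     string // assumed wire form: base64(IV || AES-256-CBC ciphertext)
}

const operatorName = "FNU LNU" // mailbox user named in the Symantec report

// PKCS#7 padding is assumed; the report does not state which padding is used.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC: AES-256-CBC with a fresh random IV, IV prepended, base64 encoded.
func encryptCBC(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// decryptCBC reverses encryptCBC and rejects truncated or unaligned input.
func decryptCBC(key []byte, body string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("body is not IV plus whole ciphertext blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// selectTasking applies the filter from the report: sender "FNU LNU" AND a
// subject beginning with "Input". Either condition alone is not enough.
func selectTasking(inbox []mailMessage) []mailMessage {
	var out []mailMessage
	for _, m := range inbox {
		if m.FromName == operatorName && strings.HasPrefix(m.Subject, "Input") {
			out = append(out, m)
		}
	}
	return out
}

// handleTasking models one round trip: decrypt the command, run it through the
// supplied executor (the real implant used cmd.exe), and encrypt the result
// into a reply with subject "Output".
func handleTasking(key []byte, task mailMessage, exec func(string) string) (mailMessage, error) {
	cmd, err := decryptCBC(key, task.Body)
	if err != nil {
		return mailMessage{}, fmt.Errorf("decrypt %q: %w", task.Subject, err)
	}
	body, err := encryptCBC(key, []byte(exec(string(cmd))))
	if err != nil {
		return mailMessage{}, err
	}
	return mailMessage{FromName: "victim", Subject: "Output", Body: body}, nil
}

func main() {
	key := sha256.Sum256([]byte("example-key-not-from-the-report")) // assumed key derivation
	body, _ := encryptCBC(key[:], []byte("whoami"))
	inbox := []mailMessage{ // constructed sample inbox, not real traffic
		{FromName: "HR", Subject: "Input your timesheet", Body: "ignored"},
		{FromName: operatorName, Subject: "Re: lunch", Body: "ignored"},
		{FromName: operatorName, Subject: "Input 1", Body: body},
	}
	for _, t := range selectTasking(inbox) {
		reply, err := handleTasking(key[:], t, func(c string) string { return "ran: " + c })
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		pt, _ := decryptCBC(key[:], reply.Body)
		fmt.Printf("%s -> %s: %s\n", t.Subject, reply.Subject, pt)
	}
}
```

Because the traffic is ordinary Graph API mail access over TLS, the distinguishing signal for a defender is not the transport but the mailbox pattern: an unusual sender name, paired "Input"/"Output" subjects with opaque base64 bodies, and a process that is not Outlook holding a Graph token. Audit log queries along those lines are where hunting for this family would start.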

GoGra is believed to have been developed by a group known as Harvester, because of its similarity to Graphon, a custom .NET implant that also uses the Graph API for C2 operations. The case highlights the growing tendency of attackers to use legitimate cloud services to disguise their activity and avoid having to purchase dedicated infrastructure.

Other new malware families that use similar techniques include:
  • A data exfiltration tool used in a cyberattack on a military organization in Southeast Asia. The collected information is uploaded to Google Drive using a hard-coded refresh token.
  • A new backdoor called Grager was used against three organizations in Taiwan, Hong Kong and Vietnam in April this year. It uses the Graph API to connect to a C2 server hosted on Microsoft OneDrive. Grager also has ties to the Chinese group UNC5330.
  • The MoonTag backdoor, which has functionality for communicating with the Graph API and is attributed to Chinese-speaking hackers.
  • Onedrivetools backdoor used against IT companies in the US and Europe. It communicates with the C2 server on OneDrive to execute commands and save results.

Symantec notes that using cloud services for command-and-control infrastructure is not a new technique, but a growing number of attackers have recently adopted it. Malware such as BLUELIGHT, Graphite, Graphican and BirdyClient are earlier examples. This uptake suggests that threat groups watch each other's successful techniques and fold them into their own tooling to work more efficiently.
