GoGra Linux Backdoor Hides C2 in Outlook Mailboxes
Key Takeaways The Harvester APT group, a nation-state-linked threat actor, has developed a new Linux variant of its GoGra backdoor. This sophisticated malware uses legitimate Microsoft Outlook...
Key Takeaways
- The Harvester APT group, a nation-state-linked threat actor, has developed a new Linux variant of its GoGra backdoor.
- This sophisticated malware uses legitimate Microsoft Outlook mailboxes and the Microsoft Graph API for covert command-and-control (C2) communications, making detection difficult.
- The campaign primarily targets entities in South Asia, including India and Afghanistan, focusing on espionage.
- Initial access is gained through social engineering, with victims opening malicious Linux ELF binaries disguised as legitimate documents.
Nation-State APT Harvester Unveils New Linux GoGra Backdoor Hiding C2 in Outlook
A sophisticated nation-state-sponsored hacking collective known as Harvester is actively deploying a novel Linux version of its GoGra backdoor, employing a highly evasive technique that leverages legitimate Microsoft Outlook mailboxes for command-and-control (C2) operations. This approach significantly complicates detection by conventional security measures.
Table Of Content
The Harvester APT, believed to be state-backed and operational since at least 2021, has expanded its toolkit with this new Linux variant. The updated malware weaponizes the standard Microsoft Graph API and authentic Outlook mailboxes to establish a clandestine C2 channel. By routing its communications through trusted Microsoft cloud infrastructure, the backdoor effectively circumvents traditional perimeter network defenses, which are typically unprepared to flag seemingly legitimate email traffic as malicious.
Analysts at Symantec and Carbon Black were instrumental in identifying this new Linux malware, confirming it as an evolution of Harvester’s existing Windows espionage campaigns. Researchers noted significant code overlap between the new Linux version and its Windows predecessor, underscoring the group’s concerted effort to broaden its cross-platform attack capabilities. This development signals Harvester’s ongoing evolution and commitment to expanding its operational scope across a wider array of operating systems and devices.
Targeting and Initial Access
The current campaign appears to be geared toward espionage rather than financial motives. Initial submissions of the malware samples to VirusTotal originated from India and Afghanistan, indicating a continued focus on organizations and individuals within South Asia. The attackers further employed localized decoy documents, featuring cultural names and services relevant to the region, highlighting a deliberate and highly tailored targeting strategy consistent with Harvester’s historical espionage activities in South Asia.
Harvester gains initial access through social engineering tactics. Victims are lured into opening malicious Linux ELF binaries disguised as innocuous documents, such as “TheExternalAffairesMinister. pdf” and “Details Format. pdf.” Upon execution, the infection process commences silently in the background, with the malware establishing persistence mechanisms to ensure its survival across system reboots.
How the Backdoor Abuses Microsoft Infrastructure
The most technically innovative aspect of this backdoor lies in its transformation of legitimate Microsoft cloud services into a surreptitious communication pathway. Following the initial compromise, a Go dropper deploys an approximately 5.9 MB i386 executable payload to the path “~/.config/systemd/user/userservice.” To maintain persistence across system restarts, the malware configures a systemd user unit and an XDG autostart entry, masquerading as the legitimate “Conky” Linux system monitor.
The embedded payload contains hardcoded Azure AD application credentials, including a tenant ID, client ID, and client secret, stored in plain text. These credentials enable the malware to directly request OAuth2 tokens from Microsoft, initiating communications through a genuine Outlook mailbox folder named “Zomato Pizza.” The backdoor then polls this folder for new instructions every two seconds.
When an attacker issues a command, the malware retrieves incoming emails with subjects beginning with “Input.” It then decrypts the AES-CBC encrypted, base64-encoded message body and executes the command on the compromised host using /bin/bash. The results are encrypted with the same AES key and transmitted back to the attacker via an email reply with the subject “Output.” After sending the results, the implant performs an HTTP DELETE request to erase the original command email, thereby minimizing traces of the exchange.
What You Should Do
- Audit Linux Systems: Regularly inspect autostart entries and systemd user units on Linux systems for any unexpected or unknown services, particularly those mimicking legitimate tools like Conky.
- Monitor OAuth2 and Graph API Activity: Security teams should diligently monitor OAuth2 token requests and Microsoft Graph API activity originating from endpoints that do not typically utilize these services.
- Restrict Azure AD Credentials: Block or restrict Azure AD application credentials that are not recognized or authorized by your organization to mitigate the risk of this type of abuse.
- Threat Hunt for Malicious Binaries: Actively search for ELF binaries with fake appended extensions in user directories, as well as any suspicious files written to “~/.config/systemd/user/” paths by non-standard processes.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.