Nation-state, Apr 23, 2026

Harvester APT Expands Spying Operations with New GoGra Linux Malware

Harvester APT deploys GoGra Linux malware targeting South Asia using Microsoft APIs for C2.

Summary

Harvester, a nation-state-backed APT group active since 2021, has developed GoGra, a new Linux backdoor targeting systems in India and Afghanistan. The malware uses social engineering with spoofed PDFs and leverages Microsoft Graph API and Outlook mailboxes as covert command-and-control channels, communicating via encrypted emails. Analysis reveals GoGra shares code similarities with Graphon, the group's Windows-based predecessor, confirming the same developers behind both tools.

Full text

New GoGra Linux malware linked to Harvester APT targets systems in South Asia, using fake PDFs and Microsoft APIs for covert command and control.

By Deeba Ahmed, April 23, 2026, 3 minute read

A nation-state-backed Advanced Persistent Threat (APT) group identified as Harvester has, reportedly, developed a new, malicious backdoor called GoGra to spy on Linux computers across India and Afghanistan. This group has been active since at least June 2021, and previously attacked Windows computers mainly in South Asia. However, researchers from Symantec and Carbon Black have now reported that Linux systems are on their latest hit list.

According to researchers, the group uses social engineering to trick victims. They send out emails containing malicious attachments named after trusted services or entities. For example, some files were named after Zomato, a popular food delivery app in India, whereas other decoys included umrah.pdf, which refers to the religious pilgrimage for Muslims, or TheExternalAffairesMinister. pdf.

How the trick works

The hackers cleverly name a file something like “Zomato Pizza.pdf,” placing a tiny space between the name and the extension, which fools the recipient into thinking it is a simple document, but the computer sees it as a Linux ELF binary program and runs it. Once the file is opened, a Go dropper shows a fake PDF or document so the user doesn’t get suspicious.

When the victim is busy checking the document, GoGra writes files to a hidden folder called ~/.config/systemd/user/userservice, and to stay hidden, it pretends to be a regular system monitor called Conky. This way, every time the computer restarts, GoGra starts running again.

Using Microsoft to hide

Researchers note that what makes this attack stand out is how the hackers communicate with the infected computers. Instead of using their own servers, they hide their traffic inside legitimate Microsoft services, Microsoft Graph API and Outlook mailboxes, which act as their “covert command-and-control (C2) channel,” researchers explained.

The software contains stolen Azure AD credentials, including a tenant ID, a client ID, and a client secret. The client secret acts as a private authentication key, allowing GoGra to prove its identity to Microsoft’s servers so it can log in securely.

Every two seconds, the malware uses OData (Open Data Protocol) queries to check a specific Outlook folder for emails with the subject line “Input.” These emails contain commands hidden with AES-CBC encryption, and once the malware carries out a task, it emails the results back with the subject line “Output” and then uses a DELETE command to wipe the evidence.

Same hackers, different systems

Further investigation revealed that this Linux version of GoGra is nearly identical to another backdoor called Graphon, which Harvester used to attack Windows computers in the past. This was confirmed by the same spelling mistakes in the computer code for both versions. Typos like “ExcuteCommand” and “error occured” appeared in the malware’s code for both systems.

“Harvester is believed to be a nation-state-backed group that has been active since at least 2021. It is known to use both custom malware and publicly available tools in its attacks. One of its tools is a custom backdoor called Graphon, which has similarities with GoGra and also uses Microsoft infrastructure for its C2 activity,” the blog post reads.

These shared errors helped researchers prove that the same developers are behind both tools. The discovery of this Linux-based malware shows that the Harvester group is working hard to make its spying tools more flexible and harder to detect across different systems.
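One defensive check suggested by the disguised-attachment trick described above, written here as an added example (not code from the article or from Symantec/Carbon Black): it flags files whose name reads as a document but whose first bytes are the ELF magic, and records whether a space sits between the base name and the extension. The sample file tree it scans is constructed inside the script and contains no real malware.

```python
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"
# Apparent document extension; \s* around the dot catches the disguise space.
DOC_EXT_RE = re.compile(r"\s*\.\s*(pdf|docx?|xlsx?|pptx?)\s*$", re.IGNORECASE)


def looks_like_document(name: str) -> bool:
    """True when a user would read the file name as ending in a document extension."""
    return DOC_EXT_RE.search(name) is not None


def has_disguise_space(name: str) -> bool:
    """True when whitespace separates the base name from the extension."""
    m = DOC_EXT_RE.search(name)
    return m is not None and any(c.isspace() for c in m.group(0))


def is_elf(path: str) -> bool:
    """Trust the magic bytes, not the extension."""
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def find_disguised_elf(directory: str) -> list:
    """Walk a directory and report files that present as documents but are ELF binaries."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not looks_like_document(name):
                continue
            path = os.path.join(root, name)
            if is_elf(path):
                findings.append({"path": path, "disguise_space": has_disguise_space(name)})
    return findings


def demo_findings() -> list:
    """Build a constructed sample tree (no real samples) and scan it; returns flagged base names."""
    d = tempfile.mkdtemp()
    samples = {
        "Zomato Pizza .pdf": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9,  # constructed ELF header
        "umrah. pdf": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9,         # constructed ELF header
        "real.pdf": b"%PDF-1.7\n",  # genuine document, must not be flagged
        "notes.txt": ELF_MAGIC,     # ELF without a document extension, outside this rule
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return sorted(os.path.basename(f["path"]) for f in find_disguised_elf(d))
```

Run find_disguised_elf over a mail attachment or Downloads directory to triage; a match with disguise_space set is the exact pattern the article describes.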

Indicators of Compromise

  • malware — GoGra
  • malware — Graphon

Entities

  • Harvester APT (threat_actor)
  • Microsoft (vendor)
  • Symantec (vendor)
  • Carbon Black (vendor)
  • Microsoft Graph API (technology)
  • Azure AD (technology)