GoGra Backdoor
In November 2023, a South Asian media organization was targeted using a newly discovered Go-based backdoor known as GoGra. This malware, written in the Go programming language, leverages the Microsoft Graph API to communicate with a Command-and-Control (C&C) server hosted on Microsoft mail services. So far, the delivery method of GoGra to the target environments remains unknown. Notably, GoGra is designed to read messages from an Outlook account with the username 'FNU LNU,' specifically those with subject lines beginning with 'Input.'
GoGra Shares Similarities with Previously Uncovered Malware
The message contents are decrypted using the AES-256 algorithm in Cipher Block Chaining (CBC) mode by using a specific key. After decryption, the commands are executed via cmd.exe. The results are then encrypted and sent back to the same user with the subject 'Output.' GoGra is believed to be developed by a nation-state hacking group known as Harvester, due to its similarities with a custom .NET implant called Graphon, which also uses the Graph API for Command-and-Control (C&C) functions.
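A defender-side heuristic for the tasking loop described above, added here as an example that is not part of the original article or of any vendor tooling: it walks a constructed mailbox message trace and counts, per mailbox, 'Input' subjects that are answered by an 'Output' subject within a short window. The MailEvent record layout, the two-minute window and the sample addresses are assumptions for this example.

```go
package main
import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// MailEvent is a constructed, simplified row from a mailbox message trace.
type MailEvent struct {
	Mailbox, Subject string
	Received         time.Time
}

// DetectGoGraPattern walks messages in time order and counts, per mailbox,
// "Input" subjects answered by an "Output" subject within maxGap. The prefixes
// come from the GoGra description; maxGap is an assumed tuning threshold.
func DetectGoGraPattern(events []MailEvent, maxGap time.Duration) map[string]int {
	evs := append([]MailEvent(nil), events...) // copy so the caller's slice is untouched
	sort.Slice(evs, func(i, j int) bool { return evs[i].Received.Before(evs[j].Received) })
	pending := map[string]time.Time{} // mailbox -> time of its unanswered "Input"
	hits := map[string]int{}
	for _, e := range evs {
		if strings.HasPrefix(e.Subject, "Input") {
			pending[e.Mailbox] = e.Received
		} else if t, ok := pending[e.Mailbox]; ok && strings.HasPrefix(e.Subject, "Output") &&
			e.Received.Sub(t) <= maxGap {
			hits[e.Mailbox]++ // the reply closes one request/response loop
			delete(pending, e.Mailbox)
		}
	}
	return hits
}

// SampleEvents is constructed data: one mailbox showing the loop, one with an unmatched "Output".
func SampleEvents() []MailEvent {
	t0 := time.Date(2023, 11, 6, 9, 0, 0, 0, time.UTC)
	return []MailEvent{
		{"c2box@example.test", "Input task 1", t0},
		{"c2box@example.test", "Output task 1", t0.Add(40 * time.Second)},
		{"c2box@example.test", "Input task 2", t0.Add(5 * time.Minute)},
		{"user@example.test", "Output: Q3 report", t0.Add(time.Hour)},
	}
}

func main() {
	for box, n := range DetectGoGraPattern(SampleEvents(), 2*time.Minute) {
		fmt.Printf("%s: %d Input/Output exchanges within window\n", box, n)
	}
}
```

Subject prefixes alone are a weak signal, so in practice this would be combined with the mailbox's Graph API sign-in and application-consent history before raising an alert.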
Threat Actors Increasingly Exploit Legitimate Cloud Services
Threat actors are increasingly exploiting legitimate cloud services to remain discreet and avoid the costs associated with dedicated infrastructure.
Prominent examples of this trend include:
- Firefly: A new data exfiltration tool used in a cyber attack against a military organization in Southeast Asia. The harvested data is uploaded to Google Drive using a hard-coded refresh token.
- Grager: A new backdoor was discovered in April 2024, targeting organizations in Taiwan, Hong Kong, and Vietnam. It communicates with a Command-and-Control (C&C) server hosted on Microsoft OneDrive via the Graph API. This activity is tentatively linked to the suspected Chinese threat actor known as UNC5330.
- MoonTag: A backdoor with functionality for interacting with the Graph API attributed to a Chinese-speaking threat actor.
- Onedrivetools: A backdoor used against IT services companies in the U.S. and Europe. It employs the Graph API to communicate with a C&C server on OneDrive, executing commands and saving output to the same platform.
While using cloud services for Command and Control is not a new technique, its adoption among attackers has been increasing recently.
The Dangers of Backdoor Infections
A backdoor malware poses significant dangers to affected organizations or users, including:
- Unauthorized Access: Backdoors provide attackers with hidden access to systems, allowing them to bypass normal authentication mechanisms. This unauthorized access can lead to the compromise of sensitive data and critical systems.
- Data Theft: Attackers can use backdoors to exfiltrate confidential information, including personal data, intellectual property, and financial records. This harvested data can be used for identity theft, corporate espionage, or sold on the dark web.
- System Control and Manipulation: Once a backdoor is installed, attackers can gain control over affected systems. This control allows them to execute commands, install additional malware, alter system configurations, or manipulate data.
- Network Compromise: Backdoors often facilitate lateral movement within a network. Attackers can use an initial compromise to move laterally across connected systems, potentially affecting entire networks and increasing the scope of their attack.
- Disruption of Operations: Backdoor malware can disrupt normal business operations by causing system failures, deleting or encrypting critical files, or leading to performance issues. This can result in operational downtime and financial losses.
- Espionage and Surveillance: Backdoors can be used for espionage, allowing attackers to monitor and record user activities, communications, and interactions. This surveillance can compromise privacy and lead to the leakage of sensitive information.
- Reputation Damage: The presence of backdoor malware can damage the good name of an organization, leading to loss of customer trust and confidence. This can have long-term effects on business relationships and market position.
- Regulatory and Legal Consequences: Organizations may face legal and regulatory consequences if they cannot protect sensitive data. Data breaches involving backdoor malware can lead to fines, legal actions, and compliance issues.
In summary, backdoor malware presents a multifaceted threat that can compromise security, privacy, and operational integrity, making it essential for organizations and users to employ robust security measures and remain vigilant against potential intrusions.