Harvester APT Expands Surveillance Efforts with New GoGra Linux Malware

A nation-state-sponsored Advanced Persistent Threat (APT) group known as Harvester is reported to have developed a new backdoor, dubbed GoGra, built to infiltrate and monitor Linux systems in India and Afghanistan. The group has been active since at least June 2021 and initially targeted Windows systems, mainly across South Asia; recent research indicates a shift towards Linux environments.

Researchers from Symantec and Carbon Black report that Harvester relies on social engineering to reach its victims. The attackers send phishing emails with malicious attachments disguised as everyday files tied to well-known services or topical subjects. Some attachments borrow the name of popular platforms such as Zomato; others reference cultural or religious themes, such as umrah.pdf (after the Islamic pilgrimage) or TheExternalAffairesMinister.pdf.

How the Trick Works

The lure is simple but effective. An attachment may be named "Zomato Pizza.pdf", with a subtle space inserted between the name and the extension. To the user it looks like a harmless document, but the file is not a PDF at all: it is a Linux ELF executable whose name merely ends in .pdf, and Linux identifies file types by content rather than by extension, so the system treats it as a program. Opening it runs a Go dropper that displays a decoy PDF to keep the victim occupied while, in the background, it writes GoGra's files to a hidden directory, ~/.config/systemd/user/userservice. For persistence it installs a systemd user service named after Conky, a common desktop system-monitoring tool, so the implant is relaunched whenever the user's session starts and therefore survives reboots.
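Both artifacts described above can be checked for on an endpoint without any signature: a file whose name says "document" but whose first bytes are the ELF magic, and a systemd user unit whose ExecStart points into a dotfile directory under the home. The following Python is an added example written for this article, not code from Symantec or from the malware; the sample files, unit contents and the temporary "home" directory it builds are constructed for the demo, and the Conky unit name and userservice path follow the description above. The check is the same one `file(1)` performs, so `file ~/Downloads/*` gives a quick manual equivalent for the first half.

```python
"""Hunt for (1) document-named files that are really ELF binaries and
(2) systemd user units launching an executable from a hidden directory.
Added example; paths and sample files are constructed for the demo."""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
DOC_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# systemd allows prefixes such as '-', '@', '+', '!' before the executable path.
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*(?:-|@|\+|!)*\s*(\S+)", re.M)


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_disguised_elfs(root: Path) -> list:
    """Files whose name (trailing whitespace stripped, so 'Zomato Pizza.pdf '
    still counts) ends in a document suffix but whose content is ELF."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and Path(p.name.rstrip()).suffix.lower() in DOC_SUFFIXES and is_elf(p):
            hits.append(p)
    return sorted(hits)


def suspicious_user_units(unit_dir: Path) -> list:
    """(unit name, exec path) for *.service units whose ExecStart lives under
    a dot-directory (e.g. ~/.config/...) rather than a system binary path."""
    out = []
    for unit in unit_dir.glob("*.service"):
        m = EXEC_RE.search(unit.read_text(errors="replace"))
        if not m:
            continue
        exe = m.group(1)
        hidden = any(part.startswith(".") for part in Path(exe).parts)
        if hidden and not exe.startswith(("/usr/", "/bin/", "/opt/")):
            out.append((unit.name, exe))
    return sorted(out)


def demo() -> dict:
    """Build a throwaway home with one decoy ELF, one real PDF, one benign
    user unit and one staged in a hidden directory, then run both checks."""
    home = Path(tempfile.mkdtemp())
    dl = home / "Downloads"
    dl.mkdir()
    # Constructed decoy: ELF header bytes under a PDF-looking name with a trailing space.
    (dl / "Zomato Pizza.pdf ").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 20)
    # Constructed genuine PDF for contrast.
    (dl / "umrah.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
    units = home / ".config" / "systemd" / "user"
    units.mkdir(parents=True)
    staged = home / ".config" / "systemd" / "user" / "userservice" / "conky"
    (units / "conky.service").write_text(
        "[Unit]\nDescription=Conky\n\n[Service]\nExecStart=%s\n\n"
        "[Install]\nWantedBy=default.target\n" % staged
    )
    (units / "syncthing.service").write_text(
        "[Service]\nExecStart=/usr/bin/syncthing serve\n"
    )
    return {
        "disguised": [p.name for p in find_disguised_elfs(home)],
        "units": suspicious_user_units(units),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real machine by replacing the temporary home with `Path.home()` and the unit directory with `Path.home() / ".config/systemd/user"`; `systemctl --user list-unit-files` lists the same units from systemd's point of view, which is useful when a unit has been enabled via a symlink rather than copied into place.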

Using Microsoft to Conceal Operations

This attack is notable for its use of legitimate Microsoft services for command-and-control (C2). Rather than standing up their own infrastructure, the attackers hide their traffic inside the Microsoft Graph API and ordinary Outlook mailboxes, so at the network level the implant looks like one more client talking to graph.microsoft.com and no C2 domain or IP blocklist will catch it. Analysis shows that the malware carries stolen Azure AD (now Entra ID) application credentials, a tenant ID, client ID and client secret, which it exchanges for an OAuth access token that then authenticates its requests to Microsoft's servers.

Every two seconds the backdoor issues an OData (Open Data Protocol) query against the Graph API to look for new messages in a specified Outlook folder. Messages with the subject "Input" carry the operator's commands, encrypted with AES-CBC. After executing a command, the malware mails the result back under the subject "Output" and removes the processed messages with a DELETE request, so the mailbox keeps no record of the exchange.
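Because the traffic terminates at Microsoft, the detectable signal is behavioural: a host that polls a Graph mail endpoint at a fixed, machine-like cadence, always with the same OData filter, and that also issues DELETE requests against messages. The Python below is an added example for this article, not the vendor's detection or the malware's code. It parses constructed proxy log lines in an assumed `<ISO time> <source> <method> <URL>` format (adapt `parse()` to your proxy's real format); the Graph URL paths, the `$filter=subject eq 'Input'` query and the polling host are likewise constructed to match the behaviour described above, not recovered from the implant.

```python
"""Flag hosts polling Graph mail endpoints at a beacon-like cadence and
deleting messages. Added example over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qs, urlsplit

# Constructed sample: 10.0.0.21 polls every 2 s with a fixed $filter, then
# sends a reply and deletes a message; 10.0.0.55 is a normal mail client.
SAMPLE_LOG = """\
2024-08-01T09:00:00Z 10.0.0.21 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/inbox/messages?$filter=subject%20eq%20'Input'
2024-08-01T09:00:02Z 10.0.0.21 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/inbox/messages?$filter=subject%20eq%20'Input'
2024-08-01T09:00:04Z 10.0.0.21 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/inbox/messages?$filter=subject%20eq%20'Input'
2024-08-01T09:00:04Z 10.0.0.21 POST https://graph.microsoft.com/v1.0/users/ops@example.com/sendMail
2024-08-01T09:00:05Z 10.0.0.21 DELETE https://graph.microsoft.com/v1.0/users/ops@example.com/messages/AAMkAGI2
2024-08-01T09:00:06Z 10.0.0.21 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/inbox/messages?$filter=subject%20eq%20'Input'
2024-08-01T09:00:01Z 10.0.0.55 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
2024-08-01T09:03:31Z 10.0.0.55 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
2024-08-01T09:07:02Z 10.0.0.55 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
"""


def parse(log: str) -> list:
    """Assumed line format: '<ISO-8601 Z time> <src> <method> <url>'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method.upper(), url))
    return events


def is_graph_mail(url: str) -> bool:
    """Graph API requests touching mailbox messages (read, list or delete)."""
    u = urlsplit(url)
    return u.netloc == "graph.microsoft.com" and "/messages" in u.path


def analyze(log: str, max_median_gap: float = 5.0, min_polls: int = 3) -> dict:
    """Return {src: finding} for hosts whose median interval between Graph
    message reads is <= max_median_gap seconds, with the filters they used
    and how many DELETEs they issued against messages."""
    polls = defaultdict(list)    # src -> timestamps of message reads
    filters = defaultdict(set)   # src -> distinct OData $filter expressions
    deletes = defaultdict(int)   # src -> DELETE requests on messages
    for ts, src, method, url in parse(log):
        if not is_graph_mail(url):
            continue
        if method == "GET":
            polls[src].append(ts)
            for f in parse_qs(urlsplit(url).query).get("$filter", []):
                filters[src].add(f)
        elif method == "DELETE":
            deletes[src] += 1

    findings = {}
    for src, times in polls.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps)
        if gap <= max_median_gap:
            findings[src] = {
                "median_gap_s": gap,
                "filters": sorted(filters[src]),
                "deletes": deletes[src],
            }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(src, f)
```

The threshold is deliberately a parameter: the two-second interval reported for GoGra is one sample, and an operator can change it, so tune `max_median_gap` to what your legitimate clients actually do and weigh the fixed-filter and DELETE signals together rather than alone. On the identity side the same activity shows up as a service-principal sign-in (client credentials flow) from the tenant whose client ID and secret the implant carries, so the Entra ID sign-in logs for unfamiliar application registrations with Mail permissions are a second place to look.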

Same Hackers, Different Systems

Further investigation shows that the Linux variant of GoGra shares significant code similarities with Graphon, a backdoor Harvester previously used against Windows targets. Both tools contain the same typographical errors, such as "ExcuteCommand" and "error occured", which strongly suggests a common codebase and supports attributing the two to the same developers. Harvester, believed to be a state-sponsored group, appears to have ported its tooling to extend the reach and stealth of its surveillance across operating systems.

The emergence of this Linux-based malware marks a deliberate expansion by Harvester to widen its operational reach. Its tradecraft, a disguised executable for Initial Access, a systemd user service for Persistence, and a trusted cloud API for command and control, maps cleanly onto the MITRE ATT&CK framework and is designed to evade controls that trust Microsoft traffic by default. Organisations in the targeted regions, and anyone who assumes Linux desktops are not worth phishing, should treat unexpected Graph API activity from endpoints and unfamiliar user-level services as worth investigating.
