The attacker, known as Harvester, is believed to have originated from a new Linux version of the GoGra backdoor, possibly introduced as part of an attack targeting organizations in South Asia.
“This malware uses the legitimate Microsoft Graph API and Outlook mailboxes as covert command-and-control (C2) channels, allowing it to evade traditional perimeter network defenses,” Symantec and the Carbon Black Threat Hunter team said in a report shared with The Hacker News.
A cybersecurity firm said it had identified artifacts uploaded to Virus Total Platform from India and Afghanistan, suggesting both countries may be targets of espionage operations.
Harvester was first publicly documented by Symantec in late 2021 and was associated with information theft campaigns targeting telecommunications, government, and IT sectors in South Asia since June 2021 using a custom-built implant called Graphon that uses the Microsoft Graph API for C2.
Subsequent activity reported in August 2024 saw the hacker group engage in attacks targeting anonymous media organizations in South Asia using an unprecedented Go-based backdoor called GoGra. The latest findings suggest that attackers continue to expand their toolset beyond Windows, infecting Linux machines with new variants of the same backdoor.
This attack uses social engineering to trick victims into opening an ELF binary disguised as a PDF document. The dropper then begins displaying decoy documents while secretly running the backdoor.
Similar to the Windows version, the Linux version of GoGra exploits Microsoft’s cloud infrastructure and uses Open Data Protocol (OData) queries to access a specific Outlook mailbox folder named “Zomato Pizza” every two seconds. The backdoor scans your inbox for incoming email messages whose subject line begins with the word “Input.”
When it receives an email that matches the criteria, it decrypts the Base64-encoded message body and executes it as a shell command using “/bin/bash”. The execution results are returned to the operator in an e-mail message with the subject “Output.” Once the extraction step is complete, the implant erases the original task message and hides its tracks.
“Despite using different deployment architectures and operating systems, the underlying C2 logic remains unchanged,” Symantec and Carbon Black said, adding that the teams “also identified several matching misspellings that were hard-coded across both platforms, indicating that the same developers are behind both tools.”
“The use of the new Linux backdoor shows that Harvester continues to expand its toolset and is actively developing new tools to go after a broader range of victims and machines.”
Source link
