An unnamed media organization in South Asia was targeted in November 20233 using a previously undocumented Go-based backdoor called GoGra.
“GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services,” Symantec, part of Broadcom, said in a report shared with The Hacker News.
It’s currently not clear how it’s delivered to target environments, GoGra is specifically configured to read messages from an Outlook username “FNU LNU” whose subject line starts with the word “Input.”
The message contents are then decrypted using the AES-256 algorithm in Cipher Block Chaining (CBC) mode using a key, following which it executes the commands via cmd.exe.
The results of the operation are then encrypted and sent to the same user with the subject “Output.”
GoGra is said to be the work of a nation-state hacking group known as Harvester owing to its similarities to a custom .NET implant named Graphon that also utilizes the Graph API for C&C purposes.
The development comes as threat actors are increasingly taking advantage of legitimate cloud services to stay low-key and avoid having to purchase dedicated infrastructure.
Some of the other new malware families that have employed the technique are listed below –
“Although leveraging cloud services for command and control is not a new technique, more and more attackers have started to use it recently,” Symantec said, pointing to malware like BLUELIGHT, Graphite, Graphican, and BirdyClient.
“The number of actors now deploying threats that leverage cloud services suggests that espionage actors are clearly studying threats created by other groups and mimicking what they perceive to be successful techniques.”
