GoGra: New Go-Based Backdoor Targets South Asian Media
In a concerning development, cybersecurity researchers from Symantec’s Threat Hunter Team have uncovered a new Go-based backdoor named GoGra. This sophisticated malware has been used in a targeted attack against an unnamed media organization in South Asia, raising alarms about the evolving tactics of cybercriminals.
GoGra: A Stealthy Backdoor Leveraging Microsoft’s Ecosystem
GoGra distinguishes itself by abusing a legitimate Microsoft service for malicious purposes. The malware communicates with its command-and-control (C2) server through the Microsoft Graph API, the standard interface for accessing data within Microsoft cloud services. Because that traffic goes to the same endpoints ordinary Office and Teams clients use, GoGra blends in with normal activity and is harder to detect.
Targeted Attack and Elusive Delivery
While the exact method of GoGra’s initial infiltration remains unknown, its modus operandi within the targeted system has been revealed. The malware is configured to receive encrypted commands from a specific Outlook user, decrypt them using AES-256 in CBC mode, and execute them via “cmd.exe.” The results are then encrypted and sent back to the attacker, creating a closed loop of communication.
The Harvester Connection
Researchers believe GoGra is the work of the notorious hacking group Harvester. This attribution is based on similarities between GoGra and another custom .NET implant called Graphon, also known to be used by Harvester. Both malware strains share the distinctive characteristic of utilizing the Graph API for C2 operations.
A Growing Trend: Legitimate Cloud Services as Hacker Havens
GoGra is not an isolated incident. It exemplifies a growing trend where attackers increasingly leverage legitimate cloud services to camouflage their malicious activities. This tactic not only provides a layer of obfuscation but also eliminates the need for maintaining dedicated C2 infrastructure, making attribution and takedown more challenging.
The Arsenal of Cloud-Based Malware Expands
Several other recently discovered malware families also exploit cloud services for similar purposes:
- Data exfiltration tool: Used in an attack on a Southeast Asian military organization, this tool uploads stolen data to Google Drive using a hardcoded refresh token.
- Grager backdoor: Deployed against organizations in Taiwan, Hong Kong, and Vietnam, Grager uses the Graph API to connect to a C2 server on Microsoft OneDrive. It is linked to the Chinese group UNC5330.
- MoonTag backdoor: Attributed to Chinese-speaking hackers, this backdoor communicates with the Graph API for C2 operations.
- Onedrivetools backdoor: Employed against IT companies in the U.S. and Europe, this backdoor interacts with a C2 server on OneDrive.
The Cat-and-Mouse Game of Cybersecurity
As cybercriminals continue to adapt and innovate, the cybersecurity landscape remains a dynamic battleground. The emergence of GoGra and similar threats highlights the importance of robust security measures and constant vigilance. Organizations must remain proactive in their defense strategies, employing advanced threat detection tools and staying abreast of the latest attack vectors.
The abuse of legitimate cloud services presents a unique challenge, as it blurs the lines between benign and malicious activity. Security professionals must evolve their detection methods to identify subtle anomalies within cloud traffic patterns and investigate suspicious interactions with cloud APIs.
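As an added illustration of the anomaly hunting described above (example code written for this article, not tooling from Symantec or the original report), the script below scans constructed proxy-style log lines for the GoGra-like pattern: an unexpected process talking to graph.microsoft.com, repeated inbox reads at a beacon-like regular cadence, and mail sent via Graph by something that is not a mail client. The log format, the process allowlist and the thresholds are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Assumed allowlist of processes that legitimately talk to graph.microsoft.com on a workstation.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"}

# Constructed sample log lines: timestamp, host, process, destination host, URL path.
SAMPLE_LOGS = """\
2024-08-01T09:00:00 ws1 outlook.exe graph.microsoft.com /v1.0/me/messages
2024-08-01T09:00:05 ws1 svchost.exe login.microsoftonline.com /common/oauth2/v2.0/token
2024-08-01T09:01:00 ws2 updater.exe graph.microsoft.com /v1.0/me/mailFolders/inbox/messages
2024-08-01T09:02:00 ws2 updater.exe graph.microsoft.com /v1.0/me/mailFolders/inbox/messages
2024-08-01T09:03:00 ws2 updater.exe graph.microsoft.com /v1.0/me/mailFolders/inbox/messages
2024-08-01T09:04:00 ws2 updater.exe graph.microsoft.com /v1.0/me/mailFolders/inbox/messages
2024-08-01T09:04:01 ws2 updater.exe graph.microsoft.com /v1.0/me/sendMail
2024-08-01T09:07:30 ws1 teams.exe graph.microsoft.com /v1.0/me/chats
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, host, process, destination, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, dest, path = m.groups()
            yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower(), path

def find_suspicious_graph_clients(log_text, min_polls=3, max_jitter_s=5.0):
    """Return {(host, process): [reasons]} for Graph API use that deserves analyst review."""
    polls = defaultdict(list)     # inbox read timestamps per (host, process)
    findings = defaultdict(set)
    for ts, host, proc, dest, path in parse(log_text):
        if dest != "graph.microsoft.com":
            continue
        key = (host, proc)
        if proc not in EXPECTED_GRAPH_CLIENTS:
            findings[key].add("unexpected process using Graph API")
        if "/mailfolders/inbox/messages" in path.lower():
            polls[key].append(ts)
        if path.lower().endswith("/sendmail") and proc not in EXPECTED_GRAPH_CLIENTS:
            findings[key].add("non-mail-client sending mail via Graph")
    # Near-constant gaps between inbox reads look like a C2 polling loop, not a human.
    for key, times in polls.items():
        if len(times) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= max_jitter_s:
                findings[key].add("regular inbox polling (beacon-like cadence)")
    return {k: sorted(v) for k, v in findings.items()}
```

Run against the constructed sample, only ws2/updater.exe is flagged, with all three reasons; outlook.exe and teams.exe on ws1 are not.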
As the fight against cybercrime intensifies, it is clear that both attackers and defenders are in a constant race to outmaneuver each other. By understanding the tactics employed by sophisticated threats like GoGra, organizations can better equip themselves to mitigate risks and protect their valuable data.