Harvester APT Group Widens Cyber Espionage Activities via GoGra Malware on Linux Systems


Harvester APT Group Develops GoGra Malware to Spy on Linux Systems

The Advanced Persistent Threat (APT) group known as Harvester continues to refine its tactics, techniques, and procedures (TTPs). Researchers have recently uncovered a new development: the group has expanded its operations to target Linux systems in South Asia.

According to the latest research, the Harvester APT group has developed a new malware, dubbed GoGra, built specifically for Linux targets.

GoGra is a Linux ELF binary designed to evade detection and keep a persistent foothold on compromised systems. Initial access relies on social engineering: attackers send emails carrying attachments that look like legitimate documents but are in fact the executable binary. The filenames mimic trusted services or entities, so the attachments are hard to distinguish from genuine documents.

  • The attackers create a hidden directory, ~/.config/systemd/user/userservice, and register the implant as a systemd user service disguised as Conky, a common desktop system monitor. Because the unit is started with the user's session, GoGra is relaunched after every reboot.
  • The distinctive feature of this attack is the use of Microsoft services as a covert command-and-control (C2) channel. The malware talks to the Microsoft Graph API and uses an Outlook mailbox to carry commands to, and results from, infected hosts, so its traffic blends in with legitimate Microsoft cloud traffic.
  • GoGra embeds stolen Azure AD credentials for an application registration: a tenant ID, a client ID, and a client secret. Together these act as a private authentication key that lets the binary obtain an access token without any user interaction.
  • The malware authenticates to Microsoft's servers with these credentials and then polls the C2 mailbox. Every two seconds, GoGra sends an OData query to check a specific Outlook folder for emails whose subject line is "Input." The body of each such email is a command encrypted with AES-CBC, which the malware decrypts and executes on receipt.
  • After running a command, GoGra mails the result back with the subject line "Output" and then removes the processed tasking email with an HTTP DELETE request, leaving no trace in the mailbox.
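The mailbox-driven loop in the list above, written out as an added example that is not code from the original article or from the GoGra sample itself. To stay self-contained it models the Outlook mailbox in memory rather than over HTTP, so the Graph endpoints appear only as comments on the stand-in methods; the AES key and IV, the message IDs, the decoy mail, and the stub command runner are all constructed for the example. The "Input"/"Output" subject convention, the OData subject filter, AES-CBC tasking and delete-after-use follow the article.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Key and IV are constructed for this example; a real sample embeds its own material.
var key = []byte("0123456789abcdef0123456789abcdef") // AES-256
var iv = []byte("fedcba9876543210")

type message struct{ ID, Subject, Body string }

// encryptCBC: PKCS#7 pad, AES-CBC, then base64 so the blob can ride in a mail body.
func encryptCBC(pt []byte) string {
	block, _ := aes.NewCipher(key) // key is a fixed 32-byte value, so NewCipher cannot fail
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}

// decryptCBC reverses encryptCBC; garbled or truncated mail is rejected, not executed.
func decryptCBC(s string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(s)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("not base64 of whole AES blocks")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-n], nil
}

// graphMailbox is an in-memory stand-in for the Outlook mailbox behind the three Graph
// calls the backdoor makes; each method is labelled with the HTTP request it replaces.
type graphMailbox struct {
	inbox map[string]message // operator -> implant tasking, keyed by message id
	sent  []message          // implant -> operator results
}

// GET /v1.0/me/mailFolders/inbox/messages?$filter=subject eq 'Input'
func (g *graphMailbox) ListMessages(filter string) []message {
	want := strings.Trim(strings.TrimPrefix(filter, "subject eq "), "'")
	var hits []message
	for _, m := range g.inbox {
		if m.Subject == want {
			hits = append(hits, m)
		}
	}
	return hits
}

// POST /v1.0/me/sendMail
func (g *graphMailbox) SendMail(m message) { g.sent = append(g.sent, m) }

// DELETE /v1.0/me/messages/{id}
func (g *graphMailbox) DeleteMessage(id string) { delete(g.inbox, id) }

// pollOnce is one turn of the loop the article describes: fetch "Input" mail, run each
// command, mail the result back as "Output", then delete the tasking. run is whatever a
// real sample hands to a shell; here the caller passes a harmless stub.
func pollOnce(g *graphMailbox, run func(string) string) (int, error) {
	tasks := g.ListMessages("subject eq 'Input'")
	for _, m := range tasks {
		cmd, err := decryptCBC(m.Body)
		if err != nil {
			return 0, fmt.Errorf("message %s: %w", m.ID, err)
		}
		g.SendMail(message{Subject: "Output", Body: encryptCBC([]byte(run(string(cmd))))})
		g.DeleteMessage(m.ID)
	}
	return len(tasks), nil
}

// Simulate stages one encrypted tasking plus an unrelated mail, runs one poll, and returns
// the decrypted "Output" the operator would read and how many mails are left in the inbox.
func Simulate(command string) (string, int, error) {
	g := &graphMailbox{inbox: map[string]message{
		"AAMk-1": {"AAMk-1", "Input", encryptCBC([]byte(command))}, // constructed tasking
		"AAMk-2": {"AAMk-2", "Weekly report", "not tasking"},        // decoy the filter must skip
	}}
	if _, err := pollOnce(g, func(c string) string { return "ran: " + c }); err != nil {
		return "", 0, err
	}
	out, err := decryptCBC(g.sent[0].Body)
	return string(out), len(g.inbox), err
}
```

Calling Simulate("uname -a") yields "ran: uname -a" and leaves exactly one mail, the decoy, in the inbox: the subject filter is what keeps the implant from touching ordinary correspondence, and the DELETE is what keeps the operator's tasking from piling up where a mailbox audit would see it. Two points matter for a defender. A tasking mail that does not decrypt to whole blocks with valid padding is rejected before anything reaches a shell, so fuzzing the mailbox is not a route to arbitrary execution on the implant. And where a sample embeds a static key and IV, as this stand-in does, recovering them from the binary lets an analyst decrypt both directions of any retained "Input" and "Output" mail.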

Investigations have revealed that GoGra bears a striking resemblance to Graphon, another backdoor that the Harvester APT group has used against Windows computers in the past. Both share the same spelling mistakes in their code, such as "ExcuteCommand" and "error occured," which points to the same developers being behind both tools.

This discovery highlights how APT groups continually adapt their TTPs to reach their objectives. Routing C2 through Microsoft services and building flexible tooling like GoGra show the sophistication and persistence of these threats. Organizations must therefore remain vigilant and implement robust security measures, including monitoring of user-level systemd units and of unexpected application sign-ins to Microsoft Graph, to defend against them.
