A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery.
The malware is developed by Harvester, an espionage group believed to be state-backed, and is considered highly evasive because it uses the Microsoft Graph API to access mailbox data.
Harvester has been active since at least 2021 and is known to use custom malicious tools, such as backdoors and loaders in campaigns targeting telecommunications, government, and IT organizations in South Asia.
Symantec researchers analyzed samples of the new Linux GoGra backdoor retrieved from VirusTotal and found that initial access is obtained by tricking victims into executing ELF binaries disguised as PDF files.
Abusing Microsoft Graph API
In a report today, Symantec researchers say that the Linux version of the GoGra backdoor uses hardcoded Azure Active Directory (AD) credentials to authenticate to Microsoft’s cloud and obtain OAuth2 tokens. This allows it to interact with Outlook mailboxes via the Microsoft Graph API.
In the initial stage of the attack, a Go-based malware dropper deploys an i386 payload, establishing persistence via 'systemd' and an XDG autostart entry posing as the legitimate Conky system monitor for Linux and BSD.
According to the researchers, the malware polls an Outlook mailbox folder named “Zomato Pizza” every two seconds. It uses OData queries to identify incoming emails with subject lines beginning with “Input.”
The malware decrypts the base64-encoded and AES-CBC-encrypted contents of these messages and executes the resulting commands locally.
Execution results are then AES-encrypted and returned to the operator via reply emails with the subject “Output.”
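One defensive counterpart to the polling behaviour described above, added here as an example and not taken from Symantec's report: a small Python detector that flags a Graph API client whose requests to mailbox endpoints arrive at a near-constant two-second cadence. The log schema (fields `ts`, `app`, `path`, `query`), the app names and the folder id are assumptions, and the sample records are constructed.

```python
# Added example (not from Symantec's report): flag Graph API clients that poll a
# mailbox at a fixed short cadence, the pattern described for GoGra (every ~2 s).
# The record schema is hypothetical; map your own Graph activity or proxy logs onto it.
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _rec(ts, app, path, query=""):
    return {"ts": ts.isoformat(), "app": app, "path": path, "query": query}


# Constructed sample: one client polling every 2 s with slight jitter, one normal client.
_T0 = datetime(2024, 8, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    _rec(_T0 + timedelta(seconds=2 * i + (0.1 if i % 2 else 0)), "app-poller",
         "/me/mailFolders/folder-id/messages", "$filter=startswith(subject,'Input')")
    for i in range(8)
] + [
    _rec(_T0 + timedelta(seconds=s), "app-mailclient", "/me/messages")
    for s in (0, 31, 95, 400, 3600)
]

MAIL_PATHS = ("/mailFolders/", "/messages")


def detect_mailbox_beacons(records, period=2.0, tolerance=0.5, min_requests=5, min_ratio=0.8):
    """Return one finding per (app, path) whose inter-request gaps cluster around `period`."""
    by_key = defaultdict(list)
    for r in records:
        if any(p in r["path"] for p in MAIL_PATHS):
            by_key[(r["app"], r["path"])].append(datetime.fromisoformat(r["ts"]))
    findings = []
    for (app, path), times in by_key.items():
        if len(times) < min_requests:
            continue  # too few requests to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        ratio = regular / len(gaps)
        if ratio >= min_ratio:
            findings.append({"app": app, "path": path, "requests": len(times),
                             "median_gap_s": round(statistics.median(gaps), 2),
                             "regular_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_mailbox_beacons(SAMPLE_RECORDS):
        print(finding)
```

The irregular "app-mailclient" traffic is not reported, while the two-second poller is; tune `period` and `tolerance` to the cadence you expect in your own environment.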