The cyber threat group known as Harvester has been linked to a new Linux variant of its GoGra backdoor, reportedly aimed at South Asian entities. By using the legitimate Microsoft Graph API and Outlook mailboxes as its covert command-and-control channel, the malware blends in with normal cloud traffic and so evades traditional network defenses, according to a report shared by the Symantec and Carbon Black Threat Hunter Team.
Targeted Regions and Tactics
Evidence of the malware was found on the VirusTotal platform, with uploads identified from India and Afghanistan, pointing to potential targets of this espionage operation. Harvester’s activities were first documented by Symantec in late 2021, revealing a campaign against telecommunications, government, and IT sectors in South Asia. The campaign employed a custom implant named Graphon, which also leveraged the Microsoft Graph API for command-and-control purposes.
Evolution of Harvester’s Toolset
In August 2024, Harvester’s activities were linked to an attack on a media organization in South Asia, deploying a novel Go-based backdoor known as GoGra. The recent discovery indicates that Harvester has expanded to Linux systems with a new version of the backdoor, alongside its Windows counterpart. The attack strategy relies on social engineering that persuades targets to execute ELF binaries masquerading as PDF files; these then deploy the backdoor while displaying a decoy document.
Operational Mechanics and Cover-up
Similar to its Windows variant, the Linux GoGra backdoor abuses Microsoft’s cloud infrastructure, querying a designated Outlook mailbox folder named “Zomato Pizza” every two seconds via OData. It scans for emails with subject lines starting with “Input,” decrypts the Base64-encoded content, and executes the commands using “/bin/bash.” Once the commands have run, the results are emailed back with “Output” as the subject line. After sending the results, the malware deletes the original tasking message to eliminate traces.
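One defensive check that the fixed polling cadence described above makes possible, as an added example (not code from the report or from the malware): a Python routine that scans egress-proxy log lines for a host reading a Graph mailFolders endpoint at a steady two-second interval, and records whether the request also carried an OData filter on subjects starting with “Input”. The log format, host names, folder id and the assumption that the subject filter appears in the request URL (rather than being applied client-side) are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy log (not from the report): "timestamp host method url".
# linux-ws-07 imitates the GoGra cadence; desk-12 is a mail client's irregular sync.
SAMPLE_LOG = """\
2024-09-01T10:00:00 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER-ID-PLACEHOLDER/messages?$filter=startswith(subject,'Input')
2024-09-01T10:00:02 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER-ID-PLACEHOLDER/messages?$filter=startswith(subject,'Input')
2024-09-01T10:00:04 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER-ID-PLACEHOLDER/messages?$filter=startswith(subject,'Input')
2024-09-01T10:00:06 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER-ID-PLACEHOLDER/messages?$filter=startswith(subject,'Input')
2024-09-01T10:00:08 linux-ws-07 GET https://graph.microsoft.com/v1.0/me/mailFolders/FOLDER-ID-PLACEHOLDER/messages?$filter=startswith(subject,'Input')
2024-09-01T10:00:01 desk-12 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
2024-09-01T10:03:47 desk-12 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=25
2024-09-01T10:09:02 desk-12 GET https://graph.microsoft.com/v1.0/me/calendar/events
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
FOLDER_POLL_RE = re.compile(r"^https://graph\.microsoft\.com/v1\.0/me/mailFolders/[^/?]+/messages")
SUBJECT_FILTER_RE = re.compile(r"startswith\(subject,'Input'\)")


def find_mailbox_beacons(log_text, interval=2.0, tolerance=0.5, min_polls=5):
    """Flag hosts that read a Graph mailFolders endpoint at a steady, backdoor-like cadence."""
    polls = defaultdict(list)         # host -> request timestamps
    subject_hits = defaultdict(bool)  # host -> saw the 'Input' subject filter in a URL
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, _method, url = m.groups()
        if not FOLDER_POLL_RE.match(url):
            continue
        polls[host].append(datetime.fromisoformat(ts))
        if SUBJECT_FILTER_RE.search(url):
            subject_hits[host] = True
    flagged = {}
    for host, stamps in polls.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap, jitter = statistics.mean(gaps), statistics.pstdev(gaps)
        # Mail clients sync irregularly; a polling loop has a fixed mean gap and near-zero jitter.
        if abs(mean_gap - interval) <= tolerance and jitter <= tolerance:
            flagged[host] = {"polls": len(stamps), "mean_gap_s": round(mean_gap, 2),
                             "input_subject_filter": subject_hits[host]}
    return flagged
```

Legitimate Graph API clients rarely poll a single folder this fast, so the cadence alone is a usable hunting lead even when the subject filter is not visible in the URL.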
Despite the differences in target operating system and deployment method, the core command-and-control logic of the GoGra backdoor remains consistent across both versions. Symantec and Carbon Black noted identical hard-coded spelling errors on both platforms, suggesting that a single developer is responsible for both.
The introduction of a Linux backdoor underscores Harvester’s strategic efforts to broaden its attack arsenal, targeting a wider array of systems and victims. As cybersecurity landscapes evolve, vigilance and adaptive defense mechanisms remain crucial.
