A nation-state-backed Advanced Persistent Threat (APT) group identified as Harvester has reportedly developed a new malicious backdoor called GoGra to spy on Linux computers across India and Afghanistan.
This group has been active since at least June 2021, and previously attacked Windows computers mainly in South Asia. However, researchers from Symantec and Carbon Black have now reported that Linux systems are on their latest hit list.
According to researchers, the group uses social engineering to trick victims. It sends out emails containing malicious attachments named after trusted services or entities. For example, some files were named after Zomato, a popular food delivery app in India, whereas other decoys included umrah.pdf, which refers to the Islamic pilgrimage, or TheExternalAffairesMinister. pdf.
How the trick works
The hackers name a file something like “Zomato Pizza.pdf” but insert a tiny space between the name and the extension. The recipient takes it for a simple document, while the computer treats it as a Linux ELF binary and runs it.
Once the file is opened, a Go dropper displays a fake PDF or document so the user does not get suspicious. While the victim is busy reading the decoy, GoGra writes its files to a hidden folder, ~/.config/systemd/user/userservice, and, to stay unnoticed, pretends to be the common system monitor Conky. Because it is registered as a systemd user service, GoGra starts running again every time the computer restarts.
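The two host-side tells described above, a document name padded with whitespace before its extension that actually carries an ELF header, and a systemd user unit launched from the hidden userservice folder, can be checked mechanically. The following is an added triage example, not code from the report or from Symantec; the file names, the unit texts and the extension list are constructed samples.

```python
import re

ELF_MAGIC = b"\x7fELF"
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")
HIDDEN_DROP_DIR = ".config/systemd/user/userservice"  # path named in the report

# Matches an extension with whitespace wedged around the final dot,
# e.g. "Zomato Pizza .pdf" or "TheExternalAffairesMinister. pdf".
GAPPED_EXT = re.compile(r"(\s+\.\s*|\.\s+)([A-Za-z0-9]{2,5})$")
DOC_EXT = re.compile(r"\.(" + "|".join(DOC_EXTS) + r")$", re.IGNORECASE)

def normalized_name(name: str) -> str:
    """Collapse whitespace around the final dot so 'file. pdf' -> 'file.pdf'."""
    return GAPPED_EXT.sub(lambda m: "." + m.group(2), name)

def triage_attachment(name: str, head: bytes) -> list:
    """Return reasons an attachment looks like an ELF posing as a document.

    `head` is the first few bytes of the file (read with open(path, 'rb').read(4))."""
    reasons = []
    if GAPPED_EXT.search(name):
        reasons.append("whitespace inserted before the extension")
    if DOC_EXT.search(normalized_name(name)) and head.startswith(ELF_MAGIC):
        reasons.append("ELF header under a document extension")
    return reasons

def scan_user_units(units: dict) -> list:
    """Flag systemd user units (name -> unit text) whose ExecStart runs from the drop dir."""
    flagged = []
    for unit_name, text in units.items():
        for line in text.splitlines():
            key, _, value = line.strip().partition("=")
            if key == "ExecStart" and HIDDEN_DROP_DIR in value:
                flagged.append(unit_name)
                break
    return flagged

# Constructed sample units: one mimicking Conky from the hidden folder, one benign.
SAMPLE_UNITS = {
    "conky.service": "[Unit]\nDescription=Conky system monitor\n[Service]\n"
                     "ExecStart=%h/.config/systemd/user/userservice/conky\n",
    "pulseaudio.service": "[Service]\nExecStart=/usr/bin/pulseaudio --daemonize=no\n",
}

if __name__ == "__main__":
    print(triage_attachment("Zomato Pizza .pdf", b"\x7fELF\x02\x01\x01\x00"))
    print(triage_attachment("umrah.pdf", b"%PDF-1.7\n"))
    print(scan_user_units(SAMPLE_UNITS))
```

On a live host the same check is run over `~/.config/systemd/user/*.service` and the user's mail download directory, feeding file names and their first four bytes into the two functions.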
Using Microsoft to hide
Researchers note that what makes this attack stand out is how the hackers communicate with the infected computers. Instead of using their own servers, they hide their traffic inside legitimate Microsoft services, the Microsoft Graph API and Outlook mailboxes, which act as their “covert command-and-control (C2) channel,” the researchers explained.
The software contains stolen Azure AD credentials: a tenant ID, a client ID, and a client secret. The client secret acts as a private authentication key, allowing GoGra to prove its identity to Microsoft’s servers and obtain access to the mailbox.
Every two seconds, the malware uses OData (Open Data Protocol) queries to check a specific Outlook folder for emails with the subject line “Input.” These emails contain commands protected with AES-CBC encryption. Once the malware carries out a task, it emails the results back with the subject line “Output” and then issues a DELETE request to remove the evidence from the mailbox.
Same hackers, different systems
Further investigation revealed that this Linux version of GoGra is nearly identical to another backdoor called Graphon, which Harvester used to attack Windows computers in the past. The link was confirmed by identical spelling mistakes in the code of both versions: typos such as “ExcuteCommand” and “error occured” appear in the malware for both systems.
“Harvester is believed to be a nation-state-backed group that has been active since at least 2021. It is known to use both custom malware and publicly available tools in its attacks. One of its tools is a custom backdoor called Graphon, which has similarities with GoGra and also uses Microsoft infrastructure for its C2 activity,” the blog post reads.
These shared errors helped researchers establish that the same developers are behind both tools. The discovery of this Linux-based malware shows that the Harvester group is working to make its spying tools more flexible and harder to detect across different operating systems.