South Asia Cyberattack Leveraged the GoGra Backdoor
A recent cyberattack on an unnamed media organization in South Asia highlights the increasing trend among threat actors to leverage legitimate cloud services for their malicious activities. The attack, which occurred in November 2023, involved a newly discovered Go-based backdoor named GoGra, believed to be the work of a nation-state hacking group known as Harvester.
GoGra distinguishes itself by utilizing the Microsoft Graph API to communicate with a command-and-control (C&C) server hosted on Microsoft mail services. This technique allows the malware to remain under the radar, blending in with normal traffic and making it difficult to detect.
How GoGra Operates
The GoGra backdoor is designed to interact with a specific Outlook username, "FNU LNU," and processes emails whose subject line begins with "Input." Upon receiving such a message, GoGra decrypts the content using the AES-256 algorithm in Cipher Block Chaining (CBC) mode. The decrypted instructions are then executed via cmd.exe, the Windows command-line interpreter. The results of these commands are encrypted and sent back to the same user with a subject line that starts with "Output."
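Because the message bodies are AES-256-CBC encrypted with a key the defender does not hold, detection of this pattern has to key on the metadata the article gives: the mailbox involved and the "Input"/"Output" subject prefixes, plus the short task-then-result round trip. The following is an added example written for this page, not code from the article or from any vendor. It parses a few constructed mailbox-audit records (the pipe-delimited format, the timestamps, the `example.invalid` senders and the hypothetical `operator@example.invalid` tasking sender are all made up for the example; real Exchange or Graph audit logs differ) and pairs each "Input" message with the "Output" that follows it in the same mailbox within a five-minute window, which is an assumed threshold.

```python
"""Detection sketch for the GoGra mail-based C2 pattern (added example).

Assumptions made for this example:
  - the audit log is a simple pipe-delimited text: timestamp|mailbox|sender|subject
  - the watched account is the Outlook user "FNU LNU" named in the article
  - a result ("Output ...") follows its task ("Input ...") within a few minutes
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WATCHED_USER = "FNU LNU"              # account named in the article
TASK_PREFIX, RESULT_PREFIX = "Input", "Output"  # subject prefixes from the article
PAIR_WINDOW = timedelta(minutes=5)    # assumption: results are returned quickly

# Constructed sample records (not real telemetry). The third record is a benign
# message whose subject happens to start with "Input" and must not pair up.
SAMPLE_LOG = """\
2023-11-14T09:01:12Z|FNU LNU|alerts@example.invalid|Weekly report
2023-11-14T09:03:44Z|FNU LNU|operator@example.invalid|Input 7b2c1a
2023-11-14T09:03:51Z|FNU LNU|FNU LNU|Output 7b2c1a
2023-11-14T09:10:02Z|FNU LNU|hr@example.invalid|Input needed on schedule
2023-11-14T09:40:00Z|FNU LNU|operator@example.invalid|Input 9e4d
2023-11-14T09:40:09Z|FNU LNU|FNU LNU|Output 9e4d
2023-11-14T10:15:30Z|other.user@example.invalid|FNU LNU|Output for you
"""


@dataclass
class MailEvent:
    ts: datetime
    mailbox: str
    sender: str
    subject: str


def parse_log(text: str) -> list[MailEvent]:
    """Parse the constructed pipe-delimited records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, mailbox, sender, subject = line.split("|", 3)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(MailEvent(when, mailbox, sender, subject))
    return sorted(events, key=lambda e: e.ts)


def tasking_events(events: list[MailEvent]) -> list[MailEvent]:
    """Messages in the watched mailbox whose subject starts with Input or Output."""
    return [
        e for e in events
        if e.mailbox == WATCHED_USER
        and e.subject.startswith((TASK_PREFIX, RESULT_PREFIX))
    ]


def find_c2_roundtrips(events: list[MailEvent]) -> list[tuple[MailEvent, MailEvent]]:
    """Pair each 'Input' message with the next 'Output' in the same mailbox
    that arrives within PAIR_WINDOW. A lone 'Input' (e.g. a benign subject)
    never becomes a pair, which keeps the false-positive rate down."""
    pairs = []
    pending = None
    for e in tasking_events(events):
        if e.subject.startswith(TASK_PREFIX):
            pending = e                      # newest task wins
        elif pending is not None and e.ts - pending.ts <= PAIR_WINDOW:
            pairs.append((pending, e))
            pending = None
    return pairs


if __name__ == "__main__":
    for task, result in find_c2_roundtrips(parse_log(SAMPLE_LOG)):
        delta = (result.ts - task.ts).total_seconds()
        print(f"{task.ts.isoformat()} task from {task.sender!r} -> result after {delta:.0f}s: "
              f"{task.subject!r} / {result.subject!r}")
```

The round-trip pairing is what separates GoGra-style traffic from ordinary mail that merely uses the word "Input": the benign HR message is listed by `tasking_events` but never appears in `find_c2_roundtrips`. In production the same logic would sit over Exchange mailbox audit or Graph activity logs, and the mailbox name and window would be tuned to the environment.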
The Broader Trend of Cloud Service Exploitation
The GoGra incident is not an isolated case. It represents a broader trend where cyber attackers are increasingly exploiting legitimate cloud services for their operations. This approach offers several advantages to threat actors, including the ability to evade detection by blending in with regular network traffic and avoiding the need to invest in dedicated infrastructure.
Some other notable examples include:
- Firefly's Data Exfiltration Tool: Used in a cyberattack against a military organization in Southeast Asia, this tool uploads stolen data to Google Drive using a hard-coded refresh token.
- Grager Backdoor: Deployed against organizations in Taiwan, Hong Kong, and Vietnam, Grager uses the Microsoft Graph API to communicate with a C&C server hosted on Microsoft OneDrive. This activity has been linked to a suspected Chinese threat actor, UNC5330.
- MoonTag: Another backdoor that communicates with the Graph API and is attributed to a Chinese-speaking threat actor.
- Onedrivetools: This malware targets IT services companies in the U.S. and Europe, using OneDrive for its C&C communications.
The Implications
The growing use of cloud services for command-and-control operations indicates a shift in tactics among cyber espionage groups. By leveraging platforms like Microsoft 365 and Google Drive, attackers can exploit the trust and legitimacy associated with these services to carry out their malicious activities. The adoption of these techniques by more and more actors suggests that espionage groups are closely studying and mimicking successful methods used by their peers.
Conclusion
The emergence of GoGra and similar malware families underscores the evolving nature of cyber threats. As attackers continue to find new ways to exploit cloud services, organizations must remain vigilant and adopt advanced threat detection and response strategies. Understanding these trends and the techniques employed by threat actors is crucial for staying one step ahead in the ongoing battle against cyber espionage.