Harvester APT - Hackers Use Outlook to Hide GoGra Malware

Hackers are using Microsoft Outlook to conceal their GoGra backdoor communications, complicating detection efforts. The Harvester APT group targets South Asia, focusing on espionage. Organizations are urged to enhance their security measures to combat this evolving threat.

Threat Intel · HIGH

Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Basically, hackers are using Outlook emails to hide their malicious software communications.

The Threat

The Harvester APT group, linked to nation-state activities, has developed a sophisticated method to hide its malicious communications. By leveraging Microsoft Outlook mailboxes, they make their attacks significantly harder to detect. This group has been active since at least 2021 and has now introduced a Linux version of its notorious GoGra backdoor.

How It Works

The new GoGra backdoor uses the legitimate Microsoft Graph API to exchange commands and results through real Outlook mailboxes, so its command-and-control traffic looks like ordinary Graph API activity to a real tenant. This lets it slip past traditional security measures that look for suspicious email traffic or unknown C2 domains. The malware operates covertly, polling the mailbox for new commands every two seconds and executing them without raising alarms.

Who's Behind It

The Harvester APT group has a history of espionage activities, particularly in South Asia. Their campaigns often utilize social engineering tactics to lure victims into opening malicious documents disguised as legitimate files. This latest campaign is a clear continuation of their focus on espionage rather than financial gain.

Tactics & Techniques

The malware is delivered through decoy documents that appear harmless but carry malicious Linux ELF binaries. Once executed, the malware sets up persistence mechanisms so that it remains active after a system reboot. It disguises itself as a legitimate application, making detection even more challenging for security teams.
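The persistence described above is what the audit recommended later in this report is meant to surface. The following script is an added example, not code from the original reporting or from any vendor analysis: it walks the standard XDG autostart directory (`~/.config/autostart`) and the systemd user-unit directory (`~/.config/systemd/user`) of one home directory, extracts the command each entry launches, and flags commands that run from user-writable locations or that are not on a reviewer's allowlist. The directory layout is the standard one assumed here, and the three sample entries it creates (including the look-alike "gnome-keyring-helper" and "dbus-monitor" names) are constructed for the demo, not indicators from this campaign.

```python
"""Audit per-user Linux persistence locations for unexpected entries.

Added example (not from the original report). Walks the XDG autostart
and systemd *user* unit directories of one home directory, extracts the
launched command, and flags entries that run from user-writable paths or
are not on an allowlist. Sample files are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

# System-wide scratch locations any local user can write to.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Exec= (desktop entries) or ExecStart= (systemd units), one per file.
KEY_RE = re.compile(r"^(Exec|ExecStart)\s*=\s*(.+?)\s*$", re.MULTILINE)


def launched_command(unit_text: str) -> Optional[str]:
    """Return the command line a .desktop or .service file launches."""
    m = KEY_RE.search(unit_text)
    return m.group(2) if m else None


def audit_user_persistence(home: Path, allowlist: frozenset = frozenset()) -> list:
    """Return one finding per suspicious autostart / systemd-user entry.

    A finding is produced when the launched executable lives under the
    audited home directory or a world-writable scratch directory, or when
    its path is not in `allowlist` (executable paths the reviewer expects).
    Bare command names resolved via PATH are reported only by allowlist.
    """
    findings = []
    locations = {
        "xdg-autostart": home / ".config" / "autostart",
        "systemd-user": home / ".config" / "systemd" / "user",
    }
    for kind, directory in locations.items():
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if entry.suffix not in (".desktop", ".service"):
                continue
            cmd = launched_command(entry.read_text(errors="replace"))
            if cmd is None:
                continue
            exe = cmd.split()[0].strip("\"'")
            # Expand "~" against the audited home, not the auditor's own home.
            exe_path = Path(str(home) + exe[1:]) if exe.startswith("~") else Path(exe)
            reasons = []
            if exe_path.is_relative_to(home) or any(
                exe_path.is_relative_to(d) for d in WORLD_WRITABLE_DIRS
            ):
                reasons.append("executable in user-writable location")
            if str(exe_path) not in allowlist:
                reasons.append("executable not in allowlist")
            if reasons:
                findings.append(
                    {"source": kind, "unit": entry.name, "exec": cmd, "reasons": reasons}
                )
    return findings


def build_sample_home() -> Path:
    """Create a constructed home directory with three demo entries."""
    home = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    auto = home / ".config" / "autostart"
    sysd = home / ".config" / "systemd" / "user"
    auto.mkdir(parents=True)
    sysd.mkdir(parents=True)
    # Benign: a distro-installed applet launched from /usr/bin.
    (auto / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/nm-applet\n"
    )
    # Constructed look-alike: a plausible name launching from ~/.local.
    (auto / "gnome-keyring-helper.desktop").write_text(
        "[Desktop Entry]\nType=Application\n"
        "Exec=~/.local/share/gkh/gnome-keyring-helper --daemon\n"
    )
    # Constructed look-alike: a user unit whose binary lives in /tmp.
    (sysd / "dbus-monitor.service").write_text(
        "[Service]\nExecStart=/tmp/.X11-cache/dbus-monitor\n"
        "[Install]\nWantedBy=default.target\n"
    )
    return home


if __name__ == "__main__":
    demo_home = build_sample_home()
    for finding in audit_user_persistence(demo_home, frozenset({"/usr/bin/nm-applet"})):
        print(f"{finding['source']:13} {finding['unit']:30} {finding['exec']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it against a real home by passing `Path.home()` (or each home under `/home`) to `audit_user_persistence` with an allowlist built from a known-good baseline; anything reported is a candidate for review, not a verdict, since legitimate software also installs user units.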

Defensive Measures

Organizations should conduct thorough audits of their Linux systems, specifically checking for unexpected autostart entries and systemd user units. Monitoring OAuth2 token requests and Microsoft Graph API activity is crucial, especially from endpoints that do not normally use these services. Additionally, blocking unknown Azure AD application credentials can reduce the risk of this type of abuse.
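The second recommendation, watching for Graph API and OAuth2 token activity from hosts that have no business making it, can be expressed as a small detection. The script below is an added example, not code from the original reporting: it reads proxy-style log lines in a constructed format (`<ISO timestamp> <client> <method> <url>`), and reports clients that request tokens from `login.microsoftonline.com` or call `graph.microsoft.com` without being on an allowlist of hosts that normally do, or that poll Graph at a short, regular interval, as a backdoor checking a mailbox every two seconds would. The host names, tenant path and sample log lines are constructed for the demo; the interval and jitter thresholds are assumptions to tune to the environment.

```python
"""Flag beacon-like Microsoft Graph API / OAuth2 token traffic per client.

Added example (not from the original report). Log format, client names
and thresholds are constructed / assumed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from urllib.parse import urlparse

TOKEN_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"

# Constructed sample: a workstation that legitimately syncs mail through
# Graph at irregular intervals, a Linux server that starts polling an
# inbox every two seconds, and a server with unrelated traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-042 POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2024-05-01T09:00:01 ws-042 GET https://graph.microsoft.com/v1.0/me/messages
2024-05-01T09:07:30 ws-042 GET https://graph.microsoft.com/v1.0/me/messages
2024-05-01T09:19:12 ws-042 GET https://graph.microsoft.com/v1.0/me/mailFolders
2024-05-01T09:10:00 srv-lin-07 POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2024-05-01T09:10:02 srv-lin-07 GET https://graph.microsoft.com/v1.0/users/example-user/mailFolders/inbox/messages
2024-05-01T09:10:04 srv-lin-07 GET https://graph.microsoft.com/v1.0/users/example-user/mailFolders/inbox/messages
2024-05-01T09:10:06 srv-lin-07 GET https://graph.microsoft.com/v1.0/users/example-user/mailFolders/inbox/messages
2024-05-01T09:10:08 srv-lin-07 GET https://graph.microsoft.com/v1.0/users/example-user/mailFolders/inbox/messages
2024-05-01T09:10:10 srv-lin-07 GET https://graph.microsoft.com/v1.0/users/example-user/mailFolders/inbox/messages
2024-05-01T09:11:00 srv-db-01 GET https://example.invalid/health
"""


def parse_log(text: str) -> dict:
    """Group (timestamp, host, path) events by client name."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        parsed = urlparse(url)
        events[client].append((datetime.fromisoformat(ts), parsed.hostname or "", parsed.path))
    return events


def detect_graph_abuse(log_text: str, expected_clients: frozenset = frozenset(),
                       max_interval: float = 10.0, max_jitter: float = 1.0) -> list:
    """Return alerts for clients with unexpected or beacon-like Graph/OAuth2 use.

    max_interval: median seconds between Graph calls at or below which the
    pattern counts as polling; max_jitter: population std-dev of the gaps at
    or below which the cadence counts as machine-regular. Both are assumed
    demo values.
    """
    alerts = []
    for client, evs in parse_log(log_text).items():
        token_requests = sum(
            1 for _, host, path in evs
            if host == TOKEN_HOST and path.endswith("/oauth2/v2.0/token")
        )
        graph_times = sorted(t for t, host, _ in evs if host == GRAPH_HOST)
        if not token_requests and not graph_times:
            continue  # client never touched the identity or Graph endpoints
        reasons = []
        if client not in expected_clients:
            reasons.append("not an expected Graph/OAuth2 client")
        if len(graph_times) >= 3:
            gaps = [(b - a).total_seconds() for a, b in zip(graph_times, graph_times[1:])]
            if median(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
                reasons.append(f"regular Graph polling every ~{median(gaps):.0f}s")
        if reasons:
            alerts.append({
                "client": client,
                "token_requests": token_requests,
                "graph_requests": len(graph_times),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_graph_abuse(SAMPLE_LOG, expected_clients=frozenset({"ws-042"})):
        print(f"{alert['client']}: {alert['token_requests']} token request(s), "
              f"{alert['graph_requests']} Graph request(s)")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The allowlist check is the higher-signal one: a Linux server that has never requested an Azure AD token is interesting regardless of cadence. The cadence check exists because the report's two-second polling would still stand out even on a host that is allowed to use Graph, and it deliberately ignores clients with fewer than three Graph calls so a single sync does not trigger it.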

Conclusion

The Harvester APT group’s innovative use of legitimate cloud services for malicious purposes underscores the evolving landscape of cyber threats. Organizations must remain vigilant and adapt their security measures to counter these sophisticated tactics.

🔒 Pro Insight

The use of legitimate cloud services for C2 communications marks a significant shift in APT tactics, complicating traditional detection methods.
