🎯Basically, a new malware for Linux uses Microsoft email tools to hide and deliver harmful commands.
What Happened
A new variant of the GoGra backdoor has emerged, specifically targeting Linux systems. This malware utilizes legitimate Microsoft infrastructure, particularly the Microsoft Graph API, to stealthily deliver payloads. Developed by the Harvester espionage group, this malware is designed to operate under the radar, making it a significant threat.
How It Works
The Linux GoGra backdoor operates by tricking victims into executing ELF binaries disguised as PDF files. Once executed, the malware establishes persistence through systemd and an XDG autostart entry, masquerading as the legitimate Conky system monitor. This clever disguise helps it avoid detection.
The malware uses hardcoded Azure Active Directory (AD) credentials to authenticate with Microsoft's cloud services, allowing it to obtain OAuth2 tokens. With these tokens, it can interact with Outlook mailboxes via the Microsoft Graph API. Specifically, it monitors a mailbox folder named “Zomato Pizza”, checking for emails with subject lines starting with “Input.”
When such an email is found, the malware decrypts its contents and executes the commands locally. After processing, it sends the results back to the attacker via reply emails with the subject “Output.” To further cover its tracks, the malware deletes the original command email after execution.
Who's Being Targeted
The Harvester group, believed to be state-backed, has a history of targeting sectors such as telecommunications, government, and IT organizations in South Asia. The introduction of this Linux variant indicates an expansion of their targeting capabilities, potentially affecting a broader range of systems.
Signs of Infection
Indicators of infection may include:
Unusual processes running, such as a process posing as the Conky system monitor that you did not install
Emails in Outlook, in particular a mailbox folder named “Zomato Pizza” or messages with subject lines beginning “Input” or “Output”
Changes to system startup configuration, such as new systemd units or XDG autostart entries
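The host-side indicators above follow directly from the persistence and delivery tricks described under “How It Works”: an ELF binary carrying a PDF name, and a systemd unit or XDG autostart entry that claims to be Conky but launches something else. The script below is an added example written for this page (it is not code from the original post, from Harvester's malware, or from any vendor report). It assumes the trusted Conky path is `/usr/bin/conky` (on a live host you would use `shutil.which("conky")`), and every file it inspects in `demo()` is constructed in a temporary directory; the hidden `.cache` drop location is a made-up placeholder, not a reported indicator.

```python
"""
Hunt for two GoGra-style persistence/lure artefacts on a Linux host:
  1. a file with a document extension whose bytes are actually an ELF binary
  2. systemd user units / XDG autostart entries that say "conky" but run a
     program other than the installed conky binary
Added example; paths and sample files below are constructed for the demo.
"""
import os
import re
import shutil
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf_with_document_extension(path, doc_exts=(".pdf", ".doc", ".docx")):
    """True if the file is named like a document but starts with the ELF magic."""
    if not path.lower().endswith(doc_exts):
        return False
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC


# Matches the Exec= line of a .desktop file or ExecStart= of a systemd unit.
_EXEC_RE = re.compile(r"^\s*(?:Exec|ExecStart)\s*=\s*(.+?)\s*$", re.MULTILINE)


def exec_target(text):
    """Return the program path from the first Exec=/ExecStart= line, or None."""
    m = _EXEC_RE.search(text)
    if not m:
        return None
    # systemd allows prefix characters such as '-' or '@' before the path.
    words = m.group(1).lstrip("-@!:+").split()
    return words[0] if words else None


def suspicious_conky_entries(search_dirs, real_conky):
    """
    Scan .desktop/.service files in search_dirs and return (file, program) pairs
    whose name or contents mention conky but whose program is not real_conky.
    Both sides are symlink-resolved so a symlink called 'conky' is not trusted.
    """
    trusted = os.path.realpath(real_conky)
    findings = []
    for d in search_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith((".desktop", ".service")):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            target = exec_target(text)
            if target is None:
                continue
            claims_conky = "conky" in (name + text).lower()
            if claims_conky and os.path.realpath(target) != trusted:
                findings.append((path, target))
    return findings


def demo():
    """Build a constructed sample tree, run both checks, and return the results."""
    root = tempfile.mkdtemp(prefix="gogra-hunt-")
    autostart = os.path.join(root, ".config", "autostart")
    units = os.path.join(root, ".config", "systemd", "user")
    os.makedirs(autostart)
    os.makedirs(units)
    # Constructed: a fake 'conky' ELF dropped in a hidden directory (placeholder location).
    fake_bin = os.path.join(root, ".cache", "conky")
    os.makedirs(os.path.dirname(fake_bin))
    elf_stub = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    with open(fake_bin, "wb") as fh:
        fh.write(elf_stub)
    # Constructed lure: ELF bytes saved under a .pdf name.
    lure = os.path.join(root, "invoice.pdf")
    with open(lure, "wb") as fh:
        fh.write(elf_stub)
    # Legitimate-looking autostart entry pointing at the real binary (not flagged).
    with open(os.path.join(autostart, "conky.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Conky\nExec=/usr/bin/conky -d\n")
    # Masquerading autostart entry and systemd user unit (both flagged).
    with open(os.path.join(autostart, "conky-monitor.desktop"), "w") as fh:
        fh.write(f"[Desktop Entry]\nType=Application\nName=Conky\nExec={fake_bin}\n")
    with open(os.path.join(units, "conky.service"), "w") as fh:
        fh.write("[Unit]\nDescription=Conky system monitor\n[Service]\n"
                 f"ExecStart=-{fake_bin} --daemon\n[Install]\nWantedBy=default.target\n")
    hits = suspicious_conky_entries([autostart, units], "/usr/bin/conky")
    return {
        "disguised_elf": is_elf_with_document_extension(lure),
        "suspicious": [program for _, program in hits],
        "fake_bin": fake_bin,
    }


if __name__ == "__main__":
    print(demo())
    # On a real host: scan the user's own autostart and unit directories.
    home = os.path.expanduser("~")
    real = shutil.which("conky") or "/usr/bin/conky"
    for entry in suspicious_conky_entries(
        [os.path.join(home, ".config", "autostart"),
         os.path.join(home, ".config", "systemd", "user")], real):
        print("suspicious entry:", entry)
```

The check deliberately resolves symlinks on both sides before comparing, so a symlink or copy named `conky` in an unexpected directory is still reported; pair it with a mailbox search for the “Zomato Pizza” folder and “Input”/“Output” subjects to cover the email side of the indicators.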
How to Protect Yourself
To safeguard against this malware:
Detection
1. Ensure that your systems are updated with the latest security patches.
2. Monitor email communications for suspicious activity, especially from unknown sources.
Removal
3. Implement strict access controls for Azure AD credentials to prevent unauthorized access.
4. Use endpoint detection and response (EDR) solutions to identify and mitigate threats.
The emergence of the Linux variant of GoGra is a clear sign that cyber threats are evolving. Organizations must remain vigilant and proactive in their cybersecurity measures to combat these sophisticated attacks.
🔒 Pro insight: The use of Microsoft Graph API for command and control highlights a trend of malware leveraging legitimate services for evasion tactics.