GoGra backdoor targets Linux, abuses Microsoft Graph API for stealthy attacks

Data Security, Malware, Threat Intelligence

A new Linux variant of the GoGra backdoor, developed by the espionage group Harvester, uses legitimate Microsoft infrastructure to deliver payloads stealthily through an Outlook inbox. The malware reads and writes mailbox data through the Microsoft Graph API, so its command-and-control traffic blends into ordinary Microsoft 365 traffic and is hard to distinguish from legitimate use, as reported by Bleeping Computer.

The Harvester group, believed to be state-sponsored, has been active since at least 2021, targeting telecommunications, government, and IT organizations in South Asia with custom tools. The Linux GoGra backdoor, analyzed by Symantec, is distributed as ELF binaries disguised as PDF files. After gaining initial access, it establishes persistence through systemd and an XDG autostart entry.

The malware then queries a specific Outlook mailbox folder for emails whose subject lines start with "Input". It decrypts the command content carried in those emails, executes the commands locally, and sends the encrypted results back as reply emails, deleting the original command email to evade detection. The Linux variant shares a near-identical codebase with its Windows counterpart, indicating a single developer and the Harvester group's involvement.

Source: Bleeping Computer
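The two host-side artifacts the article describes, a systemd unit and an XDG autostart entry that launch an ELF carrying a document extension, are cheap to hunt for. The script below is an added example written for this page, not code from Symantec, Bleeping Computer or the GoGra sample: it parses `Exec=` (XDG `.desktop`) and `ExecStart=` (systemd `.service`) lines, resolves the first token to a path, and flags any target whose extension looks like a document but whose first four bytes are the ELF magic. The directory list, the file names used in the demo (`invoice.pdf`, `update.desktop`, `update.service`) and the "document extension" set are assumptions chosen for illustration; the demo tree is constructed in a temporary directory so the script runs offline. The mailbox-polling side of the backdoor (Graph API queries for "Input" subjects) is not reproduced here.

```python
"""Hunt for GoGra-style persistence: autostart/systemd entries whose target
is an ELF binary masquerading as a document (e.g. a ".pdf" that starts with
\x7fELF). Added example for this page; not the malware's or Symantec's code."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"
# Assumption: extensions a lure would plausibly carry; extend as needed.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt"}
# Assumption: the usual per-user and system-wide persistence locations.
DEFAULT_DIRS = [
    "~/.config/autostart", "/etc/xdg/autostart",
    "~/.config/systemd/user", "/etc/systemd/system",
]
EXEC_RE = re.compile(r"^\s*(Exec|ExecStart)\s*=\s*(.+?)\s*$", re.MULTILINE)


def exec_targets(unit_text: str) -> List[str]:
    """Return the program paths named by Exec= (XDG) or ExecStart= (systemd)
    lines. Only the first token matters; systemd allows prefix characters
    such as '-' or '@' before the path, and XDG entries may quote the path
    and append field codes like %U."""
    targets = []
    for _, value in EXEC_RE.findall(unit_text):
        first = value.split()[0]
        first = first.lstrip("-@:+!").strip('"')
        targets.append(os.path.expanduser(first))
    return targets


def is_elf(path: str) -> bool:
    """True if the file begins with the ELF magic; unreadable files are False."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def is_masquerading_elf(path: str) -> bool:
    """Document extension on the outside, ELF header on the inside."""
    return Path(path).suffix.lower() in DOC_EXTENSIONS and is_elf(path)


def scan_persistence_dirs(dirs) -> List[Tuple[str, str]]:
    """Walk the given directories for .desktop/.service files and return
    (unit_file, target_path) pairs whose target is a masquerading ELF."""
    findings = []
    for d in dirs:
        for root, _, files in os.walk(os.path.expanduser(d)):
            for name in files:
                if not name.endswith((".desktop", ".service")):
                    continue
                unit = os.path.join(root, name)
                try:
                    text = Path(unit).read_text(errors="replace")
                except OSError:
                    continue
                for target in exec_targets(text):
                    if is_masquerading_elf(target):
                        findings.append((unit, target))
    return findings


def build_demo_tree(base: str) -> Tuple[str, str]:
    """Construct sample artifacts (not real samples): a fake 'invoice.pdf'
    holding an ELF header, an autostart entry and a user unit that launch it,
    plus benign controls that must not be flagged."""
    payload_dir = os.path.join(base, "Downloads")
    autostart_dir = os.path.join(base, "autostart")
    unit_dir = os.path.join(base, "systemd-user")
    for d in (payload_dir, autostart_dir, unit_dir):
        os.makedirs(d, exist_ok=True)
    payload = os.path.join(payload_dir, "invoice.pdf")
    with open(payload, "wb") as f:  # ELF64 ident bytes, zero-padded; not runnable
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    Path(autostart_dir, "update.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Update\n"
        f'Exec="{payload}" %U\nHidden=false\n')
    Path(unit_dir, "update.service").write_text(
        "[Unit]\nDescription=Update\n[Service]\n"
        f"ExecStart=-{payload}\nRestart=always\n"
        "[Install]\nWantedBy=default.target\n")
    Path(payload_dir, "notes.txt").write_text("just text\n")  # real document
    Path(autostart_dir, "benign.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=/bin/true\n")  # real binary, no lure extension
    return autostart_dir, unit_dir


def run_demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        autostart_dir, unit_dir = build_demo_tree(tmp)
        return scan_persistence_dirs([autostart_dir, unit_dir])


if __name__ == "__main__":
    for unit, target in run_demo():
        print(f"[demo] {unit} -> {target}")
    for unit, target in scan_persistence_dirs(DEFAULT_DIRS):  # the real host
        print(f"[host] {unit} -> {target}")
```

The extension check is deliberately a first-pass filter: an ELF with no extension at all in `~/.config/autostart` is not flagged by this script, so on a real hunt compare every autostart and user-unit target against package-manager ownership as well.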
