GoGra Backdoor: Unnamed South Asian Media Outlet Targeted
2024-8-20 15:0:8 Author: securityboulevard.com

As per recent reports, an unnamed media organization in South Asia had fallen prey to the GoGra backdoor in November 2023. The threat actor behind the South Asia media organization’s cyber attack is believed to be a part of Harvester, a nation-state hacking group.

In this article, we’ll dive into details pertaining to the attack and uncover what has been brought to light thus far. Let’s begin!

GoGra Backdoor Attack Uncovered

When it comes to the attack chain, it is currently not known how the GoGra backdoor operators deliver the payload to target environments. What is known is that GoGra is specifically configured to read messages from the Outlook user name “FNU LNU.”

The subject line of these emails starts with the word “Input.” As for its development, the GoGra backdoor is written in Go and uses the Microsoft Graph API to interact with its command-and-control (C&C) server. The contents of each message are decrypted using the AES-256 algorithm in Cipher Block Chaining (CBC) mode with a key.

After decryption, the GoGra backdoor uses “cmd.exe” to execute the commands. The results of those operations are then encrypted and sent back to the same user with the subject “Output.” As of now, the GoGra backdoor threat actor is believed to be linked to a nation-state hacking group called Harvester.
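For defenders, the mailbox command loop described above (an inbound “Input” message answered by an outbound “Output” message to the same counterpart) is something that can be hunted for in exported mail metadata. The script below is an added example, not code from the article or from the threat reports it draws on; the record field names, the constructed sample records and the 30-minute pairing window are assumptions made for the example.

```python
"""Hunt for a GoGra-style mailbox command loop in exported message metadata
(constructed records below approximate a Graph or message-trace export)."""
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_RECORDS = [  # constructed sample data, not real telemetry
    {"ts": "2023-11-02T09:00:00", "dir": "in",  "party": "FNU LNU",    "subject": "Input 7c1a"},
    {"ts": "2023-11-02T09:00:40", "dir": "out", "party": "FNU LNU",    "subject": "Output 7c1a"},
    {"ts": "2023-11-02T09:15:00", "dir": "in",  "party": "Alice Chen", "subject": "Input for Q3 survey"},
    {"ts": "2023-11-02T09:20:00", "dir": "out", "party": "Alice Chen", "subject": "Re: Input for Q3 survey"},
    {"ts": "2023-11-02T09:30:00", "dir": "in",  "party": "FNU LNU",    "subject": "Input 7c1b"},
    {"ts": "2023-11-02T11:00:00", "dir": "out", "party": "FNU LNU",    "subject": "Output 7c1b"},
    {"ts": "2023-11-02T10:00:00", "dir": "in",  "party": "Bob Lee",    "subject": "Input needed"},
    {"ts": "2023-11-02T10:05:00", "dir": "out", "party": "Bob Lee",    "subject": "Output attached"},
]

def find_command_loops(records, window_minutes=30):
    """Pair each inbound 'Input...' message with the first outbound 'Output...'
    reply to the same counterpart inside the window -> (party, t_in, t_out)."""
    pending = {}  # counterpart -> timestamps of still-unanswered Input messages
    loops = []
    for r in sorted(records, key=lambda r: r["ts"]):
        t = datetime.fromisoformat(r["ts"])
        if r["dir"] == "in" and r["subject"].startswith("Input"):
            pending.setdefault(r["party"], []).append(t)
        elif r["dir"] == "out" and r["subject"].startswith("Output"):
            queue = pending.get(r["party"], [])
            for i, t_in in enumerate(queue):
                if timedelta(0) <= t - t_in <= timedelta(minutes=window_minutes):
                    loops.append((r["party"], queue.pop(i).isoformat(), t.isoformat()))
                    break
    return loops

def flag_counterparts(records, indicator_name="FNU LNU", min_loops=2):
    """Counterparts worth triage: the display name from the report, or any party
    that repeats the loop (the behaviour survives a renamed operator account)."""
    loops = find_command_loops(records)
    per_party = Counter(party for party, _, _ in loops)
    return sorted(p for p in per_party if p == indicator_name or per_party[p] >= min_loops)

if __name__ == "__main__":
    for loop in find_command_loops(SAMPLE_RECORDS):
        print("command loop:", loop)
    print("flag for triage:", flag_counterparts(SAMPLE_RECORDS))
```

Bob Lee's single Input/Output exchange is reported as a loop but not flagged, which is the point of requiring repetition before alerting on behaviour alone.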


This attribution rests on similarities with earlier Harvester activity, which involved a custom .NET implant named Graphon. Like Graphon, the GoGra backdoor uses the Graph API for C&C communication, which is consistent with Harvester’s known tradecraft.

Increasingly, threat actors leverage legitimate cloud services for their attacks. Such services let them stay under the radar, since traffic to well-known cloud endpoints draws little suspicion, and spare them from acquiring dedicated infrastructure to carry out the attacks.

Those keen on ensuring protection against online threats should know that other malware families rely on a similar method, including:

  • A data exfiltration tool developed by Firefly, used in a cyber attack that targeted a military organization in Southeast Asia.
  • A backdoor named Grager, used against three organizations in Taiwan, Hong Kong, and Vietnam.
  • The MoonTag backdoor, which contains functionality for communicating with the Graph API.
  • The Onedrivetools backdoor, used against IT services companies in the United States (US) and Europe.

Given the prevalence and increased complexity of such attack tactics, developing comprehensive security strategies is now essential for risk mitigation and ensuring protection.

Conclusion

The GoGra backdoor attack underscores the evolving sophistication of cyber threats, particularly those linked to nation-state actors like Harvester. By leveraging legitimate tools like Microsoft Graph API, these attackers can evade detection and carry out complex operations.

As such, organizations must adopt advanced security measures to mitigate risks, stay vigilant against similar tactics, and ensure their systems are resilient against emerging threats.

The sources for this piece include articles in The Hacker News and The Network Company.

The post GoGra Backdoor: Unnamed South Asian Media Outlet Targeted appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/gogra-backdoor-unnamed-south-asian-media-outlet-targeted/


Article source: https://securityboulevard.com/2024/08/gogra-backdoor-unnamed-south-asian-media-outlet-targeted/