Rising Threat: APT Groups Target Cloud Services for Control

Tech Read Team

Unlocking Microsoft Graph API with GoGra and Trojan.Grager

The use of sophisticated malware implants in targeted intrusions is on the rise. GoGra and Trojan.Grager are two APT implants that abuse the Microsoft Graph API as a command-and-control channel to carry out malicious activity on compromised systems.

Let’s start with GoGra, a stealthy backdoor that authenticates to the Outlook mail service with OAuth access tokens under the username FNU LNU. The backdoor scans the Outlook mailbox for messages whose subject line contains the word “Input.” Those messages carry encrypted instructions, which GoGra decrypts with a hardcoded AES-256 key. Once decrypted, the commands are executed by writing them to the standard input of a cmd.exe process; the ‘cd’ command is supported for changing directories. The command output is encrypted and mailed back to the sender with the subject line “Output.”
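The tasking pattern just described (an inbound “Input” message followed by an outbound “Output” reply to the same address) can be hunted for in mailbox message records. The following detection routine is an added example, not code from the original article or from any vendor; the message record format and the addresses are constructed for the illustration.

```python
# Added illustrative detection, not from the original article. Flags the GoGra-style
# mail C2 exchange: a message whose subject contains "Input" arriving in a mailbox,
# followed shortly by a message whose subject contains "Output" sent from that
# mailbox back to the original sender. Record format is constructed for this example.
from datetime import datetime, timedelta


def _parse(ts):
    # Timestamps in the constructed records use this fixed format
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_mail_c2_pairs(messages, window_minutes=60):
    """Return (input_id, output_id) pairs matching the Input/Output beaconing pattern.

    messages: list of dicts with keys id, subject, sender, recipient, received.
    """
    ordered = sorted(messages, key=lambda m: _parse(m["received"]))
    inputs = [m for m in ordered if "Input" in m["subject"]]
    outputs = [m for m in ordered if "Output" in m["subject"]]
    pairs = []
    for inp in inputs:
        for out in outputs:
            # The result must flow from the tasked mailbox back to whoever sent the tasking
            same_channel = (out["sender"] == inp["recipient"]
                            and out["recipient"] == inp["sender"])
            delta = _parse(out["received"]) - _parse(inp["received"])
            if same_channel and timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                pairs.append((inp["id"], out["id"]))
                break  # one reply per tasking message is enough to flag the pair
    return pairs


# Constructed sample mailbox records (placeholder addresses, not real traffic)
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Weekly report", "sender": "alice@example.test",
     "recipient": "victim@example.test", "received": "2024-06-01T09:00:00"},
    {"id": "m2", "subject": "Input", "sender": "operator@example.test",
     "recipient": "victim@example.test", "received": "2024-06-01T09:05:00"},
    {"id": "m3", "subject": "Output", "sender": "victim@example.test",
     "recipient": "operator@example.test", "received": "2024-06-01T09:06:30"},
    {"id": "m4", "subject": "Input", "sender": "operator@example.test",
     "recipient": "victim@example.test", "received": "2024-06-01T11:00:00"},
    # An "Output" that did not go back to the tasking sender: not a match
    {"id": "m5", "subject": "Output", "sender": "victim@example.test",
     "recipient": "bob@example.test", "received": "2024-06-01T11:01:00"},
]

if __name__ == "__main__":
    for inp, out in find_mail_c2_pairs(SAMPLE_MESSAGES):
        print(f"possible mail C2 exchange: tasking {inp} -> result {out}")
```

Subject matching is a substring test, so subjects such as “Inputs” also trigger; tune the window and add sender-reputation or OAuth-app context from audit logs to cut false positives.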

Trojan.Grager, which has been used against organizations in Taiwan, Hong Kong, and Vietnam, takes a different approach. It is distributed through a trojanized installer for the popular 7-Zip archive manager, and unlike GoGra it uses Microsoft OneDrive for command and control (C2). Through that channel the backdoor downloads, uploads, and executes files while collecting system and machine information.

Both implants highlight the growing sophistication of cyber threats and the importance of staying vigilant. By understanding how they operate and applying current cybersecurity tools and practices, organizations can better protect themselves against this kind of activity.
