An unnamed media organization in South Asia fell victim to a cyber attack in November 2023 that used a previously undocumented Go-based backdoor tracked as GoGra.
According to a report by Symantec, GoGra relies on the Microsoft Graph API to communicate with a command-and-control (C&C) server hosted on Microsoft mail services, so its traffic blends in with ordinary Outlook and Microsoft 365 activity.
How GoGra is delivered remains unknown. Once running, it reads messages from the Outlook username "FNU LNU" and acts only on those whose subject line begins with "Input"; all other mail is ignored.
The message contents are decrypted with AES-256 in CBC mode using a hardcoded key, and the recovered commands are run via cmd.exe. The command output is then encrypted the same way and sent back to the same user in a message with the subject "Output".
Symantec attributes GoGra to a nation-state group it tracks as Harvester. It resembles Graphon, a custom .NET implant previously used by the group that likewise uses the Graph API for C&C.
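The following Go program is an added example, not code from the Symantec report or the GoGra sample. It models the mail-based tasking channel described above from the analyst's side: given a mailbox export and the hardcoded key recovered from the implant, it picks out the "Input" messages from "FNU LNU" and the "Output" replies to that user, decrypts them with AES-256-CBC, and reconstructs the operator's command/result exchange. The message body layout (base64 of IV followed by ciphertext, PKCS#7 padding), the key value and every mailbox entry are constructed for the example; the report only states AES-256-CBC with a hardcoded key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message holds the Graph API mail fields that matter for this channel.
type Message struct{ From, To, Subject, Body string }

// Tasking is one recovered step: "Input" is an operator command, "Output" the implant's reply.
type Tasking struct{ Direction, Plaintext string }

const operatorName = "FNU LNU" // sender name the implant watches for (from the Symantec report)

// sampleKey stands in for the key an analyst would carve out of the sample; constructed for this example only.
var sampleKey = sha256.Sum256([]byte("example-key-not-from-the-real-sample"))

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("plaintext not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// encryptBody produces a message body: AES-256-CBC, random IV prepended, base64 encoded (layout assumed).
func encryptBody(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// decryptBody reverses encryptBody and rejects malformed or wrongly padded input.
func decryptBody(key []byte, body string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(body))
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("body too short or not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// RecoverTasking applies the implant's own selection rule to a mailbox export:
// "Input" messages from the operator and "Output" replies to the operator, in mailbox order.
// Matches that fail to decrypt are reported rather than silently dropped.
func RecoverTasking(key []byte, msgs []Message) ([]Tasking, []error) {
	var out []Tasking
	var errs []error
	for _, m := range msgs {
		var dir string
		switch {
		case m.From == operatorName && strings.HasPrefix(m.Subject, "Input"):
			dir = "Input"
		case m.To == operatorName && strings.HasPrefix(m.Subject, "Output"):
			dir = "Output"
		default:
			continue
		}
		pt, err := decryptBody(key, m.Body)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s %q: %w", dir, m.Subject, err))
			continue
		}
		out = append(out, Tasking{dir, string(pt)})
	}
	return out, errs
}

// BuildSampleMailbox constructs a tiny export: benign mail, one tasking, one reply, one undecryptable decoy.
func BuildSampleMailbox() ([]Message, error) {
	cmd, err := encryptBody(sampleKey[:], []byte("whoami && ipconfig /all"))
	if err != nil {
		return nil, err
	}
	res, err := encryptBody(sampleKey[:], []byte("victim-pc\\svc_news\r\nWindows IP Configuration"))
	if err != nil {
		return nil, err
	}
	return []Message{
		{"newsdesk@example.org", "editor@example.org", "Tomorrow's front page", "Draft attached."},
		{operatorName, "editor@example.org", "Input", cmd},
		{"editor@example.org", operatorName, "Output", res},
		{operatorName, "editor@example.org", "Input: retry", "bm90IGNpcGhlcnRleHQ="}, // too short to be valid
	}, nil
}

func main() {
	msgs, err := BuildSampleMailbox()
	if err != nil {
		panic(err)
	}
	tasks, errs := RecoverTasking(sampleKey[:], msgs)
	for _, t := range tasks {
		fmt.Printf("[%s] %q\n", t.Direction, t.Plaintext)
	}
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
}
```

The same selection rule works as a hunting query against a mailbox: any "Input" message from that sender, or "Output" message to it, whose body is an opaque base64 blob rather than readable text is worth pulling, even before the key is known.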
Abusing legitimate cloud services to hide C&C traffic is an increasingly common evasion technique. Other recent malware families using similar tactics include:
- Firefly used a previously undocumented data exfiltration tool in an attack on a military organization in Southeast Asia; the stolen data is uploaded to Google Drive using hardcoded tokens.
- Grager, a backdoor used against organizations in Taiwan, Hong Kong, and Vietnam, communicates via the Graph API with a C&C server hosted on Microsoft OneDrive; it is linked to a suspected Chinese threat actor tracked as UNC5330.
- MoonTag and Onedrivetools, backdoors attributed to Chinese-speaking threat actors, also use the Graph API to reach C&C infrastructure hosted on cloud services.
Symantec notes that this is part of a broader trend, citing earlier examples such as BLUELIGHT, Graphite, Graphican, and BirdyClient.
Because this traffic goes to trusted, widely used cloud domains, it is difficult to block at the network perimeter. Detection therefore shifts to identity and application signals, such as unexpected OAuth application consents, unusual Graph API usage in Microsoft 365 audit logs, and endpoint telemetry showing processes other than mail clients contacting Graph endpoints.

