New Go-Based Backdoor GoGra Targets South Asian Media Outlet

A previously unknown Go-based backdoor called GoGra was used in a cyberattack against a media organization in South Asia.

According to the researchers' report, GoGra is written in Go and uses the Microsoft Graph API to communicate with a command-and-control (C&C) server hosted on Microsoft mail services, so its C&C traffic is HTTPS to a legitimate Microsoft endpoint rather than to attacker-owned infrastructure. How GoGra is delivered into target environments remains unclear.

What distinguishes GoGra is its tasking channel: it is configured to poll an Outlook mailbox for messages from a user named "FNU LNU" whose subject lines begin with the word "Input". The body of each such message is decrypted with AES-256 in Cipher Block Chaining (CBC) mode, the resulting command is executed through cmd.exe, and the output is encrypted with the same algorithm and sent back to the same user under the subject "Output".
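The exchange described above, modelled in Go as an added example (this is not GoGra's code or anything from the researchers' report). It shows both sides: the operator wrapping a command into an "Input" message, and the implant filtering the mailbox by sender and subject prefix, decrypting with AES-256-CBC, running the command and replying under "Output". The report names only the cipher and mode, so PKCS#7 padding, a random per-message IV prepended to the ciphertext, base64 encoding of the mail body and the 32-byte demo key are all assumptions; the command executor is injected (the real implant uses cmd.exe) so the model runs offline, and the sample mailbox is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message carries the mailbox fields the exchange needs; the constants are the article's markers.
type Message struct{ From, Subject, Body string }

const operatorName, inputPrefix, outputPrefix = "FNU LNU", "Input", "Output"

// unpad strips PKCS#7 padding (an assumption: the report names AES-256-CBC but not the padding).
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt returns base64(IV || AES-256-CBC(pad(plaintext))); a fresh random IV per message is assumed.
func Encrypt(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always add 1..16 bytes
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// Decrypt reverses Encrypt, rejecting bodies that are not well-formed ciphertext.
func Decrypt(key []byte, body string) (string, error) {
	block, err := aes.NewCipher(key)
	raw, derr := base64.StdEncoding.DecodeString(body)
	if err != nil || derr != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("bad key, or body is not base64(IV || ciphertext)")
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	out, err := unpad(pt)
	return string(out), err
}

// IsTasking is the implant's selection rule; it doubles as a hunt predicate over mailbox logs.
func IsTasking(m Message) bool {
	return m.From == operatorName && strings.HasPrefix(m.Subject, inputPrefix)
}

// BuildTasking is the operator side: one command wrapped into an "Input" message.
func BuildTasking(key []byte, cmd string) (Message, error) {
	body, err := Encrypt(key, cmd)
	return Message{From: operatorName, Subject: inputPrefix + " 1", Body: body}, err
}

// ProcessMailbox is the implant side: decrypt each tasking, hand the command to run (cmd.exe in
// the real implant; injected here so the model stays offline) and encrypt the result as "Output".
func ProcessMailbox(key []byte, inbox []Message, run func(string) string) []Message {
	var replies []Message
	for _, m := range inbox {
		if !IsTasking(m) {
			continue
		}
		cmd, err := Decrypt(key, m.Body)
		if err != nil {
			continue // matches the filter but is not our ciphertext: skip, do not abort the loop
		}
		if body, err := Encrypt(key, run(cmd)); err == nil {
			replies = append(replies, Message{From: "implant", Subject: outputPrefix, Body: body})
		}
	}
	return replies
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	task, _ := BuildTasking(key, "whoami")
	inbox := []Message{{From: operatorName, Subject: "Input junk", Body: "aGVsbG8="}, task} // constructed
	for _, r := range ProcessMailbox(key, inbox, func(c string) string { return "ran: " + c }) {
		out, _ := Decrypt(key, r.Body) // operator reads the reply
		fmt.Printf("%s <- %q\n", r.Subject, out)
	}
}
```

Two points worth noticing from the model. First, `IsTasking` is exactly the pattern a defender can hunt for in mailbox or Graph audit logs: an external sender display name combined with a fixed subject prefix is a weak but cheap indicator. Second, plain CBC gives no integrity: `Decrypt` only rejects a wrong key or tampered body when the PKCS#7 check happens to fail, which is why the loop skips undecryptable mail instead of trusting it.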

The researchers assess that GoGra is likely the work of a nation-state hacking group known as Harvester, based on its similarities to another custom implant named Graphon, which also employs the Graph API for C&C communication.

This attack is part of a growing trend in which threat actors leverage legitimate cloud services for their operations instead of setting up dedicated infrastructure. Because the traffic goes to services that organizations already use and allow, it blends in with normal activity and cannot be blocked by domain or IP reputation, which makes detection considerably harder.

Other recent examples of malware using similar tactics include:

– A new data exfiltration tool used by the Firefly group in an attack on a military organization in Southeast Asia. This tool uploads stolen data to Google Drive using a hard-coded refresh token.
– A backdoor called Grager, which was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. This backdoor also uses the Graph API to communicate with a C&C server on Microsoft OneDrive. It is suspected to be the work of a Chinese threat actor known as UNC5330.
– MoonTag, another backdoor attributed to a Chinese-speaking hacker group, with features that allow it to communicate with the Graph API.
– Onedrivetools, a backdoor used against IT services companies in the U.S. and Europe, which interacts with a C&C server on OneDrive to execute commands and store the results.

The researchers note that while using cloud services for command and control is not a new strategy, there has been a noticeable increase in its adoption by threat actors. Malware such as BLUELIGHT, Graphite, Graphican, and BirdyClient are earlier examples of the same trend.

“The rise in the number of espionage actors using cloud services for C&C purposes suggests that these groups are closely monitoring successful techniques employed by other threat actors and are adopting them in their own operations,” the researchers added.

Defending against attacks like those involving the GoGra backdoor requires a multi-layered security approach. Strong email filtering can block phishing attempts that might deliver the malware, although GoGra's delivery vector is not known. Because its C&C traffic goes to Microsoft's own services, network blocking offers little, so detection has to come from endpoint protection and regular security audits: an unrecognized binary spawning cmd.exe, processes other than Microsoft's own clients calling the Graph API, and mailbox activity matching the sender and subject pattern described above are the kinds of unusual activity to look for.