
GoGra Backdoor: Unnamed South Asian Media Outlet Targeted

Wajahat Raja

August 20, 2024 - TuxCare expert team

According to recent reports, an unnamed media organization in South Asia fell prey to the GoGra backdoor in November 2023. The threat actor behind the attack on the South Asian media organization is believed to be part of Harvester, a nation-state hacking group.

In this article, we’ll dive into details pertaining to the attack and uncover what has been brought to light thus far. Let’s begin!

GoGra Backdoor Attack Uncovered

As for the attack chain, it is currently not known how the GoGra backdoor operators deliver the payload to target environments. It is worth noting, however, that the GoGra backdoor is specifically configured to read messages from the Outlook user named “FNU LNU.”

The subject line of these emails starts with the word “Input.” The GoGra backdoor is written in Go and uses the Microsoft Graph API to interact with its command-and-control (C&C) server. The contents of each message are decrypted with the AES-256 algorithm in Cipher Block Chaining (CBC) mode using a key.

After decryption, the GoGra backdoor uses “cmd.exe” to execute the commands. The results of those operations are then encrypted and sent back to the same user with the subject “Output.” At present, the GoGra backdoor threat actor is believed to be linked to the nation-state hacking group Harvester.

This attribution rests on similarities with earlier Harvester activity, which involved a custom .NET implant named Graphon. In addition, the GoGra backdoor’s use of the Graph API for C&C matches Harvester’s established tradecraft.
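The tasking loop described above (operator mailbox “FNU LNU” sends an “Input” message, the implant replies to the same user with an “Output” message) gives a defender a concrete hunting pattern in mailbox telemetry. The following Python script is an added example for this article, not code from the original report or from any vendor: it triages a constructed set of message-metadata records, pairs each “Output” with the most recent preceding “Input” from the operator mailbox, and reports results that arrive with no matching tasking. The `MailRecord` type, the one-hour pairing window and the sample mailbox are assumptions for illustration; in practice the records would come from the Graph API `/messages` resource or from mailbox audit logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Indicators quoted in the article: the operator mailbox display name and the
# subject prefixes used for tasking and results.
OPERATOR_DISPLAY_NAME = "FNU LNU"
TASKING_PREFIX = "Input"
RESULT_PREFIX = "Output"

# Assumption (not from the article): how long after an "Input" message the
# matching "Output" is expected. Tune this to the environment.
PAIR_WINDOW = timedelta(hours=1)


@dataclass
class MailRecord:
    """Subset of a Graph API message resource (assumed shape; mirrors the
    receivedDateTime, from.emailAddress.name, toRecipients and subject fields)."""
    id: str
    received: datetime
    sender_name: str
    recipient_names: List[str]
    subject: str


def is_tasking(msg: MailRecord) -> bool:
    """Tasking: sent by the operator mailbox with a subject starting 'Input'."""
    return (msg.sender_name == OPERATOR_DISPLAY_NAME
            and msg.subject.startswith(TASKING_PREFIX))


def is_result(msg: MailRecord) -> bool:
    """Result: sent back to the operator mailbox with a subject starting 'Output'."""
    return (OPERATOR_DISPLAY_NAME in msg.recipient_names
            and msg.subject.startswith(RESULT_PREFIX))


def triage(records: List[MailRecord]) -> Dict[str, List]:
    """Pair each result with the latest earlier tasking inside PAIR_WINDOW.

    Returns the matched (tasking_id, result_id) pairs, results that could not
    be matched (orphans), and tasking messages that were never answered.
    """
    ordered = sorted(records, key=lambda m: m.received)
    open_tasks: List[MailRecord] = []
    pairs: List[Tuple[str, str]] = []
    orphans: List[str] = []
    for msg in ordered:
        if is_tasking(msg):
            open_tasks.append(msg)
        elif is_result(msg):
            match: Optional[MailRecord] = None
            for task in reversed(open_tasks):  # newest tasking first
                if timedelta(0) <= msg.received - task.received <= PAIR_WINDOW:
                    match = task
                    break
            if match is not None:
                open_tasks.remove(match)
                pairs.append((match.id, msg.id))
            else:
                orphans.append(msg.id)
    return {
        "pairs": pairs,
        "orphan_results": orphans,
        "unanswered_tasks": [t.id for t in open_tasks],
    }


# Constructed sample mailbox for demonstration; not real telemetry.
T0 = datetime(2023, 11, 6, 9, 0)
SAMPLE = [
    MailRecord("m1", T0, "Alice Example", ["Victim User"], "Q4 editorial calendar"),
    MailRecord("m2", T0 + timedelta(minutes=5), OPERATOR_DISPLAY_NAME,
               ["Victim User"], "Input 1"),
    MailRecord("m3", T0 + timedelta(minutes=7), "Victim User",
               [OPERATOR_DISPLAY_NAME], "Output 1"),
    # Benign subject collision: the sender is not the operator mailbox.
    MailRecord("m4", T0 + timedelta(minutes=20), "Bob Example",
               ["Victim User"], "Input needed on draft"),
    # A result with no tasking inside the window still deserves a look.
    MailRecord("m5", T0 + timedelta(hours=5), "Victim User",
               [OPERATOR_DISPLAY_NAME], "Output 7"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Display names and subject prefixes are cheap for an operator to change, so the exact strings are best treated as a starting point; the durable signal is the shape of the traffic, a short request/response cadence with an external mailbox whose bodies are opaque ciphertext rather than readable text.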

Threat Actors Leveraging Legitimate Tools

Reflecting a broader trend in cybercrime, threat actors are increasingly abusing legitimate cloud services for their attacks. Such services let them blend in with normal traffic and spare them from acquiring dedicated infrastructure.

Those responsible for defending against online threats should know that other malware families relying on the same approach include:

  • A data exfiltration tool developed by Firefly and used in a cyber attack against a military organization in Southeast Asia.
  • The Grager backdoor, used against three organizations in Taiwan, Hong Kong, and Vietnam.
  • The MoonTag backdoor, which includes functionality for communicating with the Graph API.
  • The Onedrivetools backdoor, used against IT services companies in the United States (US) and Europe.

Given how common and how sophisticated such tactics have become, a comprehensive security strategy is now essential for mitigating risk.

Conclusion

The GoGra backdoor attack underscores the evolving sophistication of cyber threats, particularly those linked to nation-state actors like Harvester. By leveraging legitimate tools like Microsoft Graph API, these attackers can evade detection and carry out complex operations.

As such, organizations must adopt advanced security measures to mitigate risks, stay vigilant against similar tactics, and ensure their systems are resilient against emerging threats.

The sources for this piece include articles in The Hacker News and The Network Company.
