New Go-based Backdoor GoGra Targets South Asian Media Organization

Aug 07, 2024 | Ravie Lakshmanan | Cloud Security / Cyber Espionage

An unnamed media organization in South Asia was targeted in November 2023 with a previously undocumented Go-based backdoor called GoGra.

“GoGra has been coded using Go and leverages the Microsoft Graph API to communicate with a command-and-control (C&C) server stationed on Microsoft mail services,” Symantec, part of Broadcom, stated in a report shared with The Hacker News.

How GoGra is delivered to targeted systems is currently unknown. Once running, it is configured to read messages from an Outlook user named "FNU LNU" whose subject line begins with the word "Input."

The message contents are then decrypted with AES-256 in Cipher Block Chaining (CBC) mode using a key, after which the decrypted commands are executed via cmd.exe.

The command output is then encrypted and sent back to the same user with the subject "Output."
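The tasking channel described above (poll a mailbox, keep only mail that matches a sender-and-subject pattern, AES-256-CBC-decrypt the body) is the kind of thing an analyst has to reconstruct when triaging a mailbox export or a Graph API response from a victim tenant. The program below is an added example written for this article, not Symantec's code and not GoGra itself: it filters a Graph `/messages` listing for the GoGra pattern and decodes the bodies, rather than executing anything. The 32-byte key, the convention that the IV is prepended to the ciphertext, the Base64 encoding of the body, the sender addresses and the message bodies are all constructed assumptions; the report only states that AES-256-CBC and a key are used, and names the mailbox "FNU LNU" and the "Input"/"Output" prefixes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// From the report: operator mailbox display name and subject prefixes. The key, the
// IV-prepended-to-ciphertext layout and every message body below are constructed.
const operatorName, inputPrefix, outputPrefix = "FNU LNU", "Input", "Output"
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256 (constructed)
	demoIV  = []byte("fedcba9876543210")                 // 16 bytes (constructed)
)

// Subset of a Microsoft Graph message resource; only the display name is matched.
type party struct{ EmailAddress struct{ Name string `json:"name"` } `json:"emailAddress"` }
type GraphMessage struct {
	Subject      string                                 `json:"subject"`
	From         party                                  `json:"from"`
	ToRecipients []party                                `json:"toRecipients"`
	Body         struct{ Content string `json:"content"` } `json:"body"`
}

type Task struct{ Direction, Subject, Plaintext string } // "Input": operator->implant, "Output": implant->operator

// encryptCBC returns base64(IV || AES-CBC(PKCS#7(pt))); used only to build the sample mailbox.
func encryptCBC(key, iv, pt []byte) string {
	block, _ := aes.NewCipher(key) // demoKey is a valid AES-256 key
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte(nil), iv...), ct...))
}

// decryptCBC reverses encryptCBC, rejecting a bad key, malformed lengths and bad padding.
func decryptCBC(key []byte, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	block, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, or body is not base64(IV || whole AES blocks)")
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key?)")
	}
	return pt[:len(pt)-n], nil
}

// ExtractTasks decodes only items matching the GoGra pattern: "Input…" sent by the operator
// mailbox, "Output…" addressed to it alone. Anything else in the mailbox is skipped.
func ExtractTasks(key, listingJSON []byte) ([]Task, error) {
	var listing struct{ Value []GraphMessage `json:"value"` }
	if err := json.Unmarshal(listingJSON, &listing); err != nil {
		return nil, err
	}
	var tasks []Task
	for _, m := range listing.Value {
		var dir string
		switch {
		case strings.HasPrefix(m.Subject, inputPrefix) && m.From.EmailAddress.Name == operatorName:
			dir = inputPrefix
		case strings.HasPrefix(m.Subject, outputPrefix) && len(m.ToRecipients) == 1 &&
			m.ToRecipients[0].EmailAddress.Name == operatorName:
			dir = outputPrefix
		default:
			continue
		}
		pt, err := decryptCBC(key, m.Body.Content)
		if err != nil {
			return nil, fmt.Errorf("message %q: %w", m.Subject, err)
		}
		tasks = append(tasks, Task{dir, m.Subject, string(pt)})
	}
	return tasks, nil
}

// SampleListing is a constructed Graph /me/messages page: one task, one result, one look-alike newsletter.
func SampleListing() []byte {
	const tmpl = `{"value":[
 {"subject":"Input 2023-11-14","from":{"emailAddress":{"name":"FNU LNU","address":"fnu.lnu@example.com"}},
  "toRecipients":[{"emailAddress":{"name":"Host","address":"host@example.org"}}],"body":{"content":"%s"}},
 {"subject":"Output 2023-11-14","from":{"emailAddress":{"name":"Host","address":"host@example.org"}},
  "toRecipients":[{"emailAddress":{"name":"FNU LNU","address":"fnu.lnu@example.com"}}],"body":{"content":"%s"}},
 {"subject":"Input: weekly IT newsletter","from":{"emailAddress":{"name":"IT News","address":"news@example.org"}},
  "toRecipients":[{"emailAddress":{"name":"Host","address":"host@example.org"}}],"body":{"content":"not ciphertext"}}]}`
	return []byte(fmt.Sprintf(tmpl, encryptCBC(demoKey, demoIV, []byte("whoami /all")),
		encryptCBC(demoKey, demoIV, []byte("corp\\svc-media"))))
}

func main() { fmt.Println(ExtractTasks(demoKey, SampleListing())) }
```

The third sample message is deliberately a near miss: its subject starts with "Input" but it does not come from the operator mailbox, so it is never passed to the cipher. Matching on sender plus subject prefix, and on recipient for the "Output" direction, is what keeps a triage pass from choking on ordinary mail that happens to share a word with the C&C convention. If the key recovered from a sample is wrong, the padding check fails and the message is reported rather than silently producing garbage.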

GoGra is assessed to be the work of a nation-state hacking group tracked as Harvester, based on its similarities to a custom .NET implant named Graphon, which likewise uses the Graph API for C&C.


The development comes as threat actors increasingly abuse legitimate cloud services to stay under the radar and avoid having to acquire dedicated infrastructure.

Some of the other new malware families that have adopted this approach:

  • A previously unseen data exfiltration tool used by Firefly in an intrusion against a military organization in Southeast Asia. The stolen data is uploaded to Google Drive using a hard-coded refresh token.
  • A new backdoor named Grager deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. It uses the Graph API to communicate with a C&C server hosted on Microsoft OneDrive. The activity has been tentatively linked to a suspected Chinese threat actor tracked as UNC5330.
  • A backdoor named MoonTag that includes functionality for communicating with the Graph API and is attributed to a Chinese-speaking threat actor.
  • A backdoor dubbed Onedrivetools deployed against IT services companies in the U.S. and Europe. It uses the Graph API to communicate with a C&C server hosted on OneDrive, executes the commands it receives, and uploads the results to OneDrive.

“Even though exploiting cloud services for command and control is not a novel tactic, more and more attackers have begun employing it lately,” Symantec remarked, highlighting malware like BLUELIGHT, Graphite, Graphican, and BirdyClient.

“The surge in the number of actors now deploying threats that utilize cloud services indicates that espionage actors are evidently scrutinizing threats developed by other factions and emulating what they deem as fruitful techniques.”
