Harvester APT Deploys Linux Variant of GoGra Backdoor via Microsoft Graph API, Outlook Mailboxes

In a significant pivot for cyber espionage tactics, security researchers have uncovered a Linux-compatible variant of the GoGra backdoor. This new iteration is being weaponized by the Harvester APT group, a suspected nation-state actor known for conducting highly targeted operations across South Asia since at least 2021.

While Harvester’s previous campaigns were predominantly focused on the Windows ecosystem, the emergence of this Linux binary signals a strategic expansion in their cross-platform capabilities. This evolution allows the group to target a wider array of server environments and specialized workstations that may lack the robust endpoint detection and response (EDR) often found on Windows machines.

Technical analysis from Symantec and Carbon Black reveals a sophisticated Command-and-Control (C2) architecture that bypasses traditional network perimeter defenses by leveraging Microsoft Graph API and Outlook mailboxes as a covert communication layer.

Anatomy of the Initial Infection Vector

While no definitive breach victims have been openly confirmed, telemetry from VirusTotal shows that initial malware samples are heavily concentrated in India and Afghanistan. This suggests a tightly scoped regional intelligence-gathering mission. The infection chain relies on sophisticated social engineering, utilizing deceptive file naming conventions to bypass human intuition.

The attackers employ a “double extension” trick, often inserting a leading space before the actual file extension to trick the Linux desktop environment into displaying a benign icon. For example, a file named "Document .pdf" may actually be a functional ELF (Executable and Linkable Format) binary.

The lures are highly localized and context-aware, including:

  • Zomato Pizza-themed files: Targeting the lifestyle habits of users in India.
  • Religious/Travel lures: Such as "umrah.pdf" to exploit seasonal travel trends.
  • Political/Administrative lures: Files like "TheExternalAffairesMinister. pdf" to target government officials.

Upon execution, the Go-based dropper initiates a “decoy” process, rendering a legitimate-looking PDF or ODT file to the user. Meanwhile, in the background, it deploys a 5.9 MB payload and establishes persistence by writing to ~/.config/systemd/user/userservice. To ensure survival across reboots, it installs a systemd service and an XDG autostart entry, masquerading as the popular “Conky” system monitor.

Living off the Cloud: Outlook as a Covert C2

The most technically impressive—and dangerous—aspect of the GoGra Linux variant is its “Living off the Cloud” approach to C2 communications. Rather than communicating with a suspicious IP address or a known malicious domain, the malware utilizes hardcoded Azure Active Directory credentials to authenticate directly with Microsoft’s cloud infrastructure.

The malware performs high-frequency polling of a specific Outlook folder named "Zomato Pizza". Utilizing OData queries, it checks the mailbox every two seconds for incoming messages with subjects beginning with the string "Input".

The Communication Lifecycle:

  1. Command Ingestion: The attacker sends an email containing an encrypted payload.
  2. Decryption: The malware decrypts the message using AES-CBC encryption and Base64 encoding.
  3. Execution: The decrypted command is passed directly to the Linux shell for execution.
  4. Exfiltration: The output of the command is encrypted and sent back to the attacker via a new email with the subject "Output".
  5. Self-Sanitization: To minimize the forensic footprint, the malware immediately deletes the original command email after processing.

Code similarity analysis confirms that the Linux and Windows versions of GoGra are sibling variants. Researchers detected identical hardcoded encryption keys and, perhaps most tellingly, identical “developer typos”—specific spelling errors in function names and string constants—that serve as a digital fingerprint linking both versions to the same development source.

The expansion of GoGra into the Linux domain represents a maturing threat profile for the Harvester APT. By blending malicious activity into the massive stream of legitimate Microsoft Graph API traffic, the group has created a highly resilient stealth mechanism that poses a significant challenge for traditional signature-based and anomaly-based detection systems.

Related Articles

Back to top button