The Harvester APT group has made significant strides in enhancing its spying capabilities by introducing a new Linux variant of its notorious GoGra backdoor. This latest development cleverly utilizes Microsoft Outlook mailboxes to hide its command-and-control (C2) traffic, making it considerably more challenging for traditional network defenses to identify and neutralize the threat.
This discovery comes from researchers at Symantec and the Carbon Black Threat Hunter Team, who have expertly traced the malware back to a previously recognized Windows-based Harvester campaign. This link underscores the group’s growing proficiency in cross-platform operations, thereby extending its range of attack vectors.
The initial phase of these attacks relies heavily on social engineering tactics. Victims are ensnared through deceptively named documents, such as “TheExternalAffairesMinister.pdf” and “Zomato Pizza,” which reference the well-known Indian food delivery service, Zomato. By crafting these familiar and relatable filenames, the Harvester group increases the likelihood that unsuspecting users will open the documents, thereby executing the malicious payload.
Once opened, the attack is delivered via a Go-based dropper that executes a 5.9 MB executable specifically designed for Linux environments, targeting i386 architecture. This executable writes its malicious payload to the ~/.config/systemd/user/userservice directory. To ensure its continued operation, the malware establishes persistence by creating a systemd user unit alongside an XDG autostart entry. Interestingly, it masquerades as the legitimate Conky Linux system monitor, further complicating detection efforts.
### Outlook Mailboxes Abused
GoGra’s modus operandi is notably alarming because it abuses Microsoft’s own infrastructure to carry out its objectives. The implant contains hardcoded credentials for Azure Active Directory, including a tenant ID, client ID, and client secret. This allows it to authenticate silently using OAuth2 and to communicate through a designated folder within Outlook mailboxes labeled “Zomato Pizza.”
Every two seconds, the backdoor polls this folder for emails whose subjects start with the word “Input.” Commands received in these emails are decrypted with AES-CBC and executed through the shell using `/bin/bash -c`. The results of these commands are then encrypted and sent back to the attacker under the subject line “Output.” Finally, to cover its tracks, the backdoor deletes the original message by sending an HTTP DELETE request, removing that trace of its activity from the mailbox.
Despite the differences in the operating systems targeted, the Linux and Windows versions of GoGra exhibit a strikingly similar codebase, sharing the same AES encryption key (b14ca5898a4e4133bbce2ea2315a1916) and identical typographical errors within function names like ExecuteCommand and DeleteMessage. This strongly indicates that a single developer is behind the creation of both malware variants. The primary distinctions lie in their architecture and operational timing: the Linux variant is crafted for i386 and polls every two seconds, while the Windows version operates with an x64 DLL and allows a five-minute delay in response to HTTP 204 status codes.
Initial submissions regarding the malware on VirusTotal were traced back to India and Afghanistan, corroborating the historical focus of the Harvester group on South Asia. The use of decoy documents that reference Indian cultural and political themes illustrates a highly targeted approach to espionage, likely aimed at specific government and enterprise entities within those regions.
Harvester is believed to be a threat actor backed by a nation-state, operational since at least 2021. Given the sophisticated nature of their techniques and the tailored content of their attacks, organizations—especially those in government and enterprise sectors within South Asia—are urged to remain vigilant. It is recommended that they monitor for unusual authentication patterns related to Microsoft Graph API, conduct thorough audits of OAuth2 app registrations, and take measures to block unauthorized ELF binaries that might disguise themselves as legitimate document files.
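As an added illustration of the host-side hunt this guidance implies (not code from the Symantec report or the malware itself), the script below walks a user's `~/.config/systemd/user` and `~/.config/autostart` entries and flags any whose `Exec`/`ExecStart` target is an ELF stored under `~/.config`, the location the report gives for the payload; the fixture's payload filename `conky` inside the `userservice` directory is an assumption, as is the fake ELF header it writes.

```python
import os
import re
import tempfile
ELF_MAGIC = b"\x7fELF"

def _exec_target(path):
    # First token of Exec= (.desktop) or ExecStart= (systemd unit), prefix chars stripped.
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = re.match(r"^\s*(Exec|ExecStart)\s*=\s*(\S+)", line)
            if m:
                return os.path.expanduser(m.group(2).lstrip("-@:+!"))
    return None

def _is_elf(path):
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return fh.read(4) == ELF_MAGIC

def find_suspicious_autostarts(home):
    """Flag user persistence entries whose launch target is an ELF stored under ~/.config."""
    config = os.path.join(home, ".config")
    findings = []
    for sub in ("systemd/user", "autostart"):
        d = os.path.join(config, sub)
        for name in sorted(os.listdir(d)) if os.path.isdir(d) else []:
            entry = os.path.join(d, name)
            if not os.path.isfile(entry):
                continue
            target = _exec_target(entry)
            if target and target.startswith(config + os.sep) and _is_elf(target):
                findings.append((entry, target))
    return findings

def build_sample_home():
    """Constructed fixture mirroring the reported layout; the payload filename 'conky' is assumed."""
    home = tempfile.mkdtemp()
    sysd = os.path.join(home, ".config", "systemd", "user")
    auto = os.path.join(home, ".config", "autostart")
    os.makedirs(os.path.join(sysd, "userservice"))
    os.makedirs(auto)
    payload = os.path.join(sysd, "userservice", "conky")
    with open(payload, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # fake ELF header, nothing else
    with open(os.path.join(sysd, "conky.service"), "w") as fh:
        fh.write(f"[Unit]\nDescription=Conky\n[Service]\nExecStart={payload}\n")
    with open(os.path.join(auto, "conky.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nName=Conky\nExec=/usr/bin/conky\n")  # benign path, not flagged
    return home
```

Run `find_suspicious_autostarts(os.path.expanduser("~"))` on a real account to list entries worth a closer look; a hit is a lead, not a verdict, since some legitimate user-installed tools also live under `~/.config`.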
For organizations seeking updated detection signatures to counter this evolving threat, referencing the Symantec Protection Bulletin is highly advisable. The ongoing cat-and-mouse game between cybersecurity professionals and sophisticated threat actors underscores the necessity for continuous vigilance and advanced defensive measures in today’s digital landscape.