Symantec researchers found a Linux variant of the GoGra backdoor that uses hardcoded Azure AD credentials and the Microsoft Graph API to stealthily pull commands from an Outlook mailbox. Developed by the state-linked Harvester group, the backdoor persists via a systemd unit and an XDG autostart entry. It reads base64-encoded, AES-CBC-encrypted commands from a “Zomato Pizza” mail folder (subject “Input”), executes them, returns AES-encrypted results in a reply with subject “Output”, and deletes the original command emails. #GoGra #Harvester
Keypoints
- Linux GoGra variant uses Microsoft Graph API and hardcoded Azure AD credentials to access an Outlook mailbox.
- Initial access is via ELF binaries disguised as PDFs and a Go-based dropper that deploys an i386 payload.
- Persistence is achieved through systemd and an XDG autostart entry masquerading as the Conky system monitor.
- The malware polls a “Zomato Pizza” folder for emails whose subjects start with “Input”, base64-decodes and AES-CBC-decrypts the command, executes it, replies with AES-encrypted results under the subject “Output”, and deletes the original emails.
- Nearly identical code, typos, and AES key link the Linux and Windows GoGra samples to the Harvester espionage group targeting South Asian telecom, government, and IT organizations.
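The two host-side artefacts described above (ELF payloads carrying a PDF extension, and an XDG autostart entry dressed up as Conky) are cheap to hunt for on a Linux endpoint. The script below is an added triage example written for this page, not Symantec's tooling or code from the report. It assumes that a legitimate Conky install lives at a package path such as /usr/bin/conky (KNOWN_CONKY_BINARIES is our assumption, not a detail from the report), and the files it scans are constructed samples written to a temporary directory; the real backdoor's file names, paths and .desktop contents are not given on the page and are not reproduced here.

```python
import os
import shutil
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt"}
# Assumed package locations of a genuine Conky binary (our heuristic, not from the report).
KNOWN_CONKY_BINARIES = {"/usr/bin/conky", "/usr/local/bin/conky"}


def is_disguised_elf(path):
    """True when a file has a document extension but begins with the ELF magic bytes."""
    p = Path(path)
    if p.suffix.lower() not in DOC_EXTENSIONS:
        return False
    with p.open("rb") as f:
        return f.read(4) == ELF_MAGIC


def scan_files_for_disguised_elf(root):
    """Walk a directory and return every document-looking file that is really an ELF."""
    return [str(p) for p in sorted(Path(root).rglob("*")) if p.is_file() and is_disguised_elf(p)]


def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group of an XDG .desktop file into a dict of key -> value."""
    keys = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def conky_masquerade(entry):
    """Return a finding if an autostart entry presents itself as Conky but launches a
    binary outside KNOWN_CONKY_BINARIES; bare command names are resolved via PATH."""
    exec_line = entry.get("Exec", "")
    if not exec_line:
        return None
    binary = exec_line.split()[0]
    claims_conky = ("conky" in entry.get("Name", "").lower()
                    or "conky" in os.path.basename(binary).lower())
    if not claims_conky:
        return None
    resolved = binary if "/" in binary else (shutil.which(binary) or binary)
    if resolved not in KNOWN_CONKY_BINARIES:
        return f"autostart entry claims Conky but launches {binary}"
    return None


def scan_autostart_dir(autostart_dir):
    """Return (file name, finding) pairs for suspicious .desktop files in an autostart dir."""
    findings = []
    for path in sorted(Path(autostart_dir).glob("*.desktop")):
        hit = conky_masquerade(parse_desktop_entry(path.read_text(errors="replace")))
        if hit:
            findings.append((path.name, hit))
    return findings


def build_constructed_samples(base):
    """Write constructed sample artefacts (ours, not real GoGra files) under base/."""
    base = Path(base)
    downloads = base / "Downloads"
    autostart = base / ".config" / "autostart"
    downloads.mkdir(parents=True)
    autostart.mkdir(parents=True)
    # An ELF header hiding behind a .pdf extension, and a genuine-looking PDF.
    (downloads / "invoice.pdf").write_bytes(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 13)
    (downloads / "report.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
    # Autostart entry named Conky but pointing into the user's home directory.
    (autostart / "conky.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky\n"
        "Exec=/home/user/.local/share/conky/conky -d\nHidden=false\n")
    # Benign entries: unrelated applet, and Conky launched from its package path.
    (autostart / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n")
    (autostart / "real-conky.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky\nExec=/usr/bin/conky -c ~/.conkyrc\n")
    return base


def run_demo():
    """Build the samples in a temp dir and return (disguised ELF paths, autostart findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_constructed_samples(tmp)
        elf_hits = [os.path.relpath(p, base) for p in scan_files_for_disguised_elf(base / "Downloads")]
        return elf_hits, scan_autostart_dir(base / ".config" / "autostart")


if __name__ == "__main__":
    elf_hits, autostart_hits = run_demo()
    print("disguised ELF files:", elf_hits)
    print("suspicious autostart entries:", autostart_hits)
```

On a real host, point scan_files_for_disguised_elf at download and temp directories and scan_autostart_dir at ~/.config/autostart and /etc/xdg/autostart; the same Exec-path check is worth applying to ExecStart= lines in ~/.config/systemd/user/*.service, since the report names both persistence mechanisms.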