Harvester's GoGra Backdoor Exploits Microsoft Graph API for Linux Targets

The threat actor known as Harvester is deploying a new Linux variant of its GoGra backdoor, specifically targeting entities in South Asia. The malware’s ingenuity lies in its command-and-control (C2) infrastructure, which leverages legitimate Microsoft Graph API and Outlook mailboxes. This sophisticated approach allows GoGra to blend in with normal network traffic, effectively bypassing traditional security perimeters and detection methods.

The Hacker News reports that this technique provides a covert channel for the attackers, making it significantly harder for defenders to identify and disrupt their operations. The reliance on cloud services like Microsoft Graph API highlights a growing trend where threat actors exploit trusted platforms for malicious purposes, posing a substantial challenge to current security postures.

What This Means For You

  • If your organization utilizes Linux systems and has exposure to South Asia, audit your Microsoft Graph API usage and Outlook mailbox activity for any suspicious connections or data exfiltration patterns. Pay close attention to unusual API calls or login activities originating from or targeting the region.
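As an added illustration of the audit suggested above (not code from the article or from any vendor), the script below walks constructed egress-proxy log lines and groups Microsoft Graph mailbox calls made from Linux hosts by process and user agent, dropping traffic from mail clients you expect to see. The log format, the Graph mail endpoints and the known-client list are assumptions; the article does not state which Graph calls GoGra makes.

```python
import re
from collections import defaultdict

# Constructed egress-proxy log lines (assumed format):
# timestamp os hostname process user_agent method url
SAMPLE_LOGS = """\
2024-08-05T10:01:02Z linux build-srv-07 /usr/bin/evolution Evolution/3.48 GET https://graph.microsoft.com/v1.0/me/messages
2024-08-05T10:01:09Z linux build-srv-07 /tmp/.cache/gg Go-http-client/1.1 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?$top=10
2024-08-05T10:01:15Z linux build-srv-07 /tmp/.cache/gg Go-http-client/1.1 POST https://graph.microsoft.com/v1.0/me/sendMail
2024-08-05T10:02:00Z windows ws-finance-3 outlook.exe Outlook/16.0 GET https://graph.microsoft.com/v1.0/me/messages
2024-08-05T10:03:30Z linux web-01 /usr/bin/curl curl/8.4.0 GET https://graph.microsoft.com/v1.0/users
"""

# Graph mailbox endpoints (assumption: a mailbox-based C2 has to read and write
# mail, so these are the calls worth baselining; the article names no endpoints).
MAIL_PATH = re.compile(r"^/v1\.0/(?:me|users/[^/]+)/(messages|mailFolders|sendMail)\b")
GRAPH_HOST = "graph.microsoft.com"
# User-agent prefixes of mail clients expected on managed hosts (tune per estate).
KNOWN_MAIL_CLIENTS = ("Evolution/", "Thunderbird/", "Outlook/")

def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    parts = line.split(" ", 6)
    if len(parts) != 7:
        return None
    ts, os_name, host, proc, ua, method, url = parts
    m = re.match(r"https?://([^/]+)(/[^?]*)", url)
    if not m:
        return None
    return {"ts": ts, "os": os_name, "host": host, "proc": proc, "ua": ua,
            "method": method, "http_host": m.group(1), "path": m.group(2)}

def find_graph_mail_anomalies(log_text, os_filter="linux"):
    """Group Graph mailbox calls by (host, process, user agent) for hosts of the
    given OS, dropping traffic from known mail clients. Returns a sorted list of
    (host, process, user_agent, reads, sends)."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["os"] != os_filter or rec["http_host"] != GRAPH_HOST:
            continue
        if not MAIL_PATH.match(rec["path"]) or rec["ua"].startswith(KNOWN_MAIL_CLIENTS):
            continue
        key = (rec["host"], rec["proc"], rec["ua"])
        counts[key][1 if rec["method"] == "POST" else 0] += 1
    return sorted((h, p, u, r, s) for (h, p, u), (r, s) in counts.items())

if __name__ == "__main__":
    for host, proc, ua, reads, sends in find_graph_mail_anomalies(SAMPLE_LOGS):
        print(f"{host}: {proc} ({ua}) read mail {reads}x, sent mail {sends}x")
```

On the constructed sample only the unknown binary under /tmp surfaces; a real run would feed the same function your proxy or EDR network logs after mapping them to the assumed fields.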

Related ATT&CK Techniques

  • T1071.001 (Command and Control), severity critical: GoGra Backdoor - Microsoft Graph API C2 Communication
