South Asian orgs face escalating risks from GoGra malware

August 8, 2024
GoGra Malware South Asia Cyberthreats Hackers

In November 2023, a South Asian media organisation was targeted by a sophisticated cyberattack involving a newly discovered backdoor malware named GoGra. This malware, written in Go, utilises the Microsoft Graph API to interact with a command-and-control server hosted on Microsoft’s mail services, representing an advanced form of cyber intrusion.

GoGra’s precise delivery mechanism is still unknown. Once installed, GoGra works by gaining access to emails from an Outlook account that has the username “FNU LNU.” It focuses on emails whose subject line is “Input” and decrypts them using AES-256 in Cipher Block Chaining (CBC) mode. After decryption, it uses `cmd.exe` to carry out the commands, encrypts the output, and sends it back to the same Outlook account with the subject “Output.”
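The relay pattern described above (a mailbox polled for “Input” messages, a result sent back as “Output”) is something a defender can hunt for in mailbox audit data. The following is an added example, not code from the original article or from the researchers it cites: it parses a handful of constructed, simplified mailbox audit records (the field names, the mailbox address and the client names are assumptions, not the real Microsoft 365 audit schema) and flags any mailbox where an exact-subject “Input” read is followed within a short window by an exact-subject “Output” send from a non-interactive client, repeated enough times to look like a polling loop rather than ordinary mail.

```python
"""Detection sketch for the mailbox-relay C&C pattern (added example).

The records below are constructed and simplified; they are NOT the real
Microsoft 365 audit-log schema. Each one records who touched which mailbox,
whether the message was read or sent, its subject, and the client app.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events. The mailbox address is a made-up stand-in for
# the "FNU LNU" account named in the article; "custom-app" is a hypothetical
# non-interactive client identifier.
SAMPLE_EVENTS = """
{"ts": "2023-11-02T08:00:01Z", "mailbox": "fnu.lnu@example.test", "op": "read", "subject": "Input", "client": "custom-app"}
{"ts": "2023-11-02T08:00:04Z", "mailbox": "fnu.lnu@example.test", "op": "send", "subject": "Output", "client": "custom-app"}
{"ts": "2023-11-02T08:05:02Z", "mailbox": "fnu.lnu@example.test", "op": "read", "subject": "Input", "client": "custom-app"}
{"ts": "2023-11-02T08:05:06Z", "mailbox": "fnu.lnu@example.test", "op": "send", "subject": "Output", "client": "custom-app"}
{"ts": "2023-11-02T08:10:03Z", "mailbox": "fnu.lnu@example.test", "op": "read", "subject": "Input", "client": "custom-app"}
{"ts": "2023-11-02T08:10:07Z", "mailbox": "fnu.lnu@example.test", "op": "send", "subject": "Output", "client": "custom-app"}
{"ts": "2023-11-02T09:12:00Z", "mailbox": "alice@example.test", "op": "read", "subject": "Input data for Q4", "client": "Outlook"}
{"ts": "2023-11-02T09:40:00Z", "mailbox": "alice@example.test", "op": "send", "subject": "Output of the meeting", "client": "Outlook"}
"""

# Assumption: names under which sanctioned, human-driven mail clients appear.
INTERACTIVE_CLIENTS = {"Outlook", "OWA"}


def parse_events(text):
    """Parse newline-delimited JSON records and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_relay_mailboxes(events, max_gap=timedelta(seconds=60), min_pairs=2):
    """Return {mailbox: pair_count} for mailboxes showing the relay pattern.

    A "pair" is a read of a message whose subject is exactly "Input",
    followed within max_gap by a send whose subject is exactly "Output",
    both from a non-interactive client. Exact matching keeps ordinary mail
    such as "Input data for Q4" from counting.
    """
    by_mailbox = defaultdict(list)
    for e in events:
        by_mailbox[e["mailbox"]].append(e)

    flagged = {}
    for mailbox, evs in by_mailbox.items():
        pairs = 0
        pending_read = None  # timestamp of the last unanswered "Input" read
        for e in evs:
            if e["client"] in INTERACTIVE_CLIENTS:
                continue
            if e["op"] == "read" and e["subject"] == "Input":
                pending_read = e["ts"]
            elif e["op"] == "send" and e["subject"] == "Output" and pending_read is not None:
                if e["ts"] - pending_read <= max_gap:
                    pairs += 1
                pending_read = None
        if pairs >= min_pairs:
            flagged[mailbox] = pairs
    return flagged


if __name__ == "__main__":
    for mailbox, count in find_relay_mailboxes(parse_events(SAMPLE_EVENTS)).items():
        print(f"{mailbox}: {count} Input/Output relay pairs from a non-interactive client")
```

The thresholds (`max_gap`, `min_pairs`) and the client allow-list are tuning knobs: the point of the check is the combination of exact marker subjects, a tight read-then-send cadence and an application rather than a person driving the mailbox, since any one of those alone is common in legitimate mail flow.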


Researchers identify connections between GoGra malware, another malicious implant, and a nation-state group.


Researchers compare GoGra to an earlier .NET implant called Graphon, which similarly exploits the Microsoft Graph API for C&C. They also link this malware to a nation-state hacking group called Harvester. This development is indicative of a larger pattern among hackers, who are using reputable cloud services more frequently to hide their activities and avoid the need for specialised infrastructure.

Apart from GoGra, there are a few more malware families that have been discovered using similar strategies. A military organisation in Southeast Asia was the target of a hack utilising Firefly, a previously unidentified data exfiltration tool. Stolen data was transferred to Google Drive using a hard-coded refresh token. In April 2024, a noteworthy new threat surfaced called Grager, which targeted organisations located in Taiwan, Hong Kong, and Vietnam.

This backdoor is thought to be associated with the Chinese threat actor UNC5330. It uses the Microsoft Graph API to communicate with a C&C server located on OneDrive. OneDrive is also utilised for C&C operations by the Chinese threat actor Onedrivetools, which has been connected to MoonTag, a backdoor with Graph API functionality that has targeted IT services companies in the U.S. and Europe.

Although leveraging cloud services for command and control is not a novel tactic, its use is becoming more common. More examples of this pattern can be found in malware like BLUELIGHT, Graphite, Graphican, and BirdyClient. The emergence of cloud-based C&C strategies highlights the changing nature of cyber risks as it shows that espionage actors are closely monitoring and copying popular tactics employed by other cybercriminal groups.
