An unnamed South Asian media organization was targeted in November 2023 by a previously undocumented Go-based backdoor called GoGra.
In November 2023, a Go-based backdoor known as GoGra, which had not been documented before, was used to target an unidentified South Asian media company.
According to a report from Symantec, part of Broadcom, “GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services.”
It is currently unclear how GoGra is delivered to target environments. What is known is that GoGra is configured to read messages in the Outlook account “FNU LNU” whose subject begins with the word “Input.”
The message contents are decrypted with a key using AES-256 in cipher block chaining (CBC) mode, and the resulting commands are executed via cmd.exe.
The command output is then encrypted and sent back to the same user under the subject “Output.”
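The tasking loop just described (an “Input” message read from one mailbox, an encrypted “Output” reply sent back to the same user) leaves a pairing pattern in mailbox activity that a defender can hunt for. The script below is an added example, not code from Symantec's report or from GoGra itself; it assumes an invented record schema and that the AES-CBC body is base64-encoded, and runs over constructed sample records.

```python
import base64
import binascii
from datetime import datetime, timedelta

def looks_like_cbc_ciphertext(body: str) -> bool:
    """Assumption: bodies are base64. Valid base64 whose decoded length is a
    non-zero multiple of the 16-byte AES block size is treated as CBC output."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # ordinary prose (spaces, punctuation) lands here
    return len(raw) > 0 and len(raw) % 16 == 0

def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_c2_exchanges(messages, mailbox="FNU LNU", window=timedelta(minutes=30)):
    """Pair each 'Input' message in `mailbox` with the next 'Output' message within
    `window`, keeping only pairs whose bodies look encrypted. Returns tuples
    (input_ts, output_ts, input_subject), one per completed tasking."""
    msgs = sorted((m for m in messages if m["mailbox"] == mailbox),
                  key=lambda m: _parse_ts(m["ts"]))
    hits = []
    for i, m in enumerate(msgs):
        if not (m["subject"].startswith("Input")
                and looks_like_cbc_ciphertext(m["body"])):
            continue
        t0 = _parse_ts(m["ts"])
        for reply in msgs[i + 1:]:
            if _parse_ts(reply["ts"]) - t0 > window:
                break  # no result came back in time; not a completed tasking
            if (reply["subject"].startswith("Output")
                    and looks_like_cbc_ciphertext(reply["body"])):
                hits.append((m["ts"], reply["ts"], m["subject"]))
                break
    return hits

def _fake_ciphertext(n: int) -> str:
    # Constructed stand-in for an encrypted body: n arbitrary bytes, base64-encoded.
    return base64.b64encode(bytes(range(n))).decode()

# Constructed sample records; the field names are an assumed schema, not Graph's.
SAMPLE_MESSAGES = [
    {"ts": "2023-11-02T09:00:00Z", "mailbox": "FNU LNU", "subject": "Input", "body": _fake_ciphertext(48)},
    {"ts": "2023-11-02T09:01:10Z", "mailbox": "FNU LNU", "subject": "Output", "body": _fake_ciphertext(160)},
    {"ts": "2023-11-02T10:15:00Z", "mailbox": "FNU LNU", "subject": "Input", "body": "please run the report"},
    {"ts": "2023-11-02T11:00:00Z", "mailbox": "FNU LNU", "subject": "Input", "body": _fake_ciphertext(32)},
    {"ts": "2023-11-02T13:00:00Z", "mailbox": "FNU LNU", "subject": "Output", "body": _fake_ciphertext(64)},
    {"ts": "2023-11-02T11:05:00Z", "mailbox": "alice", "subject": "Input for budget", "body": _fake_ciphertext(16)},
]
```

Only the 09:00 tasking is reported: the plaintext “Input” mail and the “Output” that arrives two hours later are ignored, and a recurring cadence of such pairs in a single mailbox is the signal worth alerting on.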
GoGra is believed to be the work of the nation-state hacking group Harvester and resembles Graphon, a custom .NET implant that also uses the Graph API for C&C.
This development comes as threat actors increasingly abuse legitimate cloud services to stay under the radar and avoid investing in dedicated infrastructure.
Other new malware families that have adopted this technique include the following:
A previously undisclosed data exfiltration technique used by Firefly in a cyberattack against a Southeast Asian military institution; the collected data is uploaded to Google Drive using a hard-coded refresh token.
Grager, a new backdoor that targeted three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. It connects via the Graph API to a C&C server hosted on Microsoft OneDrive, and the activity is assessed to be linked to UNC5330, a suspected Chinese threat actor.
MoonTag, a backdoor linked to a Chinese-speaking threat actor, which is capable of communicating with the Graph API.
OneDriveTools, a backdoor used against IT service organizations in Europe and the United States. It interacts via the Graph API with a C&C server hosted on OneDrive, executes the commands it receives, and stores the results on OneDrive.
“While using cloud services for command and control is not a novel approach, it has become increasingly popular among attackers recently,” Symantec stated, citing malware such as Bluelight, Graphite, Graphican, and BirdyClient.
“The number of actors now deploying threats that leverage cloud services suggests that espionage actors are clearly studying threats created by other groups and mimicking what they perceive to be successful techniques.”