

August 8, 2024
Severity
High
Analysis Summary
In November 2023, an unidentified South Asian media outlet was targeted with GoGra, a previously unreported Go-based backdoor.
GoGra is a Go program that communicates with a command-and-control (C&C) server hosted on Microsoft mail services via the Microsoft Graph API. It is currently unclear how GoGra is delivered to target environments. What is known is that GoGra is configured to read messages from the Outlook user "FNU LNU" that begin with the word "Input."
Cybersecurity researchers report that, after the message contents are decrypted with a key using AES-256 in Cipher Block Chaining (CBC) mode, the commands are executed through cmd.exe. The results of the operation are then encrypted and sent back to the same user under the heading "Output." GoGra's resemblance to Graphon, a custom .NET implant that also uses the Graph API for C&C, has led to the theory that it is the work of the nation-state threat group Harvester.
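The tasking pattern described above (operator mailbox "FNU LNU", messages prefixed "Input"/"Output", AES-encrypted bodies) can be hunted for in a mailbox export. The following is an added example written for this advisory, not the researchers' or the vendor's own tooling; it assumes messages in the shape returned by the Microsoft Graph messages endpoint, uses constructed samples, and the entropy threshold is an assumption.

```python
"""Hunt a Graph-API mailbox export for GoGra-style C&C messages (added example)."""
import base64
import math
from collections import Counter

# Values taken from the advisory: the operator mailbox display name and prefixes.
OPERATOR_DISPLAY_NAME = "FNU LNU"
TASKING_PREFIXES = ("Input", "Output")
# Assumed threshold: base64 of AES ciphertext scores ~5.9 bits/char,
# ordinary English prose ~4.0-4.5.
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_gogra_tasking(msg: dict) -> list:
    """Return the indicators matched by one Graph message resource."""
    reasons = []
    sender = msg.get("from", {}).get("emailAddress", {}).get("name", "")
    subject = msg.get("subject") or ""
    body = msg.get("body", {}).get("content") or ""
    if sender == OPERATOR_DISPLAY_NAME:
        reasons.append("sender display name matches operator mailbox")
    if subject.startswith(TASKING_PREFIXES):
        reasons.append("subject begins with a tasking keyword")
    if shannon_entropy(body.strip()) >= ENTROPY_THRESHOLD:
        reasons.append("body is high-entropy (encrypted payload?)")
    return reasons


def hunt(messages: list) -> list:
    """Keep messages matching at least two indicators, with their reasons."""
    hits = []
    for msg in messages:
        reasons = looks_like_gogra_tasking(msg)
        if len(reasons) >= 2:
            hits.append({"id": msg.get("id"), "reasons": reasons})
    return hits


# Constructed samples: one benign mail and one shaped like a GoGra task.
CIPHERTEXT_B64 = base64.b64encode(bytes(range(256))).decode()  # stands in for AES output
SAMPLE_MESSAGES = [
    {"id": "msg-1", "subject": "Quarterly report",
     "from": {"emailAddress": {"name": "Finance Team", "address": "finance@example.com"}},
     "body": {"contentType": "text", "content": "Hi, please find the Q2 numbers attached. Thanks!"}},
    {"id": "msg-2", "subject": "Input",
     "from": {"emailAddress": {"name": "FNU LNU", "address": "operator@example.com"}},
     "body": {"contentType": "text", "content": CIPHERTEXT_B64}},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_MESSAGES):
        print(hit["id"], "->", "; ".join(hit["reasons"]))
```

Requiring two indicators keeps a single "Input" subject from a legitimate sender from firing; a full deployment would also alert on the reply direction ("Output" messages leaving the tenant).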
This development comes at a time when threat actors increasingly abuse legitimate cloud services to remain covert and avoid investing in dedicated infrastructure. Other recently observed malware families that use this technique include:
- A previously undocumented data exfiltration tool used by Firefly in a cyberattack against a military organization in Southeast Asia. A hard-coded refresh token is used to upload the collected data to Google Drive.
- In April 2024, three organizations in Taiwan, Hong Kong, and Vietnam were targeted by a new backdoor called Grager. It connects to a C&C server hosted on Microsoft OneDrive via the Graph API. The activity is assessed to be linked to UNC5330, a suspected Chinese threat actor.
- A backdoor identified as MoonTag, linked to a Chinese-speaking threat actor, is capable of communicating with the Graph API.
- Onedrivetools is a backdoor that has been used against IT service organizations in Europe and the United States. It interacts with a C&C server hosted on OneDrive via the Graph API to execute the commands it receives and stores the results on OneDrive.
While using cloud services for command and control is not a novel tactic, attackers have been employing it more frequently of late. The number of actors now using cloud-based C&C suggests that espionage threat actors are watching other groups' operations and copying techniques they consider effective.
Impact
- Unauthorized Access
- Command Execution
- Information Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Stay vigilant and follow cybersecurity best practices to protect systems and data, including regularly updating software, enforcing strong access controls, and deploying monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.