Linux GoGra Backdoor Exploits Microsoft Graph API for Stealthy Communications
A new Linux variant of the GoGra backdoor has been discovered leveraging the **Microsoft Graph API** for covert command-and-control. The malware, attributed to the **Harvester** espionage group, uses legitimate Microsoft cloud infrastructure to read and write an Outlook mailbox, so its command traffic blends into ordinary Graph API calls and is hard to separate from legitimate Microsoft 365 activity.

### GoGra Backdoor Targets Linux Systems
The **Harvester** group, believed to be state-backed, has been actively developing custom malicious tools since at least 2021. Its latest creation, a Linux variant of the GoGra backdoor, carries the Windows variant's approach over to Linux: it uses the **Microsoft Graph API** to exchange commands and results through mailbox data, which makes its network traffic difficult to distinguish from benign use of Microsoft services.
**Harvester** has historically targeted telecommunications, government, and IT organizations in South Asia using custom backdoors and loaders.
### Abusing Microsoft Graph API for Covert Operations
Researchers at **Symantec** have analyzed samples of the Linux GoGra backdoor obtained from **VirusTotal**. Their findings indicate that the malware gains initial access by tricking victims into executing ELF binaries disguised as PDF files.
Once inside the system, the Linux version of GoGra uses hardcoded **Azure Active Directory (AD)** credentials (Azure AD is now called Microsoft Entra ID) to authenticate to Microsoft's cloud and acquire OAuth2 tokens. With those tokens it can interact with Outlook mailboxes through the Microsoft Graph API.
### Technical Deep Dive
The initial stage involves a Go-based malware dropper deploying an i386 (32-bit x86) payload. Persistence is established via a `systemd` unit and an XDG autostart entry, both masquerading as the legitimate **Conky** system monitor for Linux and BSD.
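One way to hunt for this kind of persistence is to compare what an autostart entry or user unit claims to be against what it actually executes. The following is an added example written for this article, not code from Symantec's report or from the malware; the file locations, the list of "known-good" Conky binary paths and the sample entries are all assumptions, and the sample `.desktop` and unit files are constructed, not real artefacts.

```python
"""Check XDG autostart entries and user systemd units for Conky look-alikes.
Added example, not from Symantec's report; paths and the known-good list are assumptions."""
import glob
import os
import re
import shlex

# Where a distro package would install the real conky binary (assumption; adjust per distro).
KNOWN_CONKY_BINARIES = {"/usr/bin/conky", "/usr/local/bin/conky"}


def parse_ini_group(text, group):
    """Key/value pairs from one [group] of a .desktop file or systemd unit (first value wins)."""
    entry, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1] == group
            continue
        if inside and "=" in line:
            key, _, value = line.partition("=")
            entry.setdefault(key.strip(), value.strip())
    return entry


def command_binary(command):
    """First argv element of an Exec=/ExecStart= line, minus XDG field codes and systemd prefixes."""
    command = re.sub(r"%[a-zA-Z%]", "", command)   # %f %u %k ... are XDG field codes
    try:
        argv = shlex.split(command)
    except ValueError:
        return ""
    return argv[0].lstrip("-@!+:") if argv else ""   # '-', '@', '!', '+', ':' are systemd prefixes


def _assess(label, command):
    """Flag anything that calls itself Conky (by label or binary name) but runs from an unexpected path."""
    binary = command_binary(command)
    if "conky" not in (label + " " + os.path.basename(binary)).lower():
        return None            # does not claim to be Conky; out of scope for this check
    if binary in KNOWN_CONKY_BINARIES:
        return None
    return f"claims to be Conky but executes {binary or '<none>'}"


def assess_autostart(text):
    """Finding for a .desktop file whose Name/Exec disagree about Conky, else None."""
    entry = parse_ini_group(text, "Desktop Entry")
    return _assess(entry.get("Name", ""), entry.get("Exec", ""))


def assess_unit(text):
    """Same check for a systemd unit: [Unit] Description versus [Service] ExecStart."""
    desc = parse_ini_group(text, "Unit").get("Description", "")
    cmd = parse_ini_group(text, "Service").get("ExecStart", "")
    return _assess(desc, cmd)


def hunt(home=os.path.expanduser("~")):
    """Scan the usual per-user locations; returns {path: finding} for suspicious entries."""
    findings = {}
    patterns = [os.path.join(home, ".config/autostart/*.desktop"),
                os.path.join(home, ".config/systemd/user/*.service")]
    for pattern in patterns:
        for path in glob.glob(pattern):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            check = assess_autostart if path.endswith(".desktop") else assess_unit
            result = check(text)
            if result:
                findings[path] = result
    return findings


# Constructed samples (hypothetical, not artefacts from the report).
LEGIT_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky
Exec=/usr/bin/conky -d
"""
FAKE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Conky System Monitor
Exec=/home/user/.local/share/conky/conky %U
Hidden=false
"""
FAKE_UNIT = """[Unit]
Description=Conky system monitor

[Service]
ExecStart=-/home/user/.cache/.conky/conky
Restart=always

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    for label, text, check in (("legit", LEGIT_DESKTOP, assess_autostart),
                               ("fake desktop", FAKE_DESKTOP, assess_autostart),
                               ("fake unit", FAKE_UNIT, assess_unit)):
        print(label, "->", check(text))
    print(hunt())
```

The check is deliberately narrow: it only looks at entries that present themselves as Conky, and treats any binary outside the packaged locations as worth a look. Extend `KNOWN_CONKY_BINARIES` for Flatpak or locally built installs, and scan the system-wide `/etc/xdg/autostart` and `/etc/systemd/system` directories as well if the dropper ran with elevated privileges.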
The malware checks an Outlook mailbox folder named "Zomato Pizza" every two seconds. It uses OData query filters on the Graph API to pick out incoming emails whose subject lines start with "Input".
The contents of these messages, which are base64-encoded and AES-CBC-encrypted, are decrypted and executed locally. The results of these executions are then AES-encrypted and sent back to the operator via reply emails with the subject βOutput.β
To further reduce its footprint, the malware issues a Graph API HTTP DELETE request to remove the original command email once it has been processed, so the mailbox never accumulates a visible command history.
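The polling cadence, the OData filter on the subject line and the follow-up DELETE together form a recognisable pattern in any telemetry that records the full request URL (a TLS-inspecting web proxy, or Graph activity logs in a tenant you control). The following is an added example of that detection logic, written for this article and not taken from Symantec's research; the proxy log format (`timestamp client method url`), the thresholds and the sample lines are all assumptions, and the log is constructed rather than captured from a real infection.

```python
"""Spot GoGra-style mailbox polling over Microsoft Graph in web-proxy logs.
Added example, not Symantec's tooling. Log format and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

GRAPH_HOST = "graph.microsoft.com"
POLL_INTERVAL_MAX = 5.0   # seconds; the Linux GoGra sample polls every two seconds
MIN_POLLS = 5             # assumption: enough polls to measure a cadence

MESSAGES_RE = re.compile(r"/mailFolders/[^/]+/messages(?:/|$)")
DELETE_RE = re.compile(r"/messages/[^/?]+$")
INPUT_FILTER_RE = re.compile(r"startswith\(\s*subject\s*,\s*'Input'\s*\)", re.IGNORECASE)

# Constructed sample in a hypothetical "timestamp client method url" proxy format.
# 10.0.0.7 shows the GoGra pattern; 10.0.0.9 is a benign mail client polling once a minute.
SAMPLE_LOG = """\
2025-01-10T09:00:00Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/AAMk/messages?%24filter=startswith(subject%2C'Input')
2025-01-10T09:00:02Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/AAMk/messages?%24filter=startswith(subject%2C'Input')
2025-01-10T09:00:04Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/AAMk/messages?%24filter=startswith(subject%2C'Input')
2025-01-10T09:00:06Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/AAMk/messages?%24filter=startswith(subject%2C'Input')
2025-01-10T09:00:08Z 10.0.0.7 GET https://graph.microsoft.com/v1.0/users/ops@example.com/mailFolders/AAMk/messages?%24filter=startswith(subject%2C'Input')
2025-01-10T09:00:09Z 10.0.0.7 POST https://graph.microsoft.com/v1.0/users/ops@example.com/messages/AQMk001/reply
2025-01-10T09:00:09Z 10.0.0.7 DELETE https://graph.microsoft.com/v1.0/users/ops@example.com/messages/AQMk001
2025-01-10T09:00:00Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?%24top=10
2025-01-10T09:01:00Z 10.0.0.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages?%24top=10
"""


def parse_log(text):
    """Parse lines into (timestamp, client, method, path, query); skip malformed or non-Graph lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts_str, client, method, url = parts
        try:
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        u = urlsplit(url)
        if u.hostname != GRAPH_HOST:
            continue
        records.append((ts, client, method.upper(), u.path, u.query))
    return records


def analyze(records):
    """Per client: count subject-filtered polls, replies and deletes, and the median poll gap."""
    by_client = defaultdict(lambda: {"polls": [], "deletes": 0, "replies": 0})
    for ts, client, method, path, query in records:
        stats = by_client[client]
        if method == "GET" and MESSAGES_RE.search(path):
            # parse_qs percent-decodes both the "$filter" key and its value
            filt = parse_qs(query).get("$filter", [""])[0]
            if INPUT_FILTER_RE.search(filt):
                stats["polls"].append(ts)
        elif method == "DELETE" and DELETE_RE.search(path):
            stats["deletes"] += 1
        elif method == "POST" and path.endswith("/reply"):
            stats["replies"] += 1

    findings = {}
    for client, stats in by_client.items():
        polls = sorted(stats["polls"])
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        # Flag only when all three traits line up: tight polling, the 'Input' filter, and deletes.
        suspicious = (len(polls) >= MIN_POLLS
                      and median_gap is not None
                      and median_gap <= POLL_INTERVAL_MAX
                      and stats["deletes"] > 0)
        findings[client] = {"polls": len(polls), "median_gap": median_gap,
                            "deletes": stats["deletes"], "replies": stats["replies"],
                            "suspicious": suspicious}
    return findings


if __name__ == "__main__":
    for client, result in analyze(parse_log(SAMPLE_LOG)).items():
        print(client, result)
```

Two caveats on where this can run. A proxy only sees the path and query string if it terminates TLS; without inspection it sees nothing beyond the SNI `graph.microsoft.com`, which is indistinguishable from normal Microsoft 365 traffic. And because the backdoor authenticates with credentials baked into the binary, if those belong to an attacker-controlled tenant the victim's own Entra ID sign-in and Graph activity logs will show nothing at all, leaving endpoint telemetry and network egress as the only vantage points.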
### Codebase Similarities Point to Harvester
**Symantec** notes that the Linux variant of GoGra shares a nearly identical codebase with the Windows version, including typos in strings and function names, as well as the same AES key. This strongly suggests that both malware variants were created by the same developer, further solidifying the attribution to the **Harvester** threat group.
The emergence of a Linux GoGra variant signals that **Harvester** is expanding its toolset beyond Windows and broadening its targeting to cover Linux hosts in the same sectors.