Full Report
A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery. [...]
Analysis Summary
# Tool/Technique: GoGra (Linux Variant)
## Overview
GoGra is a sophisticated backdoor written in Go (Golang) that leverages legitimate Microsoft infrastructure for Command and Control (C2). By utilizing the Microsoft Graph API to communicate through an Outlook mailbox, the malware effectively masks its malicious traffic as legitimate encrypted HTTPS requests to known Microsoft services, making detection through network traffic analysis extremely difficult.
## Technical Details
- **Type:** Malware Family (Backdoor/Dropper)
- **Platform:** Linux (i386)
- **Capabilities:** Command execution, C2 via Graph API, automated cleanup, persistence.
- **First Seen:** Analysis reported April 2026 (Threat actor active since 2021).
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1543.002 - Create or Modify System Process: Systemd Service
  - T1547.013 - Boot or Logon Autostart Execution: XDG Autostart Entries
- **TA0005 - Defense Evasion**
  - T1036.005 - Masquerading: Match Legitimate Name or Location (Disguised as Conky)
  - T1070 - Indicator Removal on Host (HTTP DELETE of command emails)
- **TA0011 - Command and Control**
  - T1102.002 - Web Service: Bidirectional Communication (Microsoft Graph API)
  - T1573.001 - Encrypted Channel: Symmetric Cryptography (AES-CBC)
## Functionality
### Core Capabilities
- **C2 via Microsoft Graph:** Uses hardcoded Azure AD credentials and OAuth2 tokens to interact with an Outlook inbox.
- **Mailbox Monitoring:** Checks an Outlook folder (specifically named “Zomato Pizza”) every two seconds for specific triggers.
- **Command Processing:** Identifies emails starting with the subject "Input," decrypts base64/AES-CBC content, and executes the payload locally.
- **Data Exfiltration:** Encrypts execution results and sends them back to the actor via email replies with the subject "Output."
### Advanced Features
- **Anti-Forensics:** Automatically issues HTTP DELETE requests via the Graph API to remove command-bearing emails after execution to minimize the digital footprint in the mailbox.
- **Cross-Platform Parity:** Maintains a nearly identical codebase (including typos and encryption keys) to its Windows counterpart, allowing for streamlined multi-platform operations.
## Indicators of Compromise
- **File Hashes:**
  * *Note: Specific hashes were not provided in the source text, but samples are available on VirusTotal indexed under GoGra Linux.*
- **File Names:**
  * Disguised as PDF files (initial access)
  * `conky` (persistence executable)
- **Network Indicators:**
  * `graph.microsoft[.]com` (Legitimate API endpoint used for C2)
  * `login.microsoftonline[.]com` (Used for OAuth2 token acquisition)
- **Behavioral Indicators:**
  * Creation of a `systemd` service or XDG autostart entry for a process named "Conky."
  * Repetitive HTTP polling (every 2 seconds) to Microsoft Graph API endpoints.
## Associated Threat Actors
- **Harvester:** A state-backed espionage group active since 2021, known for targeting telecommunications, government, and IT sectors in South Asia.
## Detection Methods
- **Behavioral Detection:** Monitor for unexpected processes (like `conky`) establishing persistent outbound connections to Microsoft Graph API endpoints, especially if the binary is unsigned or located in atypical directories.
- **Mailbox Auditing:** Monitor Microsoft 365 logs for unusual folders (e.g., “Zomato Pizza”) or high-frequency automated deletions within user inboxes.
- **File Integrity Monitoring:** Detect the creation of unauthorized `systemd` units or files in `~/.config/autostart/`.
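The behavioral detection above can be expressed as a simple cadence heuristic over per-process egress logs. The following is an added example, not code from the report or from the GoGra analysis; the log format, the sample lines, the `ALLOWED_PROCESSES` set and the thresholds are all constructed for illustration.

```python
"""Detection heuristic for GoGra-style Graph API beaconing (added example).

Constructed log format (assumption): "<epoch> <process> <dest_host> <method>"
"""
from collections import defaultdict
from statistics import median

# Constructed sample egress log lines; the process name 'conky', the 2-second
# cadence and the HTTP DELETE mirror the behaviour described in the report.
SAMPLE_LOG = """\
1700000000 conky graph.microsoft.com GET
1700000002 conky graph.microsoft.com GET
1700000004 conky graph.microsoft.com GET
1700000006 conky graph.microsoft.com DELETE
1700000008 conky graph.microsoft.com GET
1700000001 firefox graph.microsoft.com GET
1700000040 firefox login.microsoftonline.com POST
1700000300 firefox graph.microsoft.com GET
1700000005 teams graph.microsoft.com GET
1700000007 teams graph.microsoft.com GET
1700000009 teams graph.microsoft.com GET
"""

GRAPH_HOSTS = {"graph.microsoft.com"}
# Processes expected to talk to Graph in this environment (assumption).
ALLOWED_PROCESSES = {"teams", "outlook"}

def parse_log(text):
    """Return {process: [(ts, host, method), ...]} from the constructed log."""
    by_proc = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, method = line.split()
        by_proc[proc].append((int(ts), host, method))
    return by_proc

def find_beaconing(text, max_interval=3, min_requests=4):
    """Flag non-allowlisted processes polling Graph at a tight, regular cadence."""
    findings = []
    for proc, events in parse_log(text).items():
        if proc in ALLOWED_PROCESSES:
            continue
        ts = sorted(t for t, host, _ in events if host in GRAPH_HOSTS)
        if len(ts) < min_requests:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        deletes = sum(1 for _, h, m in events if h in GRAPH_HOSTS and m == "DELETE")
        if median(gaps) <= max_interval:
            findings.append({"process": proc, "requests": len(ts),
                             "median_gap_s": median(gaps), "deletes": deletes})
    return findings

if __name__ == "__main__":
    for finding in find_beaconing(SAMPLE_LOG):
        print(finding)
```

The `deletes` count is worth surfacing separately, since DELETE calls against a mailbox are the report's indicator-removal step and rarely occur at machine cadence from a user workstation.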
## Mitigation Strategies
- **OAuth Monitoring:** Audit Azure AD / Entra ID for the use of hardcoded app credentials and monitor for suspicious application registrations associated with Graph API permissions (Mail.ReadWrite).
- **Endpoint Hardening:** Implement strict execution policies to prevent the execution of ELF binaries disguised as documents.
- **Network Filtering:** Restrict access to Microsoft Graph APIs only to authorized applications and administrative accounts within the environment.
## Related Tools/Techniques
- **GoGra (Windows Variant):** The original version of the backdoor featuring the same logic and encryption routines.
- **Graphican:** Another malware family known to abuse the Microsoft Graph API for C2.