Linux GoGra Backdoor Uses Outlook via Graph API for Stealthy Espionage
GoGra Linux variant tied to Harvester group
A new Linux variant of the GoGra backdoor has been uncovered, marking a significant evolution in a cyber-espionage campaign linked to the state-backed Harvester group. The malware stands out for its unusual command-and-control method, relying on Microsoft Outlook through the Microsoft Graph API to blend malicious traffic with legitimate cloud activity.
Infection Method Disguised as a PDF
The infection begins with a deceptive tactic. Victims receive what appears to be a harmless PDF file, but it is actually a malicious ELF binary. Once executed, the payload deploys and establishes persistence on the system using systemd services and XDG autostart entries, ensuring it survives reboots and remains active without raising suspicion.
Outlook Mailbox Used as Command-and-Control
What makes this variant particularly stealthy is how it communicates. Instead of using traditional command-and-control servers, the malware leverages hardcoded Azure Active Directory credentials to obtain OAuth2 tokens. It then connects directly to an Outlook mailbox, effectively turning it into a hidden control channel.
How the Malware Executes Commands
The backdoor checks the mailbox every two seconds, scanning for incoming emails with subjects that begin with “Input.” These messages, stored in a folder labeled “Zomato Pizza” to avoid detection, contain encrypted instructions. The malware decodes the Base64-encoded body, decrypts it with AES-CBC, executes the resulting commands locally, and sends the results back as reply emails with the subject “Output.”
Evasion and Anti-Detection Techniques
To further evade detection, the malware deletes command emails after processing them. By using legitimate Microsoft infrastructure, the activity blends into normal enterprise traffic, making it far harder for traditional security tools to flag. It also disguises itself as Conky, a common Linux system monitoring tool, adding another layer of obfuscation.
Links to Windows Variant and Target Scope
Researchers noted that this Linux variant shares a nearly identical codebase with its Windows counterpart, strongly suggesting the same developer or group is behind both versions. The campaign primarily targets organizations in telecommunications, government, and IT sectors, with a focus on South Asia.
Security Implications and Recommendations
The discovery highlights a growing trend where threat actors abuse trusted cloud services to operate under the radar. Organizations are urged to closely monitor unusual Microsoft Graph API activity, restrict unnecessary OAuth application permissions, and avoid executing unknown files, especially those disguised as common document formats.
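A defender-side hunt for the polling pattern described above, written for this article as an added example (not the researchers' or Microsoft's code). It assumes a constructed JSON-lines export of Graph mailbox requests with fields ts, app, user and path, and flags a principal that lists a mail folder at a machine-like cadence or touches the “Zomato Pizza” folder named in the report.

```python
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote

# Constructed sample of Graph mailbox requests; the field names are assumed, not a real log schema.
SAMPLE_LOG = """
{"ts":"2024-01-10T09:00:00Z","app":"app-aaa","user":"svc@corp.example","path":"/me/mailFolders/Zomato%20Pizza/messages"}
{"ts":"2024-01-10T09:00:02Z","app":"app-aaa","user":"svc@corp.example","path":"/me/mailFolders/Zomato%20Pizza/messages"}
{"ts":"2024-01-10T09:00:04Z","app":"app-aaa","user":"svc@corp.example","path":"/me/mailFolders/Zomato%20Pizza/messages"}
{"ts":"2024-01-10T09:00:00Z","app":"app-bbb","user":"alice@corp.example","path":"/me/mailFolders/inbox/messages"}
{"ts":"2024-01-10T09:05:00Z","app":"app-bbb","user":"alice@corp.example","path":"/me/mailFolders/inbox/messages"}
{"ts":"2024-01-10T09:10:00Z","app":"app-bbb","user":"alice@corp.example","path":"/me/mailFolders/inbox/messages"}
"""

MAILBOX_PATH = re.compile(r"/mailFolders/([^/]+)/messages", re.IGNORECASE)
SUSPECT_FOLDERS = {"zomato pizza"}  # folder name reported in the article
MIN_POLLS = 3                        # need several requests to judge cadence
MAX_MEDIAN_GAP_S = 5.0               # GoGra polls roughly every 2 s

def parse(log_text):
    """Yield (timestamp, app, user, folder) for each mailbox-listing request."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        m = MAILBOX_PATH.search(rec["path"])
        if m:
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield ts, rec["app"], rec["user"], unquote(m.group(1)).lower()

def find_suspects(log_text):
    """Map (app, user) to reasons when mailbox access looks like a C2 poll loop."""
    stamps, folders = defaultdict(list), defaultdict(set)
    for ts, app, user, folder in parse(log_text):
        stamps[(app, user)].append(ts)
        folders[(app, user)].add(folder)
    findings = {}
    for key, times in stamps.items():
        reasons = []
        times.sort()
        if len(times) >= MIN_POLLS:  # short, regular gaps mean a loop, not a person
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if median(gaps) <= MAX_MEDIAN_GAP_S:
                reasons.append(f"median poll gap {median(gaps):.1f}s")
        reasons += ["suspect folder " + f for f in sorted(folders[key] & SUSPECT_FOLDERS)]
        if reasons:
            findings[key] = reasons
    return findings
```

Tune MAX_MEDIAN_GAP_S and the folder list to your own baseline; a sync client that also lists folders frequently will need an allow-list entry rather than a looser threshold.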
In related developments, Microsoft has also warned about ongoing social engineering attacks targeting enterprises through Microsoft Teams, while issuing an emergency update to address a critical .NET security flaw. At the same time, more than 1,300 SharePoint servers remain exposed to a known vulnerability due to delayed patching, underscoring the persistent risks of unaddressed security updates.