7 August 2024

Threat actors ramp up attacks on orgs in the US, Europe and Asia with new backdoors

Symantec’s Threat Hunter Team said it uncovered three new espionage operations using cloud services and uncovered evidence of further tools in development. Among these is a previously unseen backdoor named GoGra (Trojan.Gogra), deployed against a media organization in South Asia in November 2023. GoGra, written in Go, interacts with a command-and-control (C&C) server hosted on Microsoft mail services through the Microsoft Graph API.

Microsoft Graph API facilitates access to resources hosted on Microsoft cloud services, such as Microsoft 365, using OAuth access tokens for authentication. Analysis indicates that GoGra was likely developed by Harvester, a nation-state-backed group uncovered by Symantec in 2021 that targets organizations in South Asia. GoGra bears some similarities to a known Harvester tool called Graphon, which was written in .NET.
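Because every backdoor in this report authenticates to Microsoft's identity service and then calls graph.microsoft.com, the proxy is a natural place to look for implants that do not resemble the clients that normally use those endpoints. The script below is an added detection example, not code from Symantec's report or from any of the malware families it describes. It assumes a simple proxy log line format (`timestamp client_ip method url "user-agent"`) and an allowlist of expected User-Agent prefixes; both are constructed for illustration and would be replaced with your own format and baseline. The sample log lines are also constructed, and the idea of treating Go's default `Go-http-client/1.1` string as a signal is a heuristic prompted by GoGra being written in Go, not a detection Symantec published.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Microsoft identity and Graph endpoints used for token issuance and API calls.
CLOUD_API_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com"}

# User-Agent prefixes of clients expected to reach those hosts in a typical
# Microsoft 365 estate (assumed allowlist; tune it from your own baseline).
EXPECTED_UA_PREFIXES = ("Mozilla/", "Microsoft Office", "Outlook", "Teams", "OneDrive")

# Assumed proxy line format: <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one proxy line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unexpected_graph_clients(lines):
    """Map client IP -> sorted list of User-Agent strings that reached the
    identity or Graph endpoints without matching a known client prefix.
    Lines that do not parse are skipped rather than raising."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname
        if host not in CLOUD_API_HOSTS:
            continue
        if rec["ua"].startswith(EXPECTED_UA_PREFIXES):
            continue
        seen[rec["src"]].add(rec["ua"])
    return {src: sorted(uas) for src, uas in seen.items()}


# Constructed sample: one host fetches a token and then reads a mailbox using
# Go's default HTTP client string; another uses a browser; a third never
# touches the Graph endpoints at all; the last line is deliberately malformed.
SAMPLE_LOG = [
    '2024-07-15T09:01:12Z 10.0.5.21 POST https://login.microsoftonline.com/common/oauth2/v2.0/token "Go-http-client/1.1"',
    '2024-07-15T09:01:13Z 10.0.5.21 GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages "Go-http-client/1.1"',
    '2024-07-15T09:02:00Z 10.0.5.40 GET https://graph.microsoft.com/v1.0/me/drive/root/children "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-07-15T09:03:00Z 10.0.5.41 GET https://example.com/status "Go-http-client/1.1"',
    "garbage line that does not match the expected format",
]

if __name__ == "__main__":
    for src, uas in unexpected_graph_clients(SAMPLE_LOG).items():
        print(src, uas)  # expected: 10.0.5.21 ['Go-http-client/1.1']
```

An allowlist on User-Agent is only a first filter: a well-written implant can present a browser string, so the same logic is worth running over per-process network telemetry from an EDR, where the question becomes which executable on the host is the one talking to Graph.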

Additionally, Symantec identified a new exfiltration tool deployed by the Firefly espionage group in an attack against a military organization in Southeast Asia. This tool used a publicly available Google Drive client in a Python wrapper to search for and upload .jpg files from the System32 directory to Google Drive. Many of these files were actually encrypted RAR files containing sensitive data, including documents, meeting notes, call transcripts, building plans, email folders, and accounting data.
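The Firefly tool staged encrypted RAR archives under a .jpg name in System32, which is the kind of mismatch a simple content check catches regardless of filename. The script below is an added example written for this article, not Symantec's or the threat group's code: it walks a directory, reads the first bytes of every file with an image extension and reports those that do not carry a JPEG signature, classifying RAR archives explicitly. The RAR and JPEG magic bytes are the published format signatures; the sample directory it builds is constructed for demonstration, and the `find_masqueraded_images` and `build_sample_tree` names are this example's own.

```python
import os
import tempfile

# Well-known file signatures (magic bytes) for the formats we distinguish.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
JPEG_MAGIC = b"\xff\xd8\xff"


def classify(header: bytes) -> str:
    """Return the real format of a file from its leading bytes, ignoring its name."""
    if header.startswith(RAR5_MAGIC):
        return "rar5"
    if header.startswith(RAR4_MAGIC):
        return "rar4"
    if header.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def find_masqueraded_images(root: str, extensions=(".jpg", ".jpeg")):
    """Walk `root` and return sorted (path, real_format) pairs for files that
    carry an image extension but do not start with a JPEG signature.
    Files that cannot be opened (locked, permission denied) are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    header = f.read(16)
            except OSError:
                continue
            kind = classify(header)
            if kind != "jpeg":
                findings.append((path, kind))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed directory mimicking the pattern: one genuine JPEG
    header, one RAR archive renamed to .jpg, and an unrelated text file."""
    root = tempfile.mkdtemp(prefix="masq_demo_")
    with open(os.path.join(root, "wallpaper.jpg"), "wb") as f:
        f.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    with open(os.path.join(root, "notes.jpg"), "wb") as f:
        f.write(RAR5_MAGIC + b"\x00" * 64)  # archive header behind an image name
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"not an image, so not checked")
    return root


if __name__ == "__main__":
    for path, kind in find_masqueraded_images(build_sample_tree()):
        print(f"{kind:8s} {path}")
    # On a Windows host the interesting call is:
    # find_masqueraded_images(r"C:\Windows\System32")
```

Running it over System32 on a production host will also surface any legitimately odd files, so treat hits as leads to inspect (who wrote the file, when, and whether an archive tool or a cloud-sync client touched it) rather than as verdicts.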

In another case, a previously unseen backdoor named Trojan.Grager was deployed against organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Grager uses the Graph API to communicate with a C&C server hosted on Microsoft OneDrive and was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.

Grager supports various commands, including retrieving machine information, downloading and uploading files, executing files, and gathering file system information. There are possible links between Grager and a China-linked threat group known as UNC5330.

Symantec also discovered evidence of another developing backdoor called MoonTag (Trojan.Moontag), with several variants uploaded to VirusTotal recently. Additionally, another backdoor named Ondritols (Trojan.Ondritols) has been deployed against IT services companies in the US and Europe. Ondritols is a multi-stage backdoor, with the first stage acting as a downloader that authenticates to Microsoft Graph API and downloads the second stage payload from OneDrive.

In May 2024, Symantec uncovered BirdyClient, malware that communicates with a OneDrive C&C server via the Graph API. BirdyClient was used in an attack against an organization in Ukraine.

Leveraging cloud services for command and control is not a new technique, but its use has become more prevalent. Three years ago, Volexity reported on BlueLight, malware from the North Korea-linked Vedalia espionage group (APT37).

Symantec discovered the Graphon backdoor in October 2021, and the Russian Swallowtail espionage group, known as APT28 or Fancy Bear, adopted this tactic with Graphite malware. In June 2023, Symantec identified Backdoor.Graphican, used by the Flea group (APT15, Nickel) against foreign affairs ministries in the Americas.
