GoGra uses the Microsoft Graph API to access the Outlook mail service with OAuth access tokens for a user named FNU LNU. The backdoor reads instructions from messages in that Outlook mailbox whose subject line contains the word “Input”. The message contents are encrypted with AES-256, and the malware decrypts them with a hardcoded key.
“GoGra executes commands via the cmd.exe input stream and supports an additional command named cd which changes the current directory,” the Symantec researchers said. “After the execution of a command, it encrypts the output and sends it to the same user with the subject Output.”
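The mailbox loop described above (poll the inbox for “Input” mail, run the command, mail the result back as “Output”) leaves a distinctive cadence in whatever records Graph API traffic for the tenant. The following is an added example, not code from the article or from Symantec, of a hunt for that cadence over constructed records. The record shape (timestamp, user, app, HTTP method, request URI, user agent) is a simplified assumption, not the exact Microsoft Graph activity log schema, and the application and user names are hypothetical.

```python
"""Hunt for an Outlook-mailbox C2 loop in (constructed) Graph API request records.

Heuristic: one principal (user, app) repeatedly reads inbox messages and then
calls sendMail within a short window. A request filter mentioning "Input"
is recorded as an extra indicator, but the cadence alone is enough to flag.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, userId, appId, method, uri, userAgent).
# "app-c2" / "user-a" model the implant's loop; "outlook-web" / "user-b" is benign.
# All names and the record layout are assumptions for this example.
SAMPLE_LOG = [
    ("2024-08-01T10:00:00Z", "user-a", "app-c2", "GET",
     "/v1.0/me/mailFolders/inbox/messages?$filter=contains(subject,'Input')",
     "Go-http-client/1.1"),
    ("2024-08-01T10:00:05Z", "user-a", "app-c2", "POST", "/v1.0/me/sendMail",
     "Go-http-client/1.1"),
    ("2024-08-01T10:01:00Z", "user-a", "app-c2", "GET",
     "/v1.0/me/mailFolders/inbox/messages?$filter=contains(subject,'Input')",
     "Go-http-client/1.1"),
    ("2024-08-01T10:01:03Z", "user-a", "app-c2", "POST", "/v1.0/me/sendMail",
     "Go-http-client/1.1"),
    ("2024-08-01T10:02:00Z", "user-a", "app-c2", "GET",
     "/v1.0/me/mailFolders/inbox/messages?$filter=contains(subject,'Input')",
     "Go-http-client/1.1"),
    ("2024-08-01T10:02:04Z", "user-a", "app-c2", "POST", "/v1.0/me/sendMail",
     "Go-http-client/1.1"),
    # Benign interactive use: a mail read in the morning, one message sent hours later.
    ("2024-08-01T09:00:00Z", "user-b", "outlook-web", "GET",
     "/v1.0/me/messages?$top=25", "Mozilla/5.0"),
    ("2024-08-01T12:30:00Z", "user-b", "outlook-web", "POST", "/v1.0/me/sendMail",
     "Mozilla/5.0"),
]


def _parse_ts(ts: str) -> datetime:
    # Accept the trailing "Z" form used in the sample records.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_mailbox_c2(records, window=timedelta(seconds=60), min_cycles=3):
    """Return {(userId, appId): {"cycles": n, "input_filter": bool, "user_agents": set}}
    for principals with at least `min_cycles` read-then-send cycles inside `window`."""
    by_principal = defaultdict(list)
    for ts, user, app, method, uri, ua in records:
        by_principal[(user, app)].append((_parse_ts(ts), method.upper(), uri, ua))

    hits = {}
    for key, events in by_principal.items():
        events.sort(key=lambda e: e[0])
        cycles = 0
        pending_read = None           # time of the most recent inbox read not yet paired
        input_filter = False
        agents = set()
        for when, method, uri, ua in events:
            agents.add(ua)
            low = uri.lower()
            if method == "GET" and "/messages" in low:
                pending_read = when
                if "input" in low:    # subject filter naming the C2 keyword
                    input_filter = True
            elif method == "POST" and low.endswith("/sendmail") and pending_read is not None:
                if when - pending_read <= window:
                    cycles += 1       # a read closely followed by a send = one C2 cycle
                pending_read = None
        if cycles >= min_cycles:
            hits[key] = {"cycles": cycles, "input_filter": input_filter,
                         "user_agents": agents}
    return hits


if __name__ == "__main__":
    for (user, app), info in find_mailbox_c2(SAMPLE_LOG).items():
        print(f"{user} via {app}: {info['cycles']} read->send cycles, "
              f"Input filter seen={info['input_filter']}, agents={sorted(info['user_agents'])}")
```

Two caveats when adapting this to real telemetry: request records carry the URI, not the mail subject, so if an implant fetches the whole inbox and filters for “Input” client-side only the cadence heuristic fires; and `window`/`min_cycles` need tuning per tenant, since mail clients that sync and send in quick succession can produce a few such pairs legitimately. A non-browser user agent on a consumer mailbox, as in the sample, is a useful secondary signal rather than a verdict on its own.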
A second APT malware implant that uses the Microsoft Graph API is Trojan.Grager, which was deployed against organizations in Taiwan, Hong Kong, and Vietnam in April. The backdoor was distributed through a trojanized installer for the 7-Zip archive manager, and it uses Microsoft OneDrive rather than Outlook for C2. Grager can download, upload, and execute files and gathers system and machine information.