Cybersecurity researchers have found several new malware families that use the Microsoft Graph API’s legitimate cloud services for command-and-control operations. This tactic allows threat actors to blend in with normal network traffic and avoid detection.
A malware family called GoGra was found targeting a media company in South Asia in late 2023. It is written in the Go programming language. Instead of contacting a dedicated control server, it communicates with its operators through Microsoft's mail services, reading encrypted instructions from specially crafted emails.
Right now, it’s not clear how it gets into target systems. However, GoGra is set up to read messages from an Outlook username “FNU LNU”, whose subject line begins with the word “Input.”
The malware decrypts the message contents with AES-256 in Cipher Block Chaining (CBC) mode using a key, then runs the resulting commands through cmd.exe.
It encrypts the operation results and sends them to the same user with the subject “Output.”
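The tasking channel described above (mail read through Microsoft Graph, subject lines beginning with "Input" and "Output") gives defenders two things to look for in endpoint telemetry: which process is reading mail through the Graph API, and whether the subjects match the tasking pattern. The following is an added detection example written for this article; it is not code from Symantec or from the malware. It assumes a constructed pipe-delimited log format (`process|host|path|subject`) and a constructed allowlist of processes that are expected to reach Graph mail endpoints, both of which would be replaced by the real log source and the environment's own baseline.

```python
"""Flag suspicious Microsoft Graph mail access in endpoint telemetry.

Added example, not code from the article's sources or the malware.
Assumed (constructed) log record format, one event per line:
    process | destination host | URL path | mail subject (may be empty)
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class GraphEvent:
    process: str
    host: str
    path: str
    subject: str = ""


# Processes expected to talk to Graph mail endpoints (assumption; tune per environment).
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "msedge.exe", "teams.exe"}

# Graph API hosts and URL fragments that indicate mailbox access.
GRAPH_HOSTS = {"graph.microsoft.com", "graph.microsoft.us"}
MAIL_PATH_MARKERS = ("/messages", "/mailfolders", "/sendmail")

# Subject prefixes used by the GoGra tasking (Input) and response (Output) mails.
TASKING_SUBJECT_PREFIXES = ("Input", "Output")


def parse_line(line: str) -> GraphEvent:
    """Parse one constructed 'process|host|path|subject' record."""
    parts = [p.strip() for p in line.split("|", 3)]
    parts += [""] * (4 - len(parts))  # pad missing trailing fields
    return GraphEvent(*parts)


def parse_lines(text: str) -> List[GraphEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_graph_mail_call(ev: GraphEvent) -> bool:
    """True when the event is a request to a Graph mailbox endpoint."""
    path = ev.path.lower()
    return ev.host.lower() in GRAPH_HOSTS and any(m in path for m in MAIL_PATH_MARKERS)


def assess(ev: GraphEvent) -> List[str]:
    """Return the reasons an event looks like covert mail-based tasking (empty if none)."""
    reasons: List[str] = []
    if not is_graph_mail_call(ev):
        return reasons
    if ev.process.lower() not in EXPECTED_MAIL_CLIENTS:
        reasons.append(f"unexpected process {ev.process} using Graph mail endpoint {ev.path}")
    if ev.subject.startswith(TASKING_SUBJECT_PREFIXES):
        reasons.append(f"subject begins with tasking marker: {ev.subject!r}")
    return reasons


def scan(events: Iterable[GraphEvent]) -> List[Tuple[GraphEvent, List[str]]]:
    """Run assess() over all events and keep only those with at least one reason."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: two benign events, three worth a closer look.
SAMPLE_LOG = """
outlook.exe|graph.microsoft.com|/v1.0/me/messages|Weekly report
svchost.exe|graph.microsoft.com|/v1.0/me/messages?$filter=startswith(subject,'Input')|Input 8f2a
updater.exe|graph.microsoft.com|/v1.0/me/sendMail|Output 8f2a
chrome.exe|graph.microsoft.com|/v1.0/me/drive/root|
outlook.exe|graph.microsoft.com|/v1.0/me/messages|Input: meeting notes
"""

if __name__ == "__main__":
    for ev, reasons in scan(parse_lines(SAMPLE_LOG)):
        print(f"{ev.process}: " + "; ".join(reasons))
```

The two checks are deliberately independent: a non-mail process touching `/messages` is worth a look even with an innocuous subject, and a tasking-style subject read by a legitimate client still deserves review, because the point of this technique is that the traffic itself is indistinguishable from ordinary Graph usage.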
Symantec, a cybersecurity company, links GoGra to a nation-state hacking group called Harvester. They point out similarities with Harvester’s earlier Graphon implant. This shows how cyber espionage tools are getting more advanced.
These discoveries follow earlier malware like BLUELIGHT, Graphite, Graphican, and BirdyClient, which pioneered the use of cloud services for covert operations.
Symantec researchers point out that this trend shows how threat actors study and adapt successful techniques from other groups. The growing use of cloud services for malicious activity creates new challenges for cybersecurity professionals, as it gets tougher to tell normal network activity from malicious activity.
As more espionage actors pick up these tactics and techniques, companies should keep a closer eye on how cloud services are used and tighten access control mechanisms to lower potential risks.