Overview
- Symantec and Carbon Black detailed a Linux build of GoGra that uses hardcoded Azure AD credentials to log into Microsoft cloud services, so that its command-and-control traffic blends in with legitimate Outlook use.
- The malware polls an Outlook folder named "Zomato Pizza" every two seconds, decrypts messages tagged "Input", executes the tasks they carry, mails the results back tagged "Output", and then deletes the original command message.
- Victims are tricked into running ELF files disguised as PDFs; a Go dropper then opens a decoy document and establishes persistence through systemd and an XDG autostart entry that impersonates the Conky system monitor.
- Researchers link the implant to Harvester by showing a near-identical codebase to the Windows variant, including the same AES key and matching spelling mistakes in strings and function names.
- Artifacts uploaded to VirusTotal from India and Afghanistan suggest a South Asia focus, and the reports describe confirmed tooling and tactics rather than verified compromises in live victim networks.
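As an added illustration of the persistence step in the third bullet (this is example code written for this page, not code from the Symantec/Carbon Black report or from GoGra itself), the Python triage script below reads the two places a user-level dropper would normally register itself, ~/.config/autostart for XDG entries and ~/.config/systemd/user for systemd units (an assumption; the summary names only the mechanisms), and flags entries that carry Conky's name but execute something other than a packaged conky binary. The sample .desktop and .service texts, the /home/alice paths and the directory allowlists are constructed for the example.

```python
"""Hunt for XDG autostart entries and systemd user units that borrow Conky's name.

Added example, not code from the report or the malware. Persistence paths, the
allowlisted binary directories, the sample entries and /home/alice are assumptions.
"""
import shutil
from pathlib import Path

# Where a packaged Conky binary would normally be installed (assumed allowlist).
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/usr/games/", "/snap/bin/")
# Locations an unprivileged dropper can write to and later execute from.
USER_WRITABLE = ("/home/", "/root/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ini_group(text, group):
    """Return the key=value pairs of one [group]; .desktop files and systemd units share this layout."""
    entry = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def first_token(cmdline):
    """Executable from an Exec=/ExecStart= line, minus quotes and systemd prefixes (-, @, :, +, !)."""
    parts = cmdline.split()
    if not parts:
        return ""
    return parts[0].strip("\"'").lstrip("-@:+!")


def judge(label, cmdline, conky_installed=None):
    """Reasons an entry looks like Conky-impersonating persistence; [] if nothing stands out.
    label holds the strings an analyst sees (file name, Name, Comment, Description)."""
    binary = first_token(cmdline)
    if not binary:
        return []
    if "/" not in binary:  # bare command name: resolve it the way the launcher would
        binary = shutil.which(binary) or binary
    if conky_installed is None:
        conky_installed = shutil.which("conky") is not None
    claims_conky = "conky" in label.lower()
    reasons = []
    if binary.startswith(USER_WRITABLE):
        reasons.append(f"executable {binary} lives under a user-writable path")
    if claims_conky and not binary.startswith(SYSTEM_BIN_DIRS):
        reasons.append(f"labelled Conky but runs {binary}, not a packaged conky binary")
    if claims_conky and not conky_installed:
        reasons.append("labelled Conky but no conky binary is on PATH")
    return reasons


def scan_autostart_text(path, text, conky_installed=None):
    """Judge one ~/.config/autostart/*.desktop file given its contents."""
    entry = parse_ini_group(text, "Desktop Entry")
    label = " ".join([Path(path).name] + [entry.get(k, "") for k in ("Name", "Comment", "Icon")])
    return judge(label, entry.get("Exec", ""), conky_installed)


def scan_unit_text(path, text, conky_installed=None):
    """Judge one ~/.config/systemd/user/*.service file given its contents."""
    unit = parse_ini_group(text, "Unit")
    service = parse_ini_group(text, "Service")
    return judge(Path(path).name + " " + unit.get("Description", ""),
                 service.get("ExecStart", ""), conky_installed)


def scan_host(home=None):
    """Walk both persistence locations for one user and collect findings per file."""
    home = Path(home) if home else Path.home()
    findings = {}
    for desktop in sorted((home / ".config" / "autostart").glob("*.desktop")):
        hits = scan_autostart_text(str(desktop), desktop.read_text(errors="replace"))
        if hits:
            findings[str(desktop)] = hits
    for unit in sorted((home / ".config" / "systemd" / "user").glob("*.service")):
        hits = scan_unit_text(str(unit), unit.read_text(errors="replace"))
        if hits:
            findings[str(unit)] = hits
    return findings


# Constructed samples of what a lookalike entry and unit might contain.
SAMPLE_DESKTOP_BAD = """[Desktop Entry]
Name=Conky
Comment=Lightweight system monitor
Exec=/home/alice/.local/share/conky/conky-update
"""
SAMPLE_UNIT_BAD = """[Unit]
Description=Conky system monitor

[Service]
ExecStart=/home/alice/.config/.cache/conkyd
"""

if __name__ == "__main__":
    for name, hits in scan_host().items():
        print(name)
        for reason in hits:
            print("  -", reason)
```

Run it as the user whose profile is under review; a genuine Conky autostart (Exec=/usr/bin/conky with conky on PATH) produces no finding, while an entry that keeps the name but points Exec or ExecStart at a file under the home directory or a temp location is reported with each reason separately, so the output can be pasted into a triage note. The heuristics are deliberately narrow: they catch the name-borrowing pattern the report describes, not every autostart abuse.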