GoGra uses the Microsoft Graph API to reach the Outlook mail service, authenticating with OAuth access tokens for a user named FNU LNU. The backdoor reads the mailbox and treats messages whose subject line contains the word “Input” as instructions. The message contents are encrypted with AES-256, and the malware decrypts them with a hardcoded key.
“GoGra executes commands via the cmd.exe input stream and supports an additional command named cd which changes the active directory,” the Symantec researchers said. “After the execution of a command, it encrypts the output and sends it to the same user with the subject Output.”
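The tasking cycle described above (poll for “Input” mail, decrypt, run, encrypt, reply as “Output”), emulated in Go as an added example. This is not GoGra's code and not from Symantec's report: the Graph API mailbox is replaced by an in-memory slice of messages and cmd.exe by an injected executor, and it assumes details the report does not state, namely AES-256 in CBC mode with a random IV prepended, PKCS#7 padding, base64-encoded bodies, and a constructed 32-byte key. The names Message, Implant, Poll, Encrypt, Decrypt and sharedKey are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Message stands in for a Graph API mail item; Body is base64(IV || ciphertext), an assumed encoding.
type Message struct{ Subject, Body string }

// Constructed 32-byte key; the implant's real hardcoded key is not reproduced here.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// Encrypt returns base64(IV || AES-256-CBC(pkcs7(pt))); CBC with an IV prefix is assumed, the report only says AES-256.
func Encrypt(key, pt []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 always adds 1..16 bytes
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return base64.StdEncoding.EncodeToString(append(iv, buf...)), nil
}

// Decrypt reverses Encrypt, rejecting malformed bodies instead of panicking.
func Decrypt(key []byte, body string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("body of %d bytes is too short or not block-aligned", len(raw))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := raw[aes.BlockSize:]
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, pt)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || bytes.Count(pt[len(pt)-n:], []byte{byte(n)}) != n {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return pt[:len(pt)-n], nil
}

// Implant holds the directory GoGra's "cd" built-in changes plus an injected executor;
// the real implant feeds each line to cmd.exe's stdin, this emulation never spawns a shell.
type Implant struct {
	Cwd string
	Run func(cwd, cmd string) string
}

// Poll is one tasking cycle: each inbox message whose subject contains "Input" is decrypted
// and run ("cd" only updates Cwd); the encrypted result comes back as an "Output" message.
func (im *Implant) Poll(inbox []Message) ([]Message, error) {
	var outbox []Message
	for _, m := range inbox {
		if !strings.Contains(m.Subject, "Input") {
			continue
		}
		cmd, err := Decrypt(sharedKey, m.Body)
		if err != nil {
			return outbox, fmt.Errorf("decrypt %q: %w", m.Subject, err)
		}
		line, result := strings.TrimSpace(string(cmd)), ""
		if strings.HasPrefix(line, "cd ") {
			im.Cwd = strings.TrimSpace(line[3:])
		} else {
			result = im.Run(im.Cwd, line)
		}
		body, err := Encrypt(sharedKey, []byte(result))
		if err != nil {
			return outbox, err
		}
		outbox = append(outbox, Message{Subject: "Output", Body: body})
	}
	return outbox, nil
}

func main() {
	im := &Implant{Cwd: `C:\`, Run: func(cwd, cmd string) string { return "[" + cwd + "] " + cmd }}
	body, _ := Encrypt(sharedKey, []byte("whoami")) // operator side: task the implant
	out, err := im.Poll([]Message{{"Weekly report", "unrelated mail"}, {"Input", body}})
	fmt.Println(len(out), err)
}
```

The operator side is just Encrypt with subject “Input”, as main shows; the implant side is Poll. What the emulation makes visible for detection is the shape of the traffic: one account reading its own mail for “Input” subjects and immediately sending “Output” mail to itself, with bodies that are opaque base64 blobs rather than text.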
A second APT implant that leverages the Microsoft Graph API is Trojan.Grager, which was used against organizations in Taiwan, Hong Kong, and Vietnam in April. The backdoor was distributed through a trojanized installer for the 7-Zip archive manager and uses Microsoft OneDrive rather than Outlook as its C2 channel. It can download, upload, and execute files and gathers system and machine information.