
The Robot That Reads Your Mail

  • Javier Conejo del Cerro
  • 8 hours ago
  • 2 min read

In modern espionage campaigns, control no longer needs a visible channel. In Harvester’s latest operation, the attacker built a system where commands travel through something as ordinary as email. The result is a robotic loop: receive, execute, respond—hidden entirely inside trusted cloud infrastructure.


Phase 1: The Entry Point 


The attack begins with social engineering. Targets receive what appears to be a harmless document—typically a PDF. In reality, it is a disguised ELF binary.

Once executed, the file displays a decoy document to maintain the illusion, while silently launching the GoGra backdoor in the background.

No exploit is needed. The user executes the entry point.
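A triage check for this lure, added here as an example (it is not code from the campaign or from the original write-up): compare what a file's name claims against what its header says, and look for a PDF header embedded later in an ELF file, which is where a decoy document carried inside the binary would show up. The file names, byte blobs and the `.pdf` extension rule are constructed for the example.

```python
"""Flag files delivered as "PDF" that are really ELF binaries, and note an embedded decoy PDF.
Added example; the samples below are constructed, not real malware."""
import os

ELF_MAGIC = b"\x7fELF"   # bytes 0-3 of every ELF file
PDF_MAGIC = b"%PDF-"     # header every PDF starts with


def classify(name: str, data: bytes) -> dict:
    """Compare the filename's claim with the header and report ELF details.

    Returns the verdict, the ELF class (32/64) when applicable, and the offset
    of any PDF header found inside an ELF file (a bundled decoy), else -1.
    """
    ext = os.path.splitext(name)[1].lower()
    is_elf = data[:4] == ELF_MAGIC
    is_pdf = data.startswith(PDF_MAGIC)

    # EI_CLASS at byte 4: 1 = 32-bit, 2 = 64-bit
    elf_class = {1: 32, 2: 64}.get(data[4]) if is_elf and len(data) > 4 else None
    # A decoy PDF stored inside the executable appears as a second header later in the file.
    embedded_pdf_offset = data.find(PDF_MAGIC, 4) if is_elf else -1

    if is_elf and ext == ".pdf":
        verdict = "elf-masquerading-as-pdf"
    elif is_elf:
        verdict = "elf"
    elif is_pdf:
        verdict = "pdf"
    else:
        verdict = "unknown"

    return {
        "verdict": verdict,
        "elf_class": elf_class,
        "embedded_pdf_offset": embedded_pdf_offset,
    }


def scan_tree(root: str):
    """Yield (path, result) for every *.pdf under root, reading the first 4 MiB of each."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".pdf"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    head = fh.read(4 * 1024 * 1024)
                yield path, classify(fn, head)


# Constructed samples: a minimal 64-bit ELF header (64 bytes), 100 bytes of padding,
# then an embedded decoy PDF header; and a genuine-looking PDF.
FAKE_ELF_WITH_DECOY = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + b"\x00" * 100 + b"%PDF-1.4\n%decoy\n"
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"

if __name__ == "__main__":
    for name, blob in (("report.pdf", FAKE_ELF_WITH_DECOY), ("report.pdf", REAL_PDF)):
        print(name, classify(name, blob))
```

On a real mailbox export or download directory, `scan_tree` does the walk; the verdict `elf-masquerading-as-pdf` together with a non-negative `embedded_pdf_offset` is the pattern this phase describes.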


Phase 2: Deployment on Linux 


This campaign marks a key evolution: Harvester expands from Windows into Linux environments.

The deployed GoGra variant mirrors previous tooling but adapts to Linux systems, demonstrating the actor’s intent to broaden its reach across enterprise infrastructure.


Phase 3: The Communication Loop 


Instead of traditional command-and-control servers, the malware uses Microsoft Graph API and Outlook mailboxes as its communication channel.

The backdoor polls a specific mailbox folder (“Zomato Pizza”) every two seconds, using OData query parameters on the Graph API to filter for messages whose subject begins with “Input”.

When found:

  • The message body is Base64-decoded

  • The decoded text is executed as shell commands via /bin/bash


Phase 4: Execution & Exfiltration 


After executing the command:

  • Results are sent back via email with subject “Output”

  • The original command email is deleted

This creates a closed robotic loop: receive → execute → respond → erase

The process leaves few traces on the endpoint and blends into legitimate cloud traffic. The operations are still recorded on the service side (mailbox audit logs and Graph request logging), which is where this channel has to be hunted: a client that filters one folder by subject prefix every two seconds behaves like no mail client.
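The loop in Phases 3 and 4 has a recognisable shape in Graph request logs: one principal issuing subject-filtered reads of a single mail folder at a fixed, sub-human cadence, interleaved with a send and a delete. The detector below is an added example, not code from the campaign or from the original write-up. It assumes a simplified log shape (timestamp, user principal, HTTP method, request URI) and uses the standard Graph mail endpoints (`/me/mailFolders/{id}/messages` with `$filter`, `/me/sendMail`, `/me/messages/{id}`) to illustrate the pattern; the write-up does not confirm those exact paths, and the sample lines are constructed.

```python
"""Detect a GoGra-style mailbox C2 loop in Microsoft Graph request logs.
Added example, not code from the campaign or the original write-up. The log shape
(timestamp, user principal, HTTP method, request URI) is assumed; adapt LINE_RE to
your own telemetry."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote

# Constructed sample log, not real telemetry. alice's client polls one folder every
# two seconds with an OData $filter on the subject, sends a reply, then deletes the
# command message. bob is an ordinary mail client refreshing its inbox every few minutes.
SAMPLE_LOG = """\
2025-06-01T09:00:00Z alice@corp.example GET /v1.0/me/mailFolders/AAMkFolder1/messages?$filter=startswith(subject,'Input')
2025-06-01T09:00:02Z alice@corp.example GET /v1.0/me/mailFolders/AAMkFolder1/messages?$filter=startswith(subject,'Input')
2025-06-01T09:00:04Z alice@corp.example GET /v1.0/me/mailFolders/AAMkFolder1/messages?$filter=startswith(subject,'Input')
2025-06-01T09:00:06Z alice@corp.example GET /v1.0/me/mailFolders/AAMkFolder1/messages?$filter=startswith(subject,'Input')
2025-06-01T09:00:06Z alice@corp.example POST /v1.0/me/sendMail
2025-06-01T09:00:07Z alice@corp.example DELETE /v1.0/me/messages/AAMkMsg9
2025-06-01T09:00:08Z alice@corp.example GET /v1.0/me/mailFolders/AAMkFolder1/messages?$filter=startswith(subject,'Input')
2025-06-01T09:00:00Z bob@corp.example GET /v1.0/me/mailFolders/inbox/messages?$top=25
2025-06-01T09:05:00Z bob@corp.example GET /v1.0/me/mailFolders/inbox/messages?$top=25
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PATCH|DELETE)\s+(\S+)$")
# A read of one specific folder that filters on a subject prefix, as the backdoor does.
POLL_RE = re.compile(r"/mailFolders/[^/]+/messages\?.*startswith\(subject,", re.IGNORECASE)


def parse(log: str):
    """Turn log lines into (timestamp, user, method, decoded_uri) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, uri = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, method, unquote(uri)))
    return events


def detect_email_c2(log: str, max_gap_s: float = 5.0, min_polls: int = 3) -> dict:
    """Return {user: finding} for principals whose Graph usage matches the loop:
    tight-cadence subject-filtered folder polls, plus any sendMail and message deletes."""
    by_user = defaultdict(list)
    for ev in parse(log):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        polls = [e for e in evs if e[2] == "GET" and POLL_RE.search(e[3])]
        if len(polls) < min_polls:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(polls, polls[1:])]
        if median(gaps) > max_gap_s:
            continue  # subject-filtered reads, but at a human-speed cadence
        sends = sum(1 for e in evs if e[2] == "POST" and e[3].endswith("/sendMail"))
        deletes = sum(1 for e in evs if e[2] == "DELETE" and "/messages/" in e[3])
        findings[user] = {
            "polls": len(polls),
            "median_gap_s": median(gaps),
            "send_mail": sends,
            "message_deletes": deletes,
            "full_loop": sends > 0 and deletes > 0,  # receive, respond and erase all seen
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_email_c2(SAMPLE_LOG).items():
        print(user, finding)
```

The cadence test is what separates the implant from a legitimate client: mail clients use delta queries or refresh on a timer measured in minutes, not subject-prefix filters every two seconds. The `full_loop` flag only confirms the pattern; a tight-cadence filtered poll on its own is already worth a look.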


Phase 5: Stealth Through Trust


The attack’s strength lies in its invisibility:

  • Uses legitimate Microsoft infrastructure

  • Avoids traditional C2 detection patterns

  • Mimics normal email activity

  • Leaves minimal artifacts after execution

Even across platforms (Windows and Linux), the logic remains consistent—suggesting a unified development approach.


Phase 6: Expansion & Persistence

 

Harvester continues evolving:

  • Expanding toolsets across operating systems

  • Targeting high-value sectors (government, telecom, media, IT)

  • Maintaining long-term espionage access

The reuse of coding patterns and logic indicates an active, continuously developing threat actor.


This campaign highlights a critical shift in cyber espionage: attackers are no longer building new channels—they are hiding inside existing ones.

By turning email into a command system and cloud APIs into control infrastructure, Harvester eliminates the need for traditional C2 servers. The attack becomes quieter, harder to detect, and deeply embedded in trusted environments.

Defending against this requires more than blocking malware. It demands visibility into how legitimate services are used—and misused.

Because when the robot reads your mail, the command channel is already inside your system.


Source: The Hacker News

