Grager
Intelligence Profile
Grager is a backdoor deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of this backdoor revealed that it uses the Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive. The backdoor decrypts a client ID and refresh token for OneDrive from a blob contained within its file body. It supports the following commands:
- Retrieve machine information, including machine name, user, IP address, and machine architecture
- Download or upload a file
- Execute a file
- Gather file system information, including available drives, their sizes, and types of drives
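Because the C&C channel described above rides on legitimate Microsoft Graph traffic to OneDrive, a defender's best hunting signal is which process is making those calls, not the destination itself. The following is an added example, not code from the original profile or from any vendor analysis: it scans constructed web-proxy log lines (assumed format: timestamp, client IP, process image, method, host, path) for processes outside an assumed allow-list that exchange a token at the Microsoft identity endpoint and then read or write OneDrive items through Graph. The process name and allow-list are placeholders to tune per environment.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample web-proxy log lines (assumed format, not from the original page):
# "<timestamp> <client_ip> <process_image> <method> <host> <path>"
SAMPLE_LOGS = [
    "2024-04-10T09:12:01Z 10.0.0.5 OneDrive.exe GET graph.microsoft.com /v1.0/me/drive/root/children",
    "2024-04-10T09:12:07Z 10.0.0.5 msedge.exe GET www.example.com /index.html",
    "2024-04-10T09:13:44Z 10.0.0.7 updater.exe POST login.microsoftonline.com /common/oauth2/v2.0/token",
    "2024-04-10T09:13:45Z 10.0.0.7 updater.exe GET graph.microsoft.com /v1.0/me/drive/root:/tasks:/children",
    "2024-04-10T09:13:50Z 10.0.0.7 updater.exe PUT graph.microsoft.com /v1.0/me/drive/root:/out/info.txt:/content",
    "2024-04-10T09:14:02Z 10.0.0.9 Outlook.exe GET graph.microsoft.com /v1.0/me/messages",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\S+)$")
# OneDrive-backed Graph resources: /me/drive, /users/{id}/drive, /drives/{id}
DRIVE_PATH_RE = re.compile(r"^/(v1\.0|beta)/(me/drive|users/[^/]+/drive|drives/)")
TOKEN_HOST = "login.microsoftonline.com"
TOKEN_PATH_RE = re.compile(r"/oauth2/(v2\.0/)?token$")
# Process images expected to talk to Graph/OneDrive; an assumed list, tune per environment
EXPECTED_IMAGES = {"onedrive.exe", "outlook.exe", "msedge.exe", "teams.exe", "excel.exe", "winword.exe"}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding when an unexpected process exchanges a token or touches OneDrive via Graph."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, image, method, host, path = m.groups()
    if image.lower() in EXPECTED_IMAGES:
        return None
    if host == "graph.microsoft.com" and DRIVE_PATH_RE.match(path):
        reason = "onedrive_upload" if method in ("PUT", "POST", "PATCH") else "onedrive_read"
    elif host == TOKEN_HOST and TOKEN_PATH_RE.search(path):
        reason = "token_exchange"  # a refresh token must be exchanged for an access token first
    else:
        return None
    return {"timestamp": ts, "client_ip": ip, "image": image, "reason": reason}


def find_suspicious_graph_clients(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (classify(line) for line in lines) if f]


def hosts_with_full_pattern(findings: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(client_ip, image) pairs that did both a token exchange and a drive call: the strongest signal."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for f in findings:
        seen.setdefault((f["client_ip"], f["image"]), set()).add(f["reason"])
    return sorted(key for key, reasons in seen.items()
                  if "token_exchange" in reasons and reasons & {"onedrive_read", "onedrive_upload"})
```

Pair the hits with the writes to OneDrive (the PUT above corresponds to the upload command) to prioritise which host to triage first.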
Threat Analysis
Grager is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.