New GopherWhisper APT Group Leverages Multiple Platforms for Malicious Communications

State-Sponsored Threat Actor Abuses Legitimate Services for Communications

Researchers at ESET have uncovered a previously unknown advanced persistent threat (APT) group called GopherWhisper, which has been active since at least 2023.

The Group’s Methods

The group has been linked to China and is estimated to have compromised dozens of victims, including government entities.

According to ESET, “The attackers have been using a custom-built toolkit based on the Go programming language, alongside legitimate services such as Microsoft 365 Outlook, Slack, and Discord, to facilitate command-and-control (C2) communication.”

C2 Communication Tools Used by the Attackers

  • RatGopher:

    A Go-based backdoor that utilizes a private Discord server for C2, executing commands and posting results back to a configured channel.

  • BoxOfFriends:

    A Go-based backdoor that uses Microsoft 365 Outlook via the Microsoft Graph API, creating and modifying draft emails to carry C2 communication.

  • SSLordoor:

    A C++ backdoor using OpenSSL BIO over raw sockets (port 443), capable of executing commands and performing file operations (read, write, delete, upload) and drive enumeration.

  • JabGopher:

    An injector that launches svchost.exe and injects the LaxGopher backdoor (disguised as whisper.dll) into its memory.

  • FriendDelivery:

    A malicious DLL acting as a loader and injector that executes the BoxOfFriends backdoor.

  • CompactGopher:

    A Go-based file collection tool that compresses data from the command line and exfiltrates it to the file-sharing service file.io.

Timestamp Inspection and Attribution

Timestamp inspection of the C2 communication showed that the commands were issued between 12 a.m. and 12 p.m. UTC, while Discord message history revealed commands being sent between 12 a.m. and 2 p.m. UTC.

Additionally, the researchers noted that shifting the timestamps to UTC+8, the timezone that matches the locale found in the metadata of the Slack server, concentrated the activity within the 8 a.m. to 5 p.m. working-hour interval, further attributing the attacks to China.
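The working-hours heuristic described above, as an added illustration that is not part of the ESET research or this article: constructed sample C2 command times (clustered between 00:00 and 14:00 UTC, as the report describes) are shifted across candidate UTC offsets, and the offset that places the largest share of activity inside an 8 a.m. to 5 p.m. workday is reported. The sample timestamps and the 8-to-17 window are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of C2 command times in UTC (not real telemetry);
# most fall between 00:00 and 14:00 UTC, with one outlier at 21:00.
SAMPLE_UTC = [
    "2023-05-02T00:15:00", "2023-05-02T01:40:00", "2023-05-02T02:05:00",
    "2023-05-02T03:30:00", "2023-05-02T05:10:00", "2023-05-02T06:45:00",
    "2023-05-02T07:20:00", "2023-05-02T08:55:00", "2023-05-02T10:30:00",
    "2023-05-02T11:50:00", "2023-05-02T13:25:00", "2023-05-02T21:00:00",
]


def parse_utc(stamps):
    """Parse naive ISO-8601 strings as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def working_hours_fraction(events, offset_hours, start=8, end=17):
    """Share of events whose local hour lies in [start, end) once the UTC
    times are shifted into the given UTC offset (e.g. 8 for UTC+8)."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    local_hours = [e.astimezone(tz).hour for e in events]
    hits = sum(1 for h in local_hours if start <= h < end)
    return hits / len(events)


def best_offset(events, start=8, end=17):
    """Scan UTC-12 .. UTC+14 and return (offset, fraction) for the offset
    that maximizes working-hours activity; ties prefer the offset closer
    to UTC so the result is conservative."""
    candidates = range(-12, 15)
    best = max(
        candidates,
        key=lambda o: (working_hours_fraction(events, o, start, end), -abs(o)),
    )
    return best, working_hours_fraction(events, best, start, end)


if __name__ == "__main__":
    events = parse_utc(SAMPLE_UTC)
    print("UTC+0 working-hours share:", round(working_hours_fraction(events, 0), 2))
    print("UTC+8 working-hours share:", round(working_hours_fraction(events, 8), 2))
    print("best fit:", best_offset(events))
```

On its own this heuristic only shows that the operators' schedule is consistent with a given timezone; ESET combined it with the Slack server locale rather than treating the timing alone as proof.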

Indicators of Compromise (IoCs)

ESET telemetry data suggests that GopherWhisper compromised 12 systems in a Mongolian government institution, but analysis of the Discord and Slack C2 traffic revealed that there are “dozens of other victims” whose geography and activity sectors remain unknown.

A set of GopherWhisper indicators of compromise (IoCs) is available from ESET to aid defenders in identifying and blocking attacks from the new threat cluster.
