GopherWhisper APT Group Exposed: Using Slack and Discord for Command and Control Traffic
The GopherWhisper APT Group Hides Command and Control Traffic in Commercial Collaboration Platforms
Researchers have uncovered a sophisticated threat group, dubbed GopherWhisper, that operates in China and abuses everyday collaboration platforms to hide command-and-control (C2) traffic inside normal enterprise network noise.
According to ESET, the group’s toolkit consists mainly of components written in Go, including custom loaders, injectors, and backdoors, which communicate with each other through various legitimate services.
- GopherWhisper employs Slack workspaces, Discord servers, and Outlook drafts to mask C2 traffic.
- The group’s tools are written in Go and communicate with each other through legitimate services.
- Researchers have attributed the group to a China-aligned APT entity based on timezone settings, user locale, and other metadata.
- The group’s backdoors receive instructions from private Slack workspaces and return results to the same channel.
- One of the backdoors, LaxGopher, receives instructions from a private Slack workspace and returns results to the same channel.
- Another backdoor, BoxOfFriends, uses the Microsoft Graph API to exchange commands through Outlook draft messages.
- The group’s reliance on commercial platforms for C2 communication highlights the need for organizations to reassess their security posture.
- ESET has published indicators of compromise in its GitHub repository, providing defenders with a valuable resource to detect and mitigate potential threats.
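One practical way to hunt for this kind of C2 on a web proxy is to flag requests to the collaboration-platform APIs named above that come from a non-browser HTTP client. The following is an added example, not code from ESET or the report; it assumes, which the report does not state, that the Go-based tooling keeps Go's default `Go-http-client` User-Agent, and it runs over a few constructed proxy log lines in a made-up format.

```python
import re
from dataclasses import dataclass

# API hosts of the platforms the report names. The Graph path is the real
# Microsoft Graph endpoint for a mailbox's Drafts folder (used by BoxOfFriends).
WATCHED = {
    "slack.com": ("/api/",),
    "discord.com": ("/api/",),
    "graph.microsoft.com": ("/v1.0/me/mailfolders/drafts", "/v1.0/me/messages"),
}

# Default User-Agent of Go's net/http client. Assumption: the tooling never overrides it.
SUSPECT_UA = re.compile(r"^Go-http-client/\d")

# Constructed log format: "<ts> <src-ip> <method> <url> <status> \"<user-agent>\""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/ ]+)(?P<path>\S*) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    ts: str
    src: str
    host: str
    path: str
    reason: str

def inspect_line(line):
    """Return a Hit when a watched API is reached by the Go default client, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than crash the sweep
    host, path = m["host"].lower(), m["path"].lower()
    if host not in WATCHED or not path.startswith(WATCHED[host]):
        return None
    if SUSPECT_UA.match(m["ua"]):
        return Hit(m["ts"], m["src"], host, m["path"], "Go default User-Agent to collaboration API")
    return None

def scan(lines):
    return [h for h in map(inspect_line, lines) if h]

# Constructed sample: two legitimate client sessions and two suspicious beacons.
SAMPLE = """\
2024-05-01T09:00:01Z 10.1.2.3 GET https://slack.com/api/conversations.history 200 "Mozilla/5.0 (Windows NT 10.0) Slack/4.36"
2024-05-01T09:00:05Z 10.1.2.3 GET https://slack.com/api/conversations.history 200 "Go-http-client/1.1"
2024-05-01T09:01:10Z 10.1.2.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages 200 "Go-http-client/1.1"
2024-05-01T09:02:00Z 10.1.2.9 GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages 200 "Outlook-iOS/2.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A User-Agent match is only a triage signal; corroborate hits with the originating process on the endpoint and with the ESET indicators before treating them as confirmed.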
The GopherWhisper APT group’s tactics continue to evolve, making it essential for organizations to stay vigilant and adapt their security measures accordingly.
