GopherWhisper: A burrow full of malware
ESET Research uncovered a China-aligned APT group named GopherWhisper that targeted a Mongolian governmental entity and deployed a diverse Go-centric toolset including LaxGopher, RatGopher, BoxOfFriends, JabGopher, CompactGopher, FriendDelivery, and SSLORDoor. The group abused legitimate services (Discord, Slack, Microsoft 365 Outlook, file.io) for C2 and exfiltration, and ESET extracted thousands of Slack and Discord messages and draft Outlook emails to analyze the group’s operations. #GopherWhisper #Mongolia

Keypoints

  • ESET Research discovered a previously undocumented China-aligned APT named GopherWhisper that targeted a governmental entity in Mongolia.
  • GopherWhisper’s arsenal is heavily Go-based and includes LaxGopher, RatGopher, BoxOfFriends, CompactGopher, JabGopher (injector), FriendDelivery (loader), and the C++ backdoor SSLORDoor.
  • The group leverages legitimate platforms—Slack, Discord, Microsoft 365 Outlook (Microsoft Graph API), and file.io—for command-and-control and data exfiltration.
  • ESET recovered thousands of Slack and Discord messages and several draft Outlook emails, providing insight into operator activity, testing, and post-compromise tasks.
  • LaxGopher and RatGopher retrieve C2 from private Slack and Discord channels respectively and execute commands (including via cmd.exe) and publish results back to those channels.
  • CompactGopher is used for rapid file collection and automated exfiltration to file.io, while SSLORDoor supports raw-socket communication over port 443 and file enumeration/manipulation.

MITRE Techniques

  • [T1055] Process Injection – JabGopher creates a new instance of svchost.exe and injects LaxGopher into the svchost.exe process memory; quote: ‘JabGopher: an injector that executes the LaxGopher backdoor disguised as whisper.dll. It creates a new instance of svchost.exe and injects LaxGopher into the svchost.exe process memory.’
  • [T1574.001] DLL Side-Loading – The group used a side-loaded component named whisper.dll as part of execution; quote: ‘we chose to name it GopherWhisper due to the majority of the group’s tools being written in the Go programming language… and based on the filename whisper.dll, a malicious component that is side-loaded.’
  • [T1071.001] Application Layer Protocol (Web Protocols) – Discord, Slack, and file.io were abused for C2 and exfiltration over application-layer web protocols; quote: ‘GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command and control (C&C) communication and exfiltration.’
  • [T1071.003] Application Layer Protocol (Mail Protocols) – BoxOfFriends uses Microsoft 365 Outlook via the Microsoft Graph mail REST API to create and modify draft messages for C2; quote: ‘BoxOfFriends: a Go-based backdoor that makes use of the Microsoft 365 Outlook mail REST API from Microsoft Graph to create and modify draft email messages for its C&C communications.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – LaxGopher executes system commands via cmd.exe and returns results to Slack; quote: ‘It executes commands via cmd.exe and publishes the results back to the Slack channel configured in the code.’
  • [T1083] File and Directory Discovery – Operators used LaxGopher C2 to request disk and file enumeration on compromised hosts; quote: ‘LaxGopher C&C communications were mainly used to send commands for disk and file enumeration.’
  • [T1005] Data from Local System – SSLORDoor and other backdoors perform local file operations (open/read/write/delete/upload) to collect data for exfiltration; quote: ‘It can enumerate drives, and run commands based on C&C input, mainly related to opening, reading, writing, deleting, and uploading files.’
  • [T1567] Exfiltration Over Web Service – CompactGopher compresses files and automatically exfiltrates them to the file.io file sharing service; quote: ‘CompactGopher: … automatically exfiltrate them to the file.io file sharing service.’
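The techniques above share a detectable pattern on the host: a system process (the injected svchost.exe) or some other non-client binary talking to Slack, Discord, Microsoft Graph, or file.io, a svchost.exe spawned by something other than services.exe, and a load of the side-loaded whisper.dll. The following is an added detection example, not code from ESET or from the report; it runs a small rule set over constructed EDR-style telemetry lines. The pipe-separated event format, the process names, and the set of expected svchost.exe parents are assumptions made for the example; the service domains, DLL name, and technique IDs come from the summary above.

```python
"""Added example: flag GopherWhisper-style host behaviour in constructed telemetry.

Not ESET's code. The telemetry format (event=...|proc=...|pid=...) and the
process allow-lists are assumptions for the example; the abused service
domains, whisper.dll and the ATT&CK IDs are taken from the report summary.
"""
import re
from dataclasses import dataclass

# Legitimate services the report says were abused, mapped to the technique
# ID the summary assigns and a short label naming the tool involved.
ABUSED_SERVICE_HOSTS = {
    "slack.com": ("T1071.001", "LaxGopher Slack C2"),
    "discord.com": ("T1071.001", "RatGopher Discord C2"),
    "graph.microsoft.com": ("T1071.003", "BoxOfFriends draft-email C2 via Microsoft Graph"),
    "file.io": ("T1567", "CompactGopher exfiltration"),
}
# Processes from which traffic to these services is expected (assumed list):
# browsers and the official desktop clients. Anything else is suspicious.
ALLOWED_CLIENT_PROCESSES = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "slack.exe", "discord.exe", "outlook.exe", "teams.exe",
}
# On a normal Windows host svchost.exe is started by services.exe; JabGopher
# spawns its own instance to inject into, so any other parent is worth a look.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}
# Side-loaded component named in the report.
SIDELOADED_DLL_NAMES = {"whisper.dll"}


@dataclass(frozen=True)
class Alert:
    pid: int
    technique: str
    reason: str


def parse_event(line: str) -> dict:
    """Split 'key=value|key=value' into a dict (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def matching_service(host: str):
    """Return (technique, label) if host is one of the abused domains or a subdomain."""
    host = host.lower().rstrip(".")
    for domain, info in ABUSED_SERVICE_HOSTS.items():
        if host == domain or host.endswith("." + domain):
            return info
    return None


def analyze(lines) -> list:
    """Run the three rules over telemetry lines and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        proc = ev.get("proc", "").lower()
        pid = int(ev.get("pid", "0"))
        if kind == "net_connect":
            info = matching_service(ev.get("dest", ""))
            if info and proc not in ALLOWED_CLIENT_PROCESSES:
                technique, label = info
                alerts.append(Alert(pid, technique, f"{proc} -> {ev['dest']} ({label})"))
        elif kind == "proc_create" and proc == "svchost.exe":
            parent = ev.get("parent", "").lower()
            if parent not in EXPECTED_SVCHOST_PARENTS:
                alerts.append(Alert(pid, "T1055", f"svchost.exe spawned by {parent}"))
        elif kind == "image_load":
            image = ev.get("image", "")
            name = re.split(r"[\\/]", image)[-1].lower()
            if name in SIDELOADED_DLL_NAMES:
                alerts.append(Alert(pid, "T1574.001", f"{proc} loaded {image}"))
    return alerts


# Constructed sample telemetry: two benign lines followed by the chain the
# report describes (DLL load, svchost.exe spawn, C2 and exfiltration traffic).
SAMPLE_TELEMETRY = [
    "event=net_connect|proc=chrome.exe|pid=1200|dest=app.slack.com|port=443",
    "event=proc_create|proc=svchost.exe|pid=2048|parent=services.exe",
    "event=image_load|proc=rundll32.exe|pid=5120|image=C:\\Users\\Public\\whisper.dll",
    "event=proc_create|proc=svchost.exe|pid=4321|parent=rundll32.exe",
    "event=net_connect|proc=svchost.exe|pid=4321|dest=slack.com|port=443",
    "event=net_connect|proc=svchost.exe|pid=4321|dest=graph.microsoft.com|port=443",
    "event=net_connect|proc=updater.exe|pid=7777|dest=file.io|port=443",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_TELEMETRY):
        print(f"pid={alert.pid} [{alert.technique}] {alert.reason}")
```

The domain match is suffix-based with a dot boundary, so `api.slack.com` matches while `notslack.com` does not; the allow-list keeps ordinary browser and client traffic to these services out of the alert stream, which is what makes the rule usable on a real network where Slack and Outlook are in legitimate use.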

Indicators of Compromise

  • [Email Address] BoxOfFriends C2/account – barrantaya.1010@outlook[.]com (Microsoft Outlook account linked to BoxOfFriends; account created July 11, 2024)
  • [File Name] malicious components/loaders – whisper.dll (LaxGopher side-loaded component), FriendDelivery DLL (loader used to execute BoxOfFriends)
  • [Service / Domain] exfiltration and C2 platforms – file.io (used by CompactGopher for exfiltration), Microsoft 365 Outlook/Microsoft Graph (used by BoxOfFriends for draft-email C2)
  • [Slack/Discord Channels & Messages] attacker-operated C2 channels and extracted logs – thousands of Slack and Discord messages and C2 channel logs recovered (used for backdoor testing and live C2)

Read more: https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/