Deep Instinct's Threat Research team uncovered Arid Gopher, a new Micropsia variant written in Go and attributed to APT-C-23 (Arid Viper), together with previously unseen second-stage payloads. The discovery highlights Arid Viper's adoption of Go-based malware and its evolving second-stage components and C2 infrastructure.
hashtags: #AridGopher #Micropsia #APTC23 #AridViper #GraceFraser #Hamas
Keypoints
- New Go-based variant of Micropsia, named Arid Gopher, discovered by Deep Instinct researchers.
- Attribution to APT-C-23 (Arid Viper), with evidence of a Go-based implementation and re-use of Go code across samples.
- Variants V1 and V2 employ social-engineering decoys and long filenames with Word/PDF icons to lure victims.
- Second-stage payloads and a “helper” malware are downloaded from C2s and executed, expanding the infection chain.
- C2 domains include grace-fraser.site (V1), pam-beesly.site (V2), and mozelllittel.com (second stage).
- Persistence via a LNK file in the Startup folder, a mutex to ensure a single running instance, and WMI-based antivirus checks; data exfiltration and C2 communication over HTTP with a custom User-Agent.
- Variants evolve with different decoy content and architectures, including V2’s use of Laravel-based C2 and multiple libraries.
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys/Startup Folder – The malware creates a LNK file and copies it to the startup folder for persistence using the name of the malware executable. “The malware creates a LNK file and copies it to the startup folder for persistence using the name of the malware executable.”
- [T1113] Screen Capture – The malware takes a screenshot and saves it as a PNG file to the startup folder to exfiltrate or monitor activity. “The malware takes a screenshot and saves it as a PNG file to the same folder mentioned above.”
- [T1082] System Information Discovery – OS version and computer information are retrieved (e.g., returning strings like “Microsoft Windows [version 6.1.7601]”). “the function … returns a string such as ‘Microsoft Windows [version 6.1.7601]’”
- [T1047] Windows Management Instrumentation – Discovery of antivirus products via WMI to decide next steps. “The malware checks for installed Antivirus products by running the following command: cmd /c WMIC /Node:localhost /Namespace:root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List”
- [T1027] Obfuscated/Compressed Files and Information – Data is encoded/packaged (e.g., base64 blobs) before transmission. “the malware writes a base64 blob containing…”
- [T1071.001] Web Protocols – C2 communications over web protocols using domains (grace-fraser.site, pam-beesly.site) and a Laravel-based C2. “This variant is using the domain ‘grace-fraser.site’ as a C2. The C2 is using the ‘Laravel’ framework.”
- [T1105] Ingress Tool Transfer – The malware downloads and executes a second-stage payload from the C2 server. “downloads additional payload from the C2 server from the following URL: ‘http[:]//pam-beesly.site/…/download_app/download-by-name/SystemNetworkEventsNotification’.”
- [T1071.001] Web Protocols (C2) – The main GET/POST based C2 communications loop. “The loop which sends GET requests to the C2.”
- [T1036] Masquerading – The file uses a Word document icon and a long file name to resemble legitimate documents. “masquerading techniques: First, it uses the Microsoft Word Office document icon. Second, it uses a very long file name (see image below), preventing the user from seeing the ‘.exe’ file extension.”
- [T1056.001] Input Capture – Not actually observed in this sample; listed only as a related behavior for completeness alongside the decoy documents shown to the victim. “The decoy document contains sections from an academic publication…”
Indicators of Compromise
- [SHA256] Archive containing AridGopher V1: f01c07f88071c8f71514db19f68c966f17ac8af0d3288913141714037352c99c, 99544057a5215e756b67aa47815e27dc157eb850792e5eacda6796922bb9a50b, and 5 more hashes
- [SHA256] Archive containing AridGopher V2 (PDF): 42492efa48785ca118d4b05f28570e7b6be4677a962cb7825a859ad5e3045710, 5588f6fab387133c21b06f6248259c64260435898edd61866fad50312c2d3b25, etc.
- [Domain] grace-fraser.site – AridGopher V1 C2; [Domain] pam-beesly.site – AridGopher V2 C2; [Domain] mozelllittel.com – 2nd stage C2
- [Mutex] ABCMedia, SoftTookkitPSA – mutexes used for single-instance protection
- [User-Agent] aimxxhwpcc – used in C2 communications
- [File path] C:\ProgramData\NotificationControllerPSK – persistence/storage path; [File path] C:\ProgramData\NotificationControllerPSK\MSAProfileNotificationHandler.txt – data exfil/handler
- [File path] C:\ProgramData\NotificationControllerPS – persistence/stage data
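The behaviours in the MITRE list and the indicators above can be turned into a single host/network detection routine. The following is an added example written for this summary, not code from the Deep Instinct post or from the malware itself. It scans constructed, Sysmon-style log records (the field names `event`, `image`, `command_line`, `path`, `host`, `query`, `user_agent`, `name` and the sample records are assumptions for this example) and returns the technique or IoC label each record triggers. The 60-character / 10-space thresholds used for the padded-filename masquerade check are also an assumption, and the ProgramData prefix matches both the PS and PSK directories listed above.

```python
import re
from typing import Dict, List, Tuple

# --- indicators and behaviours taken from the summary above -----------------
C2_DOMAINS = {"grace-fraser.site", "pam-beesly.site", "mozelllittel.com"}
C2_USER_AGENT = "aimxxhwpcc"
MUTEXES = {"ABCMedia", "SoftTookkitPSA"}
# Both observed working directories (PS and PSK) start with this prefix.
PROGRAMDATA_PREFIX = r"c:\programdata\notificationcontrollerps"

# WMIC query of the SecurityCenter2 namespace for installed AV (T1047).
WMIC_AV_RE = re.compile(r"wmic\b.*securitycenter2.*antivirusproduct", re.I)
# A .lnk written into any user's Startup folder (T1547.001).
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# Assumption for this example: a stem of 60+ characters, or a run of 10+
# spaces, is treated as a name padded to push ".exe" out of view (T1036).
LONG_STEM = 60
SPACE_RUN_RE = re.compile(r"\s{10,}")


def _basename(win_path: str) -> str:
    """Last component of a Windows path (os.path.basename splits on '/' on POSIX)."""
    return win_path.rsplit("\\", 1)[-1]


def _matches_c2_domain(host: str) -> bool:
    """Exact or subdomain match against the known C2 domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique/IoC labels that a single log record triggers."""
    hits: List[str] = []
    kind = event.get("event", "")

    if kind == "process_create":
        name = _basename(event.get("image", ""))
        stem = name[:-4] if name.lower().endswith(".exe") else ""
        if stem and (len(stem) >= LONG_STEM or SPACE_RUN_RE.search(stem)):
            hits.append("T1036 masquerading: padded executable name")
        if WMIC_AV_RE.search(event.get("command_line", "")):
            hits.append("T1047 WMI antivirus discovery")

    elif kind == "file_create":
        path = event.get("path", "")
        if STARTUP_LNK_RE.search(path):
            hits.append("T1547.001 LNK in Startup folder")
        if path.lower().startswith(PROGRAMDATA_PREFIX):
            hits.append("IoC: Arid Gopher working directory under ProgramData")

    elif kind in ("dns_query", "http_request"):
        host = event.get("host") or event.get("query") or ""
        if _matches_c2_domain(host):
            hits.append(f"T1071.001 contact with known C2 domain {host.lower()}")
        if event.get("user_agent") == C2_USER_AGENT:
            hits.append("IoC: custom User-Agent aimxxhwpcc")

    elif kind == "mutex_create" and event.get("name") in MUTEXES:
        hits.append(f"IoC: single-instance mutex {event['name']}")

    return hits


def scan(events) -> List[Tuple[str, str]]:
    """Run classify() over a log and return (event id, finding) pairs."""
    return [(e["id"], h) for e in events for h in classify(e)]


# Constructed sample log (not real telemetry); Windows paths are escaped.
SAMPLE_EVENTS = [
    {"id": "e1", "event": "process_create",
     "image": "C:\\Users\\u\\Downloads\\Research paper on regional policy"
              + " " * 40 + ".exe",
     "command_line": "\"Research paper on regional policy.exe\""},
    {"id": "e2", "event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd /c WMIC /Node:localhost /Namespace:root\\SecurityCenter2 "
                     "Path AntiVirusProduct Get displayName /Format:List"},
    {"id": "e3", "event": "file_create",
     "path": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
             "\\Programs\\Startup\\ResearchPaper.lnk"},
    {"id": "e4", "event": "file_create",
     "path": "C:\\ProgramData\\NotificationControllerPSK\\MSAProfileNotificationHandler.txt"},
    {"id": "e5", "event": "dns_query", "query": "pam-beesly.site"},
    {"id": "e6", "event": "http_request", "host": "mozelllittel.com", "user_agent": "aimxxhwpcc"},
    {"id": "e7", "event": "mutex_create", "name": "ABCMedia"},
    {"id": "e8", "event": "http_request", "host": "example.com", "user_agent": "Mozilla/5.0"},
    {"id": "e9", "event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

The domain, User-Agent and mutex checks are exact-match IoCs and will go stale as the infrastructure rotates; the WMIC SecurityCenter2 query, the Startup-folder LNK write and the padded `.exe` name are behavioural and survive a change of C2, so they are the rules worth keeping in a detection set after the listed domains are retired.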
Read more: https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant