Summary: The APT group GOFFEE has evolved its tactics to launch targeted cyberattacks against various strategic sectors in Russia, employing new tools such as PowerModul and sophisticated spear-phishing techniques. Their method includes leveraging malicious instances of “explorer.exe” and advanced malware like FlashFileGrabber to steal data from removable media. Kaspersky Labs highlights a shift in GOFFEE’s methodology, indicating a preference for binary Mythic agents over PowerShell-based tools for network infiltration.
Affected: Russian organizations in media, telecommunications, construction, government, and energy sectors
Key points:
- GOFFEE has transitioned from using modified Owowa to deploying patched explorer.exe through spear phishing.
- The group has developed PowerModul, a PowerShell implant designed for stealthy malware execution.
- FlashFileGrabber, a tool designed to steal files from removable media, has been identified in two variants targeting over 40 file types.
- The Mythic agent used by GOFFEE is capable of privilege escalation and lateral movement within networks.
- Kaspersky attributes these activities to GOFFEE with high confidence due to consistent malware signatures and targeted victimology.