GOFFEE continues to attack organizations in Russia

GOFFEE is a threat actor known for targeting entities in Russia through spear phishing and a range of malicious techniques, including the deployment of modified malware. The group has introduced a new implant called "PowerModul" and is shifting from PowerTaskel to a binary Mythic agent for lateral movement. Its activities span the media, telecommunications, construction, government, and energy sectors.

Affected: Russian Federation; media, telecommunications, construction, government entities, energy companies

Key points:

  • GOFFEE has been active since early 2022, exclusively targeting Russian entities.
  • The group uses spear phishing emails with malicious attachments for initial infections.
  • Introduced a new implant known as PowerModul starting in 2024.
  • Abandoning PowerTaskel in favor of a binary Mythic agent for lateral movement.
  • Targets sectors include media, telecommunications, construction, government, and energy.
  • Malicious activity observed from May 2022 to the end of 2024.

MITRE Techniques:

  • T1193 – Spear Phishing Link: Use of spear phishing emails to deliver malicious payloads.
  • T1203 – Exploitation for Client Execution: Deployment of malicious Office documents with macros as dropper files.
  • T1059.001 – PowerShell: Utilization of PowerShell scripts for executing commands and launching further exploitation.
  • T1027 – Obfuscated Files or Information: Use of obfuscation techniques in PowerModul’s encoding and communication with C2 servers.
  • T1070 – Indicator Removal on Host: Deleting or hiding files to obscure malicious activities.
  • T1047 – Windows Management Instrumentation: Use of WMI for lateral movement and executing scripts on target systems.

Indicators of Compromise:

  • [MD5] 60A53D2C653991F086C4E6663D652CF2
  • [SHA1] 636814C31B78DD291049029A655238D7ADAFF041
  • [SHA256] BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD
  • [IP Address] 62.113.114.117
  • [URL] hxxp://62.113.114[.]117/api/texts/{computer_name}_{username}_{serial_number}
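As an added defensive example (not code from the Securelist report or from this summary), the Python below refangs the check-in URL listed above, turns its `{placeholders}` into named regex groups, and runs the resulting pattern over constructed proxy log lines to flag internal hosts beaconing to the C2. The log layout and the sample hosts, users and serials are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Check-in URL as listed on the page, kept in its defanged form.
C2_URL_DEFANGED = "hxxp://62.113.114[.]117/api/texts/{computer_name}_{username}_{serial_number}"

# Constructed sample proxy log lines (not from the report): "timestamp src_ip method url status".
SAMPLE_PROXY_LOG = """\
2024-06-03T09:12:44Z 10.0.5.23 GET http://62.113.114.117/api/texts/WS-FIN-07_jdoe_7F3A9C status=200
2024-06-03T09:12:51Z 10.0.5.23 GET https://www.example.com/index.html status=200
2024-06-03T09:13:02Z 10.0.7.41 POST http://62.113.114.117/api/texts/DC01_svc-backup_1A2B3C status=200
2024-06-03T09:13:10Z 10.0.5.99 GET http://62.113.114.118/api/texts/WS-01_bob_AAAA status=404
"""

def refang(ioc: str) -> str:
    """Turn the defanged hxxp://a.b.c[.]d form back into a real URL for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def build_beacon_regex(defanged_url: str) -> re.Pattern:
    """Compile a regex for the check-in URL. Each {placeholder} in the indicator
    becomes a named group, so a hit also yields the host/user the beacon reported."""
    host, path = refang(defanged_url).split("://", 1)[1].split("/", 1)
    escaped = re.escape("/" + path)                     # literal path; {..} becomes \{..\}
    groups = re.sub(r"\\\{(\w+)\\\}", r"(?P<\1>[^_/\\s]+)", escaped)
    return re.compile(rf"https?://{re.escape(host)}{groups}")

BEACON_RE = build_beacon_regex(C2_URL_DEFANGED)

@dataclass
class Hit:
    src_ip: str
    computer_name: str
    username: str
    serial_number: str

def scan_proxy_log(log_text: str) -> List[Hit]:
    """Return one Hit per log line whose URL matches the beacon pattern."""
    hits = []
    for line in log_text.splitlines():
        m = BEACON_RE.search(line)
        if m:  # second whitespace-separated field is the internal source IP
            hits.append(Hit(line.split()[1], m["computer_name"], m["username"], m["serial_number"]))
    return hits

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{h.src_ip} beaconed as {h.computer_name}\\{h.username} (serial {h.serial_number})")
```

The fourth sample line targets a neighbouring address and is deliberately not matched, since the host part of the pattern is escaped literally.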


Full Story: https://securelist.com/goffee-apt-new-attacks/116139/