Emergence of New China-Aligned APT Group GopherWhisper Targeting Mongolia
ESET Research has identified a previously undocumented advanced persistent threat group, which it calls GopherWhisper, that is aligned with China and has been observed targeting governmental institutions in Mongolia. The group's toolset is written primarily in Go and consists of injectors and loaders used to maintain access and to stage a variety of backdoors.
GopherWhisper is particularly notable for its use of legitimate communication platforms, including Discord, Slack, and Microsoft 365 Outlook, both for command and control and for data exfiltration. On several compromised systems ESET recovered extensive command and control traffic exchanged through these platforms, which revealed the group's operational patterns and specific tactics. Key findings include malware families named LaxGopher, RatGopher, and CompactGopher, each built for a specific function such as retrieving command messages or exfiltrating data.
The tools used by GopherWhisper have distinctive characteristics. LaxGopher communicates over Slack and runs operator commands by passing them to cmd.exe, while RatGopher performs the same role over Discord. Uploading stolen data to a public file-sharing service such as file.io lets the exfiltration blend into ordinary outbound HTTPS traffic to a trusted domain. The identified backdoors have no established links to known threat actors, suggesting that GopherWhisper operates independently with its own, diversified malware ecosystem.
Defensive Context
Organizations, particularly governmental bodies exposed to cyber espionage, should monitor for this group's tactics and techniques, especially given GopherWhisper's reliance on commonplace communication tools for its operations. Organizations outside strategic sectors, with little exposure to state-level threat actors, face lower immediate urgency in addressing this group's activity.
Why This Matters
The emergence of GopherWhisper underscores the expanding landscape of state-sponsored threats, especially those targeting governmental entities in strategically important regions. Mongolia’s geopolitical significance to China may increase the risk for its governmental institutions, making them prime targets for espionage.
Defender Considerations
Those responsible for security in exposed environments should log and monitor activity related to Slack, Discord, and Microsoft 365 applications, particularly during working hours aligned with UTC+8. Because this traffic is TLS to well-known, trusted domains, destination alone will not stand out: baseline which processes legitimately reach these platforms' APIs, then look for commands retrieved from, or data uploaded to, these platforms by processes that are not the platforms' own clients or a browser, and for uploads to public file-sharing services.
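The following is an added example of the kind of detection logic the guidance above describes, run over a handful of constructed proxy log lines; it is not ESET's tooling or part of the original article. The log format, field layout, process allowlist, the 09:00-18:00 business-day window, and the choice of API domains are all assumptions chosen for illustration; the actual endpoints the GopherWhisper tools contact are not published here.

```python
"""Flag C2-style use of collaboration platforms in outbound proxy logs.

Added example, not ESET's tooling. The log format, field names, process
allowlist, working-hour window and domain lists are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Platforms the write-up says GopherWhisper abuses for C2 (public domains, assumed).
C2_DOMAINS = {
    "slack.com": "slack",
    "discord.com": "discord",
    "discordapp.com": "discord",
    "graph.microsoft.com": "m365",
    "outlook.office365.com": "m365",
}
# Public file-sharing service named in the write-up as an exfiltration channel.
EXFIL_DOMAINS = {"file.io"}

# Processes expected to talk to each platform (assumption; baseline per environment).
EXPECTED_IMAGES = {
    "slack": {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "m365": {"outlook.exe", "teams.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
}

# Operator working hours reported in the write-up are UTC+8; 09-18 Mon-Fri is assumed.
OPERATOR_TZ = timezone(timedelta(hours=8))
WORK_START, WORK_END = 9, 18

# Constructed log format: "<iso-utc> <host> <image-path> <method> <dest-host> <bytes-out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<image>\S+) (?P<method>[A-Z]+) (?P<dest>\S+) (?P<bytes>\d+)$"
)

# Constructed sample lines: one legitimate Slack client, one unknown binary polling
# Slack then uploading 7 MB to file.io, one browser on Discord, one unknown binary
# on Discord outside the operator window.
SAMPLE_LOGS = [
    "2024-03-05T02:15:00Z WS-01 C:\\Users\\a\\AppData\\Roaming\\Slack\\slack.exe GET api.slack.com 512",
    "2024-03-05T02:16:30Z WS-01 C:\\ProgramData\\svc\\update.exe GET api.slack.com 1024",
    "2024-03-05T02:17:05Z WS-01 C:\\ProgramData\\svc\\update.exe POST file.io 7340032",
    "2024-03-05T13:40:00Z WS-02 C:\\PROGRA~1\\MOZILL~1\\firefox.exe GET discord.com 2048",
    "2024-03-05T14:05:00Z WS-02 C:\\Windows\\Temp\\winhlp.exe GET discord.com 640",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["image"] = rec["image"].rsplit("\\", 1)[-1].lower()  # basename of the image path
    rec["bytes"] = int(rec["bytes"])
    return rec


def in_operator_hours(ts):
    """True if the UTC timestamp falls in the assumed UTC+8 business-day window."""
    local = ts.astimezone(OPERATOR_TZ)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def match_domain(dest, table):
    """Return the matching entry for dest or any parent domain (api.slack.com -> slack.com)."""
    parts = dest.lower().split(".")
    for i in range(len(parts) - 1):
        cand = ".".join(parts[i:])
        if cand in table:
            return cand
    return None


def analyze(lines):
    """Return one alert per suspicious line; operator-hours is context, not a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        c2 = match_domain(rec["dest"], C2_DOMAINS)
        if c2 and rec["image"] not in EXPECTED_IMAGES[C2_DOMAINS[c2]]:
            reasons.append(f"unexpected process {rec['image']} talking to {C2_DOMAINS[c2]} API")
        if match_domain(rec["dest"], EXFIL_DOMAINS) and rec["method"] in {"POST", "PUT"}:
            reasons.append(f"upload of {rec['bytes']} bytes to file-sharing service {rec['dest']}")
        if reasons:
            alerts.append({
                "host": rec["host"], "image": rec["image"], "dest": rec["dest"],
                "reasons": reasons, "operator_hours_utc8": in_operator_hours(rec["ts"]),
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a)
```

The allowlist is the part that does the work: a browser or the platform's own client reaching api.slack.com is normal, an unsigned binary in ProgramData doing so is not. The UTC+8 flag is attached as context rather than used as a filter, since filtering on it would drop genuine alerts that happen to fall outside the operators' usual hours.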
Indicators of Compromise (IOCs)
The article does not provide concrete IOCs such as IP addresses, domains, or file hashes. Indicators are expected in ESET's forthcoming white paper, which will give a more comprehensive examination of GopherWhisper's toolset and operations.