Threat Research

GO Stealer Malware Targeting Indian Air Force – Cyber Espionage Campaign

In the ever-evolving landscape of cyber threats, a recent incident caught the attention of security experts and government agencies alike. Unidentified cyber attackers attempted to breach the internal computer systems of the Indian Air Force (IAF), aiming to steal sensitive data. The attack leveraged a variant of the Go Stealer malware, which was developed using Google’s open-source programming language Go (Golang).

This post covers the details of the cyber-espionage attempt, analyzes the attack vector, and discusses the implications for national security.

Background and Origin:

  • Go Stealer is an information-stealing malware family that specifically targets web browsers, namely Firefox and Google Chrome.
  • It is written in Go (Golang), the open-source programming language created by Google.

Attack Vector and Bait:

  • The threat actors exploited interest among IAF personnel in the Su-30 MKI multirole fighter jets, which the Indian government had ordered in September of the previous year.
  • They delivered a remotely controlled trojan as a malicious payload disguised as a ZIP archive titled “SU-30_Aircraft_Procurement.”
  • The ZIP file was hosted on an anonymous cloud storage service.

Infection Sequence:

  • When a recipient downloaded and extracted the ZIP archive, several files were revealed.
  • Among them was a seemingly innocuous PDF titled ‘Sample’. This PDF was a decoy.
  • While the recipient looked at the decoy, the malicious program ran in the background and harvested stored login credentials.
  • The stolen credentials were exfiltrated through Slack, a team communication platform widely used in organizations, which lets the upload traffic blend in with legitimate use.

Technical Details:

  • The infection sequence progressed from the ZIP file to an ISO file (a disk image containing an exact copy of an optical disk).
  • A .lnk file (a Windows shortcut) inside the ISO launched the payload.
  • Ultimately, the stealer malware ran and captured credentials and cookies.
  • Go has become a favored choice for malware authors because it produces self-contained, cross-platform binaries, and a large ecosystem of packages (here, a Slack client, a psutil port, and red-team tooling) can be pulled in with little effort.
  • Go Stealer’s developers describe it as a “cookie & logins stealer for Firefox + Chrome.”
  • As the analysis below shows, the sample carries more than browser theft: it also unhooks DLLs to evade userland hooks and exfiltrates through Slack, which makes it a more capable threat than its description suggests.


The threat actor paired the malware with a decoy PDF designed to look innocuous: it masqueraded as an official invitation letter purportedly sent by the Indian Air Force (IAF).

The choice of a decoy PDF was strategic, as it is a file format recipients expect to receive in official communications.

The decoy PDF was not delivered directly. Instead, it was packaged inside an ISO file. An ISO file is a disk image, an exact copy of an optical disk (such as a CD or DVD), and modern Windows mounts one as a virtual drive on double-click.

The ISO acted as a container for the malware and added a layer of obfuscation: recipients see a harmless-looking disk image rather than an executable. ISO containers also have a history of weakening Mark-of-the-Web protections. Until a Windows update in November 2022, files inside a mounted ISO did not inherit the web-origin mark from the downloaded image, so SmartScreen and similar warnings were not triggered, which is one reason the format became popular with loaders.

Inside the ISO, alongside the decoy PDF, sat the actual malware: an executable that, once running, carries out the credential theft described below.

Mounting or extracting the ISO exposes the malware to the user, but it does not run by itself. Its purpose, once launched, is to infiltrate the victim’s computer, gather sensitive information, and compromise security.

To get that launch, the threat actor included a shortcut file (an LNK file) within the ISO package.

LNK files are normally used to create convenient shortcuts to programs or files. Here the LNK file was crafted to look harmless while pointing at the malware.

When recipients activated the LNK file (for instance, by clicking on it), they triggered execution of the malware.

The combination of the decoy PDF, ISO file, and LNK file created a multi-layered attack vector, making detection and prevention more challenging.
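The LNK step is the one point in this chain where a defender can cheaply triage the lure before it runs. The parser below is an added example, not code from the original post or from the malware: it reads the StringData section of a Windows shortcut (the MS-SHLLINK format) and flags shortcuts whose target or arguments invoke a shell or script host, which is how an ISO-delivered LNK typically launches a payload sitting beside a decoy PDF. The buildLnk helper and the paths and file names it uses are constructed for the example; the campaign’s actual shortcut contents are not given on this page.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"regexp"
	"unicode/utf16"
)

// LinkFlags bits from the MS-SHLLINK ShellLinkHeader (offset 0x14), lowest bit first,
// plus the fixed header length.
const (
	hasLinkTargetIDList, hasLinkInfo, hasName, hasRelativePath = 1 << 0, 1 << 1, 1 << 2, 1 << 3
	hasWorkingDir, hasArguments, hasIconLocation, isUnicode    = 1 << 4, 1 << 5, 1 << 6, 1 << 7
	headerSize                                                 = 0x4C
)

// LnkInfo holds the StringData fields, in file order, that matter for triage.
type LnkInfo struct {
	Name, RelativePath, WorkingDir, Arguments, IconLocation string
}

// ParseLnk decodes the StringData section of a .lnk blob. The optional ID list and
// LinkInfo blocks are skipped via their own length prefixes, and every read is
// bounds-checked so a truncated or hostile file returns an error rather than panicking.
func ParseLnk(b []byte) (info *LnkInfo, err error) {
	if len(b) < headerSize || binary.LittleEndian.Uint32(b) != headerSize {
		return nil, fmt.Errorf("not a shell link: bad HeaderSize")
	}
	flags := binary.LittleEndian.Uint32(b[0x14:])
	pos := headerSize
	if flags&hasLinkTargetIDList != 0 { // uint16 IDListSize, not counting itself
		if pos+2 > len(b) {
			return nil, fmt.Errorf("truncated LinkTargetIDList")
		}
		pos += 2 + int(binary.LittleEndian.Uint16(b[pos:]))
	}
	if flags&hasLinkInfo != 0 { // uint32 LinkInfoSize, counting itself
		if pos+4 > len(b) {
			return nil, fmt.Errorf("truncated LinkInfo")
		}
		pos += int(binary.LittleEndian.Uint32(b[pos:]))
	}
	// Each StringData item is a uint16 character count followed by UTF-16LE
	// (IsUnicode set) or ANSI characters.
	readString := func() (string, error) {
		if pos+2 > len(b) {
			return "", fmt.Errorf("truncated StringData at offset %d", pos)
		}
		n, width := int(binary.LittleEndian.Uint16(b[pos:])), 1
		if flags&isUnicode != 0 {
			width = 2
		}
		pos += 2
		if pos+n*width > len(b) {
			return "", fmt.Errorf("truncated string at offset %d", pos)
		}
		raw := b[pos : pos+n*width]
		pos += n * width
		if width == 1 {
			return string(raw), nil
		}
		u := make([]uint16, n)
		for i := range u {
			u[i] = binary.LittleEndian.Uint16(raw[2*i:])
		}
		return string(utf16.Decode(u)), nil
	}
	// The five StringData flags are consecutive bits starting at HasName, in file order.
	info = &LnkInfo{}
	for i, dst := range []*string{&info.Name, &info.RelativePath, &info.WorkingDir, &info.Arguments, &info.IconLocation} {
		if flags&(hasName<<i) == 0 {
			continue
		}
		if *dst, err = readString(); err != nil {
			return nil, err
		}
	}
	return info, nil
}

var lolbin = regexp.MustCompile(`(?i)cmd\.exe|powershell|rundll32|mshta|wscript|cscript`)

// Suspicious reports whether the shortcut's target or arguments invoke a shell or
// script host, the usual way an ISO-delivered LNK launches a payload that sits next
// to a decoy document.
func Suspicious(i *LnkInfo) bool { return lolbin.MatchString(i.RelativePath + " " + i.Arguments) }

// buildLnk assembles a minimal Unicode shortcut so the example runs without a real
// sample. Its paths and file names are constructed for this example, not taken from
// the campaign.
func buildLnk(relPath, args string) []byte {
	out := make([]byte, headerSize)
	binary.LittleEndian.PutUint32(out, headerSize)
	binary.LittleEndian.PutUint32(out[0x14:], hasRelativePath|hasArguments|isUnicode)
	for _, s := range []string{relPath, args} {
		u := utf16.Encode([]rune(s))
		for _, c := range append([]uint16{uint16(len(u))}, u...) {
			out = append(out, byte(c), byte(c>>8))
		}
	}
	return out
}

func main() {
	info, err := ParseLnk(buildLnk(`..\..\..\Windows\System32\cmd.exe`, `/c start Sample.pdf && start payload.exe`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("target=%q args=%q suspicious=%v\n", info.RelativePath, info.Arguments, Suspicious(info))
}
```

Run it against every .lnk found on a mounted or extracted ISO; a shortcut that launches cmd.exe or a script host and references a file in the same directory is the pattern to quarantine. The parser deliberately does not follow the LinkTargetIDList, so it cannot be tricked by a shortcut that hides its real target only there; treat a shortcut with no RelativePath and no Arguments as worth a manual look rather than as clean.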


Examining the function graph of this binary, one function stands out. Let’s look at the Create_tempfile operations in detail to establish what the function does and what it returns.


The function begins by creating or locating a temporary directory. It then creates a text file named vujdkda.txt in that directory and returns information about the file. Because the name is fixed, its presence in a user’s temp directory is a simple host-based indicator worth hunting for.


The next function of interest is named ‘unhook_dll’. Let’s dissect it to see what it does and what it returns.


In this function, the names of the dynamic link libraries ntdll.dll, kernel32.dll, and kernelbase.dll are collected into a slice. That slice is then passed to a function named FullUnhook.

Following FullUnhook into github_com_timwhitez_Doge_Gabh_pkg_Gabh_FullUnhook shows that it takes the DLL slice as its argument. A search on GitHub leads to the Doge-Gabh repository, a collection of red-team technique proofs of concept. The code in question implements DLL unhooking to circumvent userland API hooking: in general, the technique reads a clean copy of each DLL from disk and overwrites the hooked code in the process’s own memory, removing the inline hooks that EDR and other security products place in user mode. The primary purpose of this function is therefore to strip userland hooks from those three DLLs before the stealer touches the browser stores. That behaviour is itself detectable: a process that reads ntdll.dll, kernel32.dll and kernelbase.dll from System32 and then writes to executable memory in its own image is doing something no legitimate stealer-sized application needs to do.


The ‘firefox_stealer’ function is the Firefox credential-theft component. It extracts and decrypts the credentials stored by the browser and hands them to the exfiltration code, which in this sample uploads them to Slack as described below. The same component is what a cyber-espionage campaign reuses for identity theft or lateral access.


The FireFoxStealCookies function targets Firefox’s cookie store. It enumerates the profiles folder by resolving the APPDATA environment variable to locate the Firefox profile path, then extracts cookies from the SQLite database (cookies.sqlite) in each profile directory.


The Firefox_cookiestealer function is responsible for recovering saved passwords. Its LoadLoginsData helper reads Firefox’s logins.json and converts the JSON into a slice of login records using Go’s json.Unmarshal.


For the decryption itself, the code uses 3DES (Triple DES) in CBC mode, taking the key, an initialization vector (IV), and the ciphertext as inputs and returning the plaintext, which yields the cleartext username and password. This matches how Firefox’s NSS library protects logins.json entries: each encrypted field is a base64-encoded DER blob carrying the IV and the 3DES-CBC ciphertext, decryptable with the master key kept in the profile’s key4.db.
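To make the two steps above concrete (LoadLoginsData’s JSON parsing and the 3DES decryption), here is an added example in Go; it is not the stealer’s code and not part of the original post. It unmarshals a logins.json, decodes the base64/DER wrapper NSS puts around each field, checks the algorithm OID, decrypts with 3DES-CBC and validates the PKCS#7 padding so a wrong key fails loudly instead of producing plausible garbage. The 24-byte master key is assumed to have been recovered from key4.db already; the sample key, IV and login entry are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Login mirrors the logins.json fields used here; the real file carries more metadata.
type Login struct {
	Hostname          string `json:"hostname"`
	EncryptedUsername string `json:"encryptedUsername"`
	EncryptedPassword string `json:"encryptedPassword"`
}

type loginsFile struct {
	Logins []Login `json:"logins"`
}

// nssBlob is the DER structure NSS wraps around each secret:
// SEQUENCE { keyId OCTET STRING, SEQUENCE { OID des-ede3-cbc, iv OCTET STRING }, ct OCTET STRING }.
type algID struct {
	OID asn1.ObjectIdentifier
	IV  []byte
}

type nssBlob struct {
	KeyID  []byte
	Alg    algID
	Cipher []byte
}

var oidDESEDE3CBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 3, 7}

// LoadLoginsData is the json.Unmarshal step described in the article.
func LoadLoginsData(raw []byte) ([]Login, error) {
	var f loginsFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	return f.Logins, nil
}

// Decrypt3DES unwraps one base64/DER field with the 24-byte master key. Recovering
// that key from key4.db is assumed to have happened already and is not shown.
func Decrypt3DES(key []byte, field string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return "", err
	}
	var blob nssBlob
	if rest, err := asn1.Unmarshal(der, &blob); err != nil || len(rest) != 0 {
		return "", errors.New("malformed NSS blob")
	}
	if !blob.Alg.OID.Equal(oidDESEDE3CBC) {
		return "", fmt.Errorf("unexpected algorithm %v", blob.Alg.OID)
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(blob.Alg.IV) != bs || len(blob.Cipher) == 0 || len(blob.Cipher)%bs != 0 {
		return "", errors.New("bad IV or ciphertext length")
	}
	pt := make([]byte, len(blob.Cipher))
	cipher.NewCBCDecrypter(block, blob.Alg.IV).CryptBlocks(pt, blob.Cipher)
	// Validate the PKCS#7 padding so a wrong key or corrupt blob fails instead of
	// returning garbage that looks like a credential.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > bs || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding: wrong key or corrupt data")
	}
	return string(pt[:len(pt)-pad]), nil
}

// Constructed fixtures so the example runs offline: a fake master key and IV, and an
// encryptor producing blobs in the layout NSS uses. Nothing here is campaign data.
var (
	sampleKey = []byte("0123456789abcdef01234567") // 24 bytes
	sampleIV  = []byte{1, 2, 3, 4, 5, 6, 7, 8}
)

func encryptField(key, iv []byte, plaintext string) string {
	block, _ := des.NewTripleDESCipher(key)
	pad := block.BlockSize() - len(plaintext)%block.BlockSize()
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	der, _ := asn1.Marshal(nssBlob{KeyID: bytes.Repeat([]byte{0xf8}, 16), Alg: algID{oidDESEDE3CBC, iv}, Cipher: ct})
	return base64.StdEncoding.EncodeToString(der)
}

// SampleLoginsJSON returns a one-entry logins.json encrypted under sampleKey.
func SampleLoginsJSON() []byte {
	raw, _ := json.Marshal(loginsFile{Logins: []Login{{
		Hostname:          "https://mail.example.test",
		EncryptedUsername: encryptField(sampleKey, sampleIV, "pilot01"),
		EncryptedPassword: encryptField(sampleKey, sampleIV, "correct horse battery staple"),
	}}})
	return raw
}

func main() {
	logins, _ := LoadLoginsData(SampleLoginsJSON())
	u, _ := Decrypt3DES(sampleKey, logins[0].EncryptedUsername)
	p, err := Decrypt3DES(sampleKey, logins[0].EncryptedPassword)
	fmt.Println(logins[0].Hostname, u, p, err)
}
```

The OID check matters in practice: a blob whose algorithm identifier is not des-ede3-cbc means the profile uses a different scheme, and feeding it to 3DES would only produce noise. On a real profile the missing piece is the key4.db step, which needs an SQLite reader and the PBKDF2/AES (or, in older profiles, 3DES) unwrapping of the master key; that is where a master password, if set, stops the stealer.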


The decrypted plaintext is then passed through an XOR (exclusive or) operation with a key. XOR is symmetric, so applying it again with the same key restores the original data; here it serves as lightweight obfuscation of the stolen strings rather than real encryption.


The next function uses gopsutil, the open-source Go port of psutil, a cross-platform library for retrieving information on running processes and system utilization.


Chrome is targeted by a counterpart of the Firefox routine, the Chrome cookie stealer. It opens Chrome’s cookie database, extracts the cookies, and can also decrypt the saved login data.
Once credentials have been harvested, the malware uses the Slack package’s file-upload feature to send them out. Let’s look at how this function works.


First, the function sets the channel ID, which directs the uploaded files into a specific Slack channel controlled by the attacker.

It then builds the parameters structure, embedding the channel and the details of the file to upload.


After setting up these structures and the request context, it passes params.File.str to another function, slack_fileupload, which we examine next.


This function calls the Slack package’s New constructor. Despite the wrapper’s name, New does not mint a token: it builds an API client from the bot token embedded in the binary, and that client performs the file upload to the designated channel.

The top-level function calls token_initialization_file_upload after normalizing the file names. The result is that the stolen files are uploaded through the Slack bot to the attacker’s channel, with Slack’s own infrastructure serving as the command-and-control and exfiltration channel. Two artefacts fall out of this design for defenders: the bot token (Slack bot tokens begin with xoxb-) and the channel ID are embedded in the sample, and the upload traffic goes to the legitimate slack.com API, so network detection must key on which hosts are uploading files to Slack rather than on the destination alone.
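Because the exfiltration rides on Slack’s legitimate API, detection has to be behavioural. The following is an added example, not part of the original post or of Gurucul’s product: it runs over a handful of constructed JSON-lines proxy records (the field names are this example’s own) and flags file-upload API calls to slack.com from hosts that are not sanctioned Slack users. The endpoint paths are Slack’s public Web API methods; the host names, timestamps, channel ID and byte counts are made up.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// ProxyEvent is one record of a JSON-lines export from a TLS-inspecting web proxy.
// The field names are this example's own; map them to your proxy's schema.
type ProxyEvent struct {
	Time     string `json:"ts"`
	Src      string `json:"src"`
	Method   string `json:"method"`
	Host     string `json:"host"`
	Path     string `json:"path"`
	BytesOut int    `json:"bytes_out"`
}

// Slack Web API methods that move file content into a workspace. files.upload is the
// legacy method older client libraries call; the two *External methods are the current
// two-step flow (the file bytes themselves go to a per-upload URL returned by the first).
var slackUploadMethods = map[string]bool{
	"/api/files.upload":                 true,
	"/api/files.getUploadURLExternal":   true,
	"/api/files.completeUploadExternal": true,
}

// Alert is one flagged upload.
type Alert struct {
	Time, Src, Path string
	BytesOut        int
}

// DetectSlackExfil flags Slack file-upload API calls from hosts that are not on the
// allow-list of machines sanctioned to use Slack. A stealer exfiltrating through a bot
// token produces exactly this shape: an upload from a host with no Slack business.
func DetectSlackExfil(jsonl string, sanctioned map[string]bool) ([]Alert, error) {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev ProxyEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		path := strings.SplitN(ev.Path, "?", 2)[0] // drop the query string before matching
		host := strings.ToLower(ev.Host)
		if ev.Method != "POST" || (host != "slack.com" && !strings.HasSuffix(host, ".slack.com")) {
			continue
		}
		if !slackUploadMethods[path] || sanctioned[ev.Src] {
			continue
		}
		alerts = append(alerts, Alert{ev.Time, ev.Src, path, ev.BytesOut})
	}
	return alerts, sc.Err()
}

// SampleProxyLog is constructed for this example; it is not traffic from the campaign.
const SampleProxyLog = `
{"ts":"2024-01-15T09:14:02Z","src":"ws-ops-01","method":"POST","host":"slack.com","path":"/api/chat.postMessage","bytes_out":412}
{"ts":"2024-01-15T09:15:40Z","src":"ws-ops-01","method":"POST","host":"slack.com","path":"/api/files.upload","bytes_out":88213}
{"ts":"2024-01-15T09:16:07Z","src":"ws-flt-17","method":"POST","host":"slack.com","path":"/api/files.upload?channels=C0000000000","bytes_out":20471}
{"ts":"2024-01-15T09:16:09Z","src":"ws-flt-17","method":"POST","host":"slack.com","path":"/api/files.completeUploadExternal","bytes_out":1190}
{"ts":"2024-01-15T09:17:00Z","src":"ws-flt-17","method":"GET","host":"www.example.test","path":"/","bytes_out":0}
`

func main() {
	alerts, err := DetectSlackExfil(SampleProxyLog, map[string]bool{"ws-ops-01": true})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s POST %s (%d bytes out)\n", a.Time, a.Src, a.Path, a.BytesOut)
	}
}
```

The allow-list is the weak point of this rule: in an environment where Slack is sanctioned everywhere, replace it with a per-host baseline (first-seen upload, or upload volume far above that host’s history) and correlate with the endpoint signal of a non-browser process reading browser credential stores. If the bot token is recovered from the binary, Slack’s auth.test method identifies the workspace it belongs to, which is the fastest route to getting the channel shut down.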

Impact and Mitigation

  • Fortunately, the Indian Air Force suffered no data loss from this attack, as robust security measures were in place.
  • Even so, the incident underscores the need for continuous vigilance and proactive defense against evolving cyber threats.
  • Organizations must stay informed about emerging malware variants and adjust their security controls accordingly.

In conclusion, the Go Stealer malware is a stark reminder that even well-defended systems are constantly targeted. As technology advances, so do the tactics of adversaries. Vigilance, education, and collaboration remain our best defenses in this digital battlefield.

MITRE ATT&CK TACTICS AND TECHNIQUES Covered by GRA:

Tactic               Technique                                                        ID         GRA Detection
Execution            User Execution: Malicious File                                   T1204.002  0
Defense Evasion      Impair Defenses: Disable or Modify Tools                         T1562.001  0
Credential Access    Credentials from Password Stores: Credentials from Web Browsers  T1555.003  8
Impact               Service Stop                                                     T1489      3
Command and Control  Encrypted Channel: Symmetric Cryptography                        T1573.001  0
Discovery            File and Directory Discovery                                     T1083      0
Command and Control  Web Service                                                      T1102      0


About the Author: Rudra Pratap

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.