In the ever-evolving landscape of cyber threats, a recent incident caught the attention of security experts and government agencies alike. Unidentified cyber attackers attempted to breach the internal computer systems of the Indian Air Force (IAF), aiming to steal sensitive data. The attack leveraged a variant of the Go Stealer malware, which was developed using Google’s open-source programming language Go (Golang).
This post walks through the details of this cyber-espionage attempt, analyzes the attack vector, and discusses the implications for national security.
The threat actor skillfully employed a deceptive PDF document to carry out their malicious intentions. This PDF was designed to appear innocuous, masquerading as an official invitation letter purportedly sent by the Indian Air Force (IAF).
The choice of a decoy PDF was strategic, as it is a common file format that recipients might expect to receive in official communications.
The decoy PDF was not directly delivered to the recipients. Instead, it was concealed within an ISO file. An ISO file is essentially a digital archive that contains an exact copy of an optical disk (such as a CD or DVD).
The ISO file acted as a container for the malware, providing a layer of obfuscation. Unsuspecting recipients would not immediately recognize the presence of malicious content within the seemingly harmless ISO file.
Inside the ISO file, alongside the decoy PDF, lay the actual malware. This malware was coded to be executable, meaning it could run and perform specific actions on the recipient’s system.
When the recipient extracted the contents of the ISO file, the malware was unleashed. Its purpose was to infiltrate the victim’s computer, gather sensitive information, and potentially compromise security.
To further deceive recipients, the threat actor included a shortcut file (commonly known as an LNK file) within the ISO package.
LNK files are typically used to create convenient shortcuts to programs or files. In this case, the LNK file was maliciously crafted to appear harmless.
When recipients unwittingly activated the LNK file (for instance, by clicking on it), they inadvertently triggered the execution of the malware.
The combination of the decoy PDF, ISO file, and LNK file created a multi-layered attack vector, making detection and prevention more challenging.
Examining the function graph of this binary, one function stands out: “Create_tempfile”. Let’s look at what it does and what it returns.
The function begins by creating or accessing a temporary directory. It then creates a text file named ‘vujdkda.txt’ and, on success, returns information about that file.
The next function of interest is ‘unhook_dll’. Let’s dissect it to understand what it does and what it returns.
In this function, the dynamic link libraries (DLLs) ntdll, kernel32.dll, and kernelbase.dll are collected into an array (a Go slice). This slice is then passed to a function named FullUnhook.
Further investigation into the FullUnhook function, specifically within the github_com_timwhitez_Doge_Gabh_pkg_Gabh_FullUnhook pathway, reveals that it accepts the aforementioned DLL array as its argument. A cursory search on GitHub leads us to the repository Doge-Gabh, which is a compilation of various red-team technique proofs of concept. Among these techniques, the code in question employs DLL Unhooking as a means to circumvent userland API hooking. Consequently, it can be deduced that the primary operation of this function is to execute DLL Unhooking.
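A defensive counterpart to the unhooking just described, added here as an example and not code from the malware or from Doge-Gabh: a userland hooking agent can periodically re-read the prologues it patched and compare them with what it installed, since an unhooker that copies the clean on-disk prologue back into memory leaves the hook bytes missing. The types, function names and byte values are constructed for this example; the clean-stub bytes model the x64 ntdll syscall stub prologue.

```go
package main

// Region is a run of bytes in a hooked prologue that no longer matches what the agent installed.
type Region struct {
	Name   string // exported function, e.g. "NtAllocateVirtualMemory"
	Offset int    // byte offset within the prologue where the mismatch starts
	Length int    // number of consecutive differing bytes
}

// HookedFn models one API whose prologue a userland hooking agent has patched: Installed is
// the prologue as the agent wrote it (jmp to its handler), Current is a fresh read of the same
// bytes from the live process. Both snapshots cover the same number of bytes.
type HookedFn struct {
	Name      string
	Installed []byte
	Current   []byte
}

func minInt(a, b int) int { if a < b { return a }; return b }

// CheckHookIntegrity compares each recorded hook with the bytes now present and returns every
// contiguous range that differs. No regions means the hooks are intact; a region at offset 0 is
// the typical trace of an unhooker that copied the clean on-disk prologue over the agent's jmp.
func CheckHookIntegrity(fns []HookedFn) []Region {
	var out []Region
	for _, f := range fns {
		n := minInt(len(f.Installed), len(f.Current))
		for i := 0; i < n; {
			if f.Installed[i] == f.Current[i] { i++; continue }
			start := i
			for i < n && f.Installed[i] != f.Current[i] { i++ }
			out = append(out, Region{f.Name, start, i - start})
		}
	}
	return out
}

// SampleHooks is constructed data: a 5-byte jmp rel32 hook (E9 ...) written over an x64 ntdll
// stub "mov r10,rcx; mov eax,ssn" (4C 8B D1 B8 ssn 00 00 00). The first entry has been restored
// to the clean stub by an unhooker; the second is still hooked.
func SampleHooks() []HookedFn {
	hooked := []byte{0xE9, 0x11, 0x22, 0x33, 0x44, 0x00, 0x00, 0x00}
	return []HookedFn{
		{"NtAllocateVirtualMemory", hooked, []byte{0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00}},
		{"NtWriteVirtualMemory", hooked, hooked},
	}
}
```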
The ‘firefox_stealer’ function is a component of a credential stealer malware that targets browsers like Firefox. It operates by extracting and decrypting credentials stored within the browser and then exfiltrating this sensitive information to an attacker’s server. This function is typically part of a larger malicious campaign and is used for cyber espionage or identity theft purposes.
The FireFoxStealCookies function appears to be part of malicious software designed to compromise the Firefox browser. It enumerates the profiles folder, using the APPDATA environment variable to locate the path, and then extracts cookies from the SQLite database in the cookies directory.
The Firefox_cookiestealer function, which could not be found in my search, seems to be responsible for cracking passwords. The LoadLoginsData function is likely used to load login data from Firefox, converting JSON data into an array format using the Unmarshal function in Go.
For the decryption process, the code employs 3DES (Triple Data Encryption Standard), which requires a key, an initialization vector (IV), and the ciphertext as inputs to return the plaintext, effectively decrypting the username and password.
It’s important to note that the use of such functions for unauthorized access to data is illegal and unethical. If you’re dealing with security research or ethical hacking, ensure that all activities are conducted within legal boundaries and with proper authorization.
Here’s a simplified representation of the process in pseudocode:
** This pseudocode is for educational purposes only and should not be used for malicious intent.
The plaintext data is subjected to an XOR (exclusive or) operation, which is a common technique in cryptography for encoding and decoding information. This operation typically uses a key to toggle the bits in the plaintext, transforming it into ciphertext or vice versa.
The next function likely uses an open-source Go (Golang) port of psutil, the cross-platform Python library for retrieving information on running processes and system utilization.
The Chrome browser is also targeted by a similar function to the one described for Firefox, known as a “cookie stealer.” This function operates by accessing the Chrome browser’s cookie database, extracting the cookies, and potentially decrypting login data.
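An added detection example, not part of the original analysis, that covers both the ISO/LNK delivery described earlier and the browser credential-store access just described for Firefox and Chrome: it evaluates constructed JSON-lines endpoint telemetry against two rules, one for a process launched by explorer.exe from a mounted ISO (the LNK double-click) and one for a non-browser process opening a browser credential store. The Event schema, field names and sample paths are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"strings"
)
// Event is a constructed, minimal telemetry record for this example, not a real EDR schema.
type Event struct {
	Kind   string `json:"kind"`   // "process" or "file"
	Image  string `json:"image"`  // acting process
	Parent string `json:"parent"` // parent process (process events)
	Volume string `json:"volume"` // "cdrom" when the image sits on a mounted ISO (process events)
	Target string `json:"target"` // file opened (file events)
}
// Alert names the rule that fired and the offending process.
type Alert struct{ Rule, Image string }
// Browser credential stores the stealer reads; only the browser itself should open them.
var credStores = map[string]bool{"logins.json": true, "key4.db": true, "cookies.sqlite": true, "login data": true, "cookies": true}
// base returns the lower-cased last path component, accepting \ or / separators.
func base(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }
func isBrowser(img string) bool { b := base(img); return b == "firefox.exe" || b == "chrome.exe" }
// Evaluate applies two rules to JSON-lines telemetry: (1) explorer.exe launching a process from
// a mounted ISO and (2) a non-browser process opening a browser credential store.
func Evaluate(lines []string) []Alert {
	var out []Alert
	for _, l := range lines {
		var e Event
		if json.Unmarshal([]byte(l), &e) != nil { continue } // skip malformed lines, keep the batch
		switch e.Kind {
		case "process":
			if e.Volume == "cdrom" && base(e.Parent) == "explorer.exe" {
				out = append(out, Alert{"exec-from-mounted-iso", e.Image})
			}
		case "file":
			if credStores[base(e.Target)] && !isBrowser(e.Image) {
				out = append(out, Alert{"browser-credential-store-access", e.Image})
			}
		}
	}
	return out
}
// SampleTelemetry is constructed input: LNK launch from the ISO, stealer and firefox.exe each reading logins.json, one malformed line.
func SampleTelemetry() []string {
	return []string{
		`{"kind":"process","image":"E:\\invite.exe","parent":"C:\\Windows\\explorer.exe","volume":"cdrom"}`,
		`{"kind":"file","image":"E:\\invite.exe","target":"C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json"}`,
		`{"kind":"file","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","target":"C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json"}`,
		`not json`,
	}
}
```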
Once credentials have been collected, the malware uses the Slack package’s file upload feature to send them out. Let’s look at how this function works.
First, the function sets the channel ID configuration, which directs the files into a specified Slack channel.
Next, it builds the parameters structure, embedding the channel information and the details of the file.
After these structures and contexts are set up, it passes params.File.str to another function named slack_fileupload, which we examine next.
This function initializes a new token with the New method of the Slack package and uses it to upload the file to the designated channel.
The final function calls token_initialization_file_upload, together with a step that fixes up file names, to upload the files to the Slack command and control (C2) server through the Slack bot.
In conclusion, the Go Stealer malware serves as a stark reminder that even the most secure systems are vulnerable. As technology advances, so do the tactics of cyber adversaries. Vigilance, education, and collaboration remain our best defenses in this digital battlefield.
Tactic | Technique | ID | GRA Detection |
Execution | User Execution – Malicious File | T1204.002 | 0 |
Defense Evasion | Defense Evasion – Disable or Modify Tools | T1562.001 | 0 |
Credential Access | Credential Access – Credentials from Web Browser | T1555.003 | 8 |
Impact | Service Stop | T1489 | 3 |
Command and Control | Command and Control – Encrypted Channel | T1573.001 | 0 |
Discovery | File and Directory Discovery | T1083 | 0 |
Command and Control | Command and Control – Web Service | T1102 | 0 |
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.