
GopherWhisper: A burrow full of malware

ESET researchers uncovered GopherWhisper, a previously undocumented China-aligned APT group targeting a Mongolian governmental entity. The group utilizes a diverse arsenal of custom, primarily Go-based malware that leverages legitimate services like Slack, Discord, and Microsoft Outlook for command and control, blending malicious traffic with normal enterprise communications.

Confidence: high | Analyzed: 2026-04-23

Authors: ESET Research

Actors: GopherWhisper

Source: ESET

IOCs · 3
  • domain: file[.]io - Legitimate file sharing service abused by the CompactGopher tool for automated data exfiltration.
  • domain: www[.]file[.]io - Legitimate file sharing service abused by the CompactGopher tool for automated data exfiltration (identified via architecture diagram).
  • email: barrantaya.1010@outlook[.]com - Microsoft 365 Outlook account used by the BoxOfFriends backdoor for C&C communication via draft email messages.

Key Takeaways

  • ESET discovered GopherWhisper, a new China-aligned APT group targeting a Mongolian governmental entity.
  • The group uses a custom toolset primarily written in Go, including backdoors like LaxGopher, RatGopher, and BoxOfFriends.
  • GopherWhisper heavily abuses legitimate services for C&C and exfiltration, including Slack, Discord, Microsoft 365 Outlook, and file.io.
  • Analysis of C&C messages revealed operational hours aligning with the UTC+8 time zone (China Standard Time).

Affected Systems

  • Windows

Attack Chain

The GopherWhisper attack chain begins with loaders and injectors like JabGopher and FriendDelivery, which deploy backdoors into memory, such as injecting LaxGopher into svchost.exe. Once active, backdoors like LaxGopher, RatGopher, and BoxOfFriends establish C&C communication by abusing legitimate APIs from Slack, Discord, and Microsoft Graph (Outlook). The attackers then perform disk and file enumeration, eventually deploying CompactGopher to compress sensitive files and exfiltrate them to the file.io service.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide inline detection rules, but notes that a comprehensive list of IoCs can be found in ESET's full white paper and associated GitHub repository.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions are well-equipped to detect DLL injection into svchost.exe, unusual child processes spawned by svchost.exe (such as cmd.exe), and suspicious network connections originating from injected processes.
  • Network Visibility: Medium — While the C&C traffic uses legitimate domains (Slack, Discord, Outlook, file.io) and is encrypted (HTTPS/port 443), the volume, timing, and specific API endpoints accessed by non-browser processes can be profiled as anomalous.
  • Detection Difficulty: Moderate — The heavy reliance on legitimate web services for C&C blends in with normal enterprise traffic, making network-based detection difficult. However, the endpoint process behaviors (injection, cmd.exe execution from injected processes) are highly anomalous and easier to detect.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • Image Load (Sysmon 7)
  • Process Access (Sysmon 10)

Hunting Hypotheses

  • Hypothesis: Look for svchost.exe spawning cmd.exe or other command shells, which may indicate LaxGopher execution. | Telemetry: Process Creation (Event ID 4688 / Sysmon 1) | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Search for unusual processes (non-browsers, non-standard communication tools) making persistent HTTPS connections to Slack, Discord, or Microsoft Graph APIs. | Telemetry: Network Connections (Sysmon 3) | ATT&CK Stage: Command and Control | FP Risk: Medium
  • Hypothesis: Identify the creation or loading of a DLL named whisper.dll in unexpected directories. | Telemetry: Image Load (Sysmon 7) / File Creation (Sysmon 11) | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Monitor for automated, script-driven uploads to file.io originating from endpoints rather than user browsers, potentially involving a file named Temp001.exe. | Telemetry: Network Connections (Sysmon 3) / File Creation (Sysmon 11) | ATT&CK Stage: Exfiltration | FP Risk: Low
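The four hypotheses above, written out as hunting checks over Sysmon-style events. This is an added example, not detection logic from the ESET report; the event field names follow Sysmon's schema, while the SaaS client allow-list, the "expected" DLL directories and the sample events are constructed assumptions to be tuned per environment.

```python
# Hunt rules for the GopherWhisper hypotheses over Sysmon-style events (constructed example).
C2_DOMAINS = ("slack.com", "discord.com", "discordapp.com", "graph.microsoft.com")
EXFIL_DOMAINS = ("file.io",)
# Processes expected to talk to these SaaS APIs (assumption; this rule is rated Medium FP risk).
EXPECTED_SAAS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe",
                         "discord.exe", "outlook.exe", "teams.exe"}
EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def hunt(events):
    """Return (rule, host, detail) tuples; events must be in chronological order."""
    findings, temp001_writers = [], set()   # temp001_writers: (host, pid) that wrote Temp001.exe
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 1 and _basename(ev["ParentImage"]) == "svchost.exe" \
                and _basename(ev["Image"]) in {"cmd.exe", "powershell.exe"}:
            findings.append(("svchost_spawns_shell", host, ev["CommandLine"]))
        elif eid == 3:
            dst, img = ev.get("DestinationHostname", "").lower(), _basename(ev["Image"])
            if _in_domains(dst, C2_DOMAINS) and img not in EXPECTED_SAAS_CLIENTS:
                findings.append(("nonbrowser_c2_saas", host, f"{img} -> {dst}"))
            # Exfil rule: same process wrote Temp001.exe earlier, then reaches file.io
            if _in_domains(dst, EXFIL_DOMAINS) and (host, ev["ProcessId"]) in temp001_writers:
                findings.append(("temp001_then_fileio", host, f"{img} -> {dst}"))
        elif eid == 7 and _basename(ev["ImageLoaded"]) == "whisper.dll" \
                and not ev["ImageLoaded"].lower().startswith(EXPECTED_DLL_DIRS):
            findings.append(("whisper_dll_unexpected_dir", host, ev["ImageLoaded"]))
        elif eid == 11 and _basename(ev["TargetFilename"]) == "temp001.exe":
            temp001_writers.add((host, ev["ProcessId"]))
    return findings

SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SAMPLE_EVENTS = [  # constructed telemetry for one host, in time order
    {"EventID": 1, "Computer": "WS01", "ParentImage": SVCHOST,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\"},
    {"EventID": 3, "Computer": "WS01", "ProcessId": 4412, "Image": SVCHOST, "DestinationHostname": "slack.com"},
    {"EventID": 3, "Computer": "WS01", "ProcessId": 9001, "DestinationHostname": "app.slack.com",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},  # benign browser use
    {"EventID": 7, "Computer": "WS01", "ImageLoaded": "C:\\Users\\Public\\whisper.dll"},
    {"EventID": 11, "Computer": "WS01", "ProcessId": 4412, "Image": SVCHOST,
     "TargetFilename": "C:\\Users\\Public\\Temp001.exe"},
    {"EventID": 3, "Computer": "WS01", "ProcessId": 4412, "Image": SVCHOST, "DestinationHostname": "www.file.io"},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```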

Control Gaps

  • Network filtering based solely on domain reputation, as the attackers exclusively abuse highly reputable cloud services.

Key Behavioral Indicators

  • svchost.exe executing cmd.exe
  • Unsigned or unusual processes communicating with Discord/Slack/Outlook APIs
  • Creation of Temp001.exe followed by network connections to file.io

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block access to file.io at the network perimeter if it is not required for business operations.
  • Search endpoint telemetry for the presence of whisper.dll or Temp001.exe.

Infrastructure Hardening

  • Implement strict application control to prevent unauthorized Go-based executables from running.
  • Restrict access to consumer messaging platforms (Discord, Slack) on critical government or enterprise systems if they are not officially sanctioned.

User Protection

  • Deploy and configure EDR solutions to aggressively block process injection into core system processes like svchost.exe.

Security Awareness

  • Educate SOC analysts on the risks of threat actors abusing legitimate cloud services (Living off the Cloud) for C&C and exfiltration, emphasizing behavioral endpoint monitoring over domain reputation.

MITRE ATT&CK Mapping

  • T1055.001 - Dynamic-link Library Injection
  • T1071.001 - Web Protocols
  • T1102.002 - Bidirectional Communication
  • T1567.002 - Exfiltration to Cloud Storage
  • T1059.003 - Windows Command Shell
  • T1574.002 - DLL Side-Loading

Additional IOCs

  • Urls:
    • hxxps://github[.]com/kardianos/service - GitHub repository referenced by operators for Go service daemon implementation.
    • hxxps://github[.]com/NHAS/stab - GitHub repository referenced by operators for Go local and remote process injections.
    • hxxps://github[.]com/kirinlabs/utils - GitHub repository referenced by operators for Go encryption and compression utilities.
    • hxxps://github[.]com/wumansgy/goEncrypt - GitHub repository referenced by operators for Go encryption methods.
  • Command Lines:
    • Purpose: Execute arbitrary commands received from the Slack C&C server | Tools: cmd.exe, LaxGopher | Stage: Execution | Command line: cmd.exe
  • Other:
    • svchost.exe - Legitimate Windows process targeted for memory injection by the JabGopher tool.