Back

GopherWhisper APT Targets Mongolia Using Cloud Tools for Espionage

Severity: High (Score: 60.0)

Sources: blog.google, Darkreading, www.recordedfuture.com, Feeds2.Feedburner, securelist.com

Summary

The Chinese APT group known as GopherWhisper has been identified as targeting the Mongolian government using multiple cloud-based tools for espionage. Active since November 2023, the group has backdoored at least 12 systems within a Mongolian governmental entity, with indications that dozens more may be affected. ESET researchers discovered various backdoors, including LaxGopher, JabGopher, CompactGopher, RatGopher, BoxOfFriends, and SSLORDoor, each utilizing different command-and-control (C2) methods. These methods include leveraging Slack, Discord, Microsoft Outlook, and file.io for data exfiltration and communication. The sophistication of GopherWhisper's attacks is considered low, as they rely on a variety of less advanced tools rather than a single sophisticated exploit. The ongoing investigation highlights the group's unique focus on a region not typically targeted by other APTs. Current assessments suggest that while the group is active, the threat level remains moderate due to the lack of advanced attack techniques. Key Points: • GopherWhisper APT has targeted Mongolian government systems since late 2023. • The group uses multiple cloud services for command-and-control operations. • At least 12 systems have been compromised, with potential for more victims.

Key Entities

  • Apt27 (apt_group)
  • Apt29 (apt_group)
  • BlueAlpha (apt_group)
  • Emissary Panda (apt_group)
  • EmissaryPanda (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • RedDelta Campaign (campaign)
  • Australia (country)
  • Belarus (country)
  • Brazil (country)
  • Cambodia (country)
  • Ethiopia (country)
  • CVE-2017-11882 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • Cwe-79 - Cross-site Scripting (xss) (cwe)
  • kaspersky.com (domain)
  • Government (industry)
  • Bisonal (malware)
  • BoxOfFriends (malware)
  • Byeby (malware)
  • CompactGopher (malware)
  • Enfal Trojan (malware)
  • 04dece2662f648f619d9c0377a7ba7c0 (md5)
  • 0D0320878946A73749111E6C94BF1525 (md5)
  • 22CBE2B0F1EF3F2B18B4C5AED6D7BB79 (md5)
  • ac337bd5f6f18b8fe009e45d65a2b09b (md5)
  • T1021 - Remote Services (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • Microsoft Azure (company)
  • Cloudflare (company)
  • file.io (company)
  • Outlook (company)
  • Microsoft Word (platform)
  • MikroTik (platform)
  • Symantec PcAnywhere (platform)
  • Windows (platform)
  • Discord (platform)
  • 92de0a807cfb1a332aa0d886a6981e7dee16d621 (sha1)
  • 9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0 (sha1)
  • bf9ef96b9dc8bdbc6996491d8167a8e1e63283fe (sha1)
  • Metasploit (tool)
  • PcAnywhere (tool)
  • RoyalRoad (tool)
  • ChimayRed (vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed