Analysis of Golang Payload and Information Theft Campaign

July 30, 2024, 4:32 p.m.

Description

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the techniques used by the malware, including command execution, screen capturing, and data exfiltration via encrypted channels. The report also provides insights into the group's evolving tactics and expanding arsenal of attack tools.

Date

  • Created: July 30, 2024, 4:14 p.m.
  • Published: July 30, 2024, 4:14 p.m.
  • Modified: July 30, 2024, 4:32 p.m.

Indicators


Attack Patterns

  • Client.exe
  • Winver.exe
  • APT-C-09 (Mozambique)
  • T1207
  • T1107
  • T1569.002
  • T1021.001
  • T1548.002
  • T1053.005
  • T1490
  • T1059.001
  • T1012
  • T1071.001
  • T1518.001
  • T1082
  • T1057
  • T1105
  • T1083
  • T1219
  • T1036
  • T1027
  • T1059

Additional Information

  • Pakistan