Eset Researchers Uncover Significant Findings of Go-Based Malware

In a revealing investigation, cybersecurity researchers from Eset have made significant progress in tracking a previously undetected threat actor believed to be associated with Chinese state-sponsored hacking. The researchers stumbled upon a rather careless hacking group after finding that command and control credentials had been hard-coded into several backdoors. The discovery is a reminder of how operational security lapses on the attacker's side can expose an otherwise stealthy campaign.
The group, which Eset has aptly named GopherWhisper, has employed widely used platforms like Slack, Discord, and Microsoft Office accounts to orchestrate control over their backdoors, all of which were developed using the Go programming language. The researchers’ investigation began when they examined an infection case involving an undisclosed Mongolian government agency, indicating that this campaign has been ongoing since approximately August 2024.
Intriguingly, the same Slack and Discord servers used for command and control operations were among the first systems to show infections, during the attackers' own preliminary tests. In a significant oversight, the hackers neglected to erase the logs from these platforms. This lapse allowed Eset to gather crucial information not only about the activities the attackers undertook after compromising targets but also about their operational environment. The hackers unwittingly uploaded files from their testing systems, providing a wealth of data for the investigators.
During their exploration of a hacker-controlled Discord channel, Eset researchers also uncovered the source code for one of the custom backdoors, referred to as RatGopher. Furthermore, they identified GitHub repositories containing code for another backdoor named LaxGopher. In a clever nod to the Go programming language’s gopher mascot, Eset chose these distinctive names for the malware, illustrating the researchers’ ingenuity as they navigated the complexities of the cyber landscape.
According to Eset malware researcher Eric Howard, the hackers likely chose Slack and Discord for command and control to obscure their malicious communication within layers of legitimate network traffic typically associated with high-volume usage. The use of Microsoft Office for command and control, along with file.io for exfiltration, further demonstrates the sophistication of these operations, blending legitimate tools with nefarious objectives.
This development emerges amidst a broader context of cyber threats posed by Chinese espionage groups, such as Volt Typhoon and Brickstorm, which have aggressively targeted governments and critical infrastructure through stealthy and enduring campaigns. Although GopherWhisper shares some of these stealthy characteristics, Eset has noted that it bears no resemblance to any previously documented Chinese threat actor in terms of code, tactics, techniques, or targeting, suggesting a distinct operational approach.
Researchers assert their confidence in the Chinese origins of this hacking group, citing the locale setting in Slack metadata being set to zh-CN, which indicates a connection to China. Additionally, communication patterns observed during the probe suggest that the hackers operated primarily during standard business hours in the Chinese time zone.
The volume of messages recovered by the researchers, exceeding 9,000, illustrated an active operator utilizing a virtual machine based on VMware. Notably, this virtual machine was booted and set up during regular working hours in China, underscoring the methodical approach taken by the threat actors.
Among the discovered backdoors, RatGopher was notable for a rather bold initialization message broadcast to a Discord channel stating "Hello, everyone!\nI'm coming!". Another backdoor, whimsically named BoxOfFriends and also written in Go, would create a draft email in Microsoft Outlook to signal readiness to its operators. The backdoor cleverly used different email addresses in the address field to correspond to different commands: Seth912@outlook.com was used to manage heartbeat intervals, while Jared962@outlook.com was designated to split larger files into smaller segments for exfiltration.
For those interested, a detailed list of indicators of compromise along with samples of GopherWhisper can be found on Eset’s dedicated GitHub repository. This research highlights not only the capabilities of threat actors but also the continuous need for vigilance and the evolution of cyber defense strategies in an increasingly complex digital landscape.