GO Stealer Malware Targeting Indian Air Force – Cyber Espionage Campaign

    Date: 09/06/2024

    Severity: Medium

    Summary

    GO Stealer malware is being used in a cyber espionage campaign targeting the Indian Air Force. The malware is built to steal sensitive data and intelligence, with the aim of compromising military operations and sensitive information held by the Indian Air Force. The campaign highlights the growing threat of targeted attacks on defense organizations.

    Indicators of Compromise (IOC) List

    URL/Domain

    Doge-Gabh

    Filename

    'vujdkda.txt'

    Command line argument

    '\code_tunnel.json'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "Doge-Gabh" or url like "Doge-Gabh"

    Detection Query 2

    Resourcesname like "Sysmon" and eventtype like "11" and TargetFilename like "vujdkda.txt" 

    Detection Query 3

    Technologygroup = "EDR" and eventtype like "11" and TargetFilename like "vujdkda.txt" 

    Detection Query 4

    (resourcename in ("Windows Security" ) AND eventtype = "4688"  ) AND commandline like "cmd.exe /c start /B .temp\tmp.exe & .temp\sample.pdf"

    Detection Query 5

    (Technologygroup = "EDR" ) AND commandline like "cmd.exe /c start /B .temp\tmp.exe & .temp\sample.pdf"
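    The five TDIR queries above can be checked offline against sample telemetry before they are deployed. The Python below is an added example, not Gurucul code and not the TDIR query engine: it re-implements the query logic over constructed events so the exact trigger conditions (and the gaps between them) are visible. It assumes that the TDIR `like` operator is a case-insensitive substring match, that Sysmon event ID 11 is FileCreate and Windows Security event ID 4688 is process creation, and it adds a sixth check for the '\code_tunnel.json' command-line argument listed in the IOC table, which none of the page's queries covers. The field names and sample event values are constructed for the example.

```python
"""Offline re-implementation of the five detection queries above plus one
extra check for the command-line-argument IOC. Added example; not Gurucul's
TDIR engine. Event shape and sample values are constructed assumptions."""
from dataclasses import dataclass

# IOC values as listed on the page.
IOC_DOMAIN = "Doge-Gabh"
IOC_FILENAME = "vujdkda.txt"
IOC_COMMANDLINE = r"cmd.exe /c start /B .temp\tmp.exe & .temp\sample.pdf"
IOC_CMD_ARGUMENT = r"\code_tunnel.json"


@dataclass
class Event:
    """One normalized log event (constructed field layout, not the TDIR schema)."""
    resourcename: str = ""      # log source, e.g. "Sysmon" or "Windows Security"
    technologygroup: str = ""   # e.g. "EDR"
    eventtype: str = ""         # "11" = Sysmon FileCreate, "4688" = process creation
    targetfilename: str = ""
    commandline: str = ""
    url: str = ""
    userdomainname: str = ""


def _like(value: str, needle: str) -> bool:
    """Assumed semantics of the TDIR 'like' operator: case-insensitive substring."""
    return needle.lower() in value.lower()


def matches(event: Event) -> list:
    """Return the numbers of the detection queries that fire for one event."""
    hits = []
    # Query 1: domain IOC in user domain name or URL.
    if _like(event.userdomainname, IOC_DOMAIN) or _like(event.url, IOC_DOMAIN):
        hits.append(1)
    # Query 2: Sysmon FileCreate of the dropped file.
    if (_like(event.resourcename, "Sysmon") and _like(event.eventtype, "11")
            and _like(event.targetfilename, IOC_FILENAME)):
        hits.append(2)
    # Query 3: same file creation as seen by an EDR source.
    if (event.technologygroup == "EDR" and _like(event.eventtype, "11")
            and _like(event.targetfilename, IOC_FILENAME)):
        hits.append(3)
    # Query 4: 4688 process creation with the exact launcher command line.
    if (event.resourcename in ("Windows Security",) and event.eventtype == "4688"
            and _like(event.commandline, IOC_COMMANDLINE)):
        hits.append(4)
    # Query 5: the same command line from EDR; note it has no eventtype filter.
    if event.technologygroup == "EDR" and _like(event.commandline, IOC_COMMANDLINE):
        hits.append(5)
    # Extra check 6 (not on the page): the command-line-argument IOC on its own.
    if _like(event.commandline, IOC_CMD_ARGUMENT):
        hits.append(6)
    return hits


def scan(events: list) -> list:
    """Run every query over an event list; return (index, hits) for events that fire."""
    results = []
    for i, event in enumerate(events):
        hits = matches(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events: five that should fire, two benign ones that should not.
SAMPLE_EVENTS = [
    Event(resourcename="Sysmon", eventtype="11",
          targetfilename=r"C:\Users\alice\AppData\Local\Temp\vujdkda.txt"),
    Event(resourcename="Windows Security", eventtype="4688",
          commandline=r"cmd.exe /c start /B .temp\tmp.exe & .temp\sample.pdf"),
    Event(technologygroup="EDR", eventtype="11", targetfilename=r"C:\Temp\vujdkda.txt"),
    Event(technologygroup="EDR",
          commandline=r"cmd.exe /c start /B .temp\tmp.exe & .temp\sample.pdf"),
    Event(url="http://Doge-Gabh.example/"),  # constructed URL built from the domain IOC
    Event(resourcename="Windows Security", eventtype="4688",
          commandline=r"PLACEHOLDER.exe \code_tunnel.json"),  # constructed binary name
    Event(resourcename="Sysmon", eventtype="11", targetfilename=r"C:\Windows\Temp\report.txt"),
    Event(resourcename="Windows Security", eventtype="4688", commandline="cmd.exe /c dir"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: queries {hits}")
```

    Running the block shows which query each sample event trips and that the two benign events stay silent. It also makes two properties of the page's queries explicit: Query 5 fires on the command line alone from any EDR event, and the '\code_tunnel.json' argument is only caught by the extra check, so an analyst porting these queries may want to add an equivalent of it.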

    Reference:

    https://gurucul.com/blog/go-stealer-malware-targeting-indian-air-force-cyber-espionage-campaign/#infection-sequence


    Tags

    Gurucul, Malware, Data Stealer, Cyber Espionage

