GOFFEE Advanced Persistent Threat

The GOFFEE APT group is a sophisticated cyber-espionage entity that has been active since early 2022, focusing primarily on organizations within the Russian Federation. Its operations target sectors critical to national infrastructure, including media and telecommunications, construction, government entities, and energy companies. GOFFEE is known for its advanced malware arsenal, innovative infection techniques, and its ability to adapt to changing cybersecurity defenses.

Key Characteristics of GOFFEE APT

1. Infection Techniques

GOFFEE employs a diverse range of infection methods designed to infiltrate systems and establish persistence:

  • Spear-Phishing Campaigns:
    • The group sends highly targeted phishing emails containing malicious attachments. These attachments often use deceptive file names, such as .pdf.exe or .doc.exe, disguising malicious executables as harmless documents.
    • Another variant involves Microsoft Office documents embedded with VBA macros. When users enable macros, the documents drop and execute malicious payloads on the target system.
  • Removable Media (USB Worms):
    • GOFFEE utilizes USB-based worms to spread malware. These worms hide the legitimate files on a drive and replace them with similarly named malicious files carrying familiar icons, which launch the malware when clicked.
    • By targeting removable storage devices, the group ensures its malware can propagate into air-gapped systems that have no network path to the internet.
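The two initial-access vectors above, the double-extension attachment and the USB worm that hides a user's files and plants look-alike launchers, can both be caught with simple name-based triage before anything is opened. The following is an added example for this article, not GOFFEE tooling or any vendor's product; the extension sets and the sample drive listing are constructed assumptions to be tuned to local policy.

```python
"""Triage helpers for the two initial-access vectors described above:
deceptive double-extension attachments and USB worms that hide a user's
files and drop look-alike launchers beside them.

Example code added to this article; it is not GOFFEE tooling or any
vendor's product. The extension sets and the sample drive listing are
constructed assumptions and should be tuned to local policy.
"""
from pathlib import PurePath

# Extensions Windows executes on double-click (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".hta",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".lnk", ".ps1"}
# Extensions a recipient expects to open as an inert document (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".rtf", ".txt", ".jpg", ".png"}
# Office formats that can carry VBA macros.
MACRO_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) for an e-mail attachment name.

    verdict is 'block', 'review' or 'allow'; reason is empty for 'allow'.
    """
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if not suffixes:
        return ("allow", "")
    final = suffixes[-1]
    if final in EXECUTABLE_EXTS:
        # 'report.pdf.exe': a document extension immediately before the
        # executable one is the disguise the article describes.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            return ("block", "double extension")
        return ("block", "executable attachment")
    if final in MACRO_EXTS:
        # Not malicious by itself; route to sandbox or manual review so the
        # "enable macros" lure never reaches the user untouched.
        return ("review", "macro-capable Office file")
    return ("allow", "")


def _base_name(name: str) -> str:
    """Everything before the first dot, lower-cased: 'Budget.xlsx.exe' and
    'Budget.xlsx' both map to 'budget', so decoys pair with their originals."""
    return name.split(".", 1)[0].lower()


def find_usb_decoys(entries):
    """entries: iterable of (name, is_hidden) pairs from a removable drive.

    Flags visible executables or shortcuts whose base name matches a hidden
    entry, the pattern a USB worm leaves when it hides the real files and
    plants launchers with the same names.
    """
    hidden_by_base = {}
    for name, is_hidden in entries:
        if is_hidden:
            hidden_by_base.setdefault(_base_name(name), []).append(name)
    decoys = []
    for name, is_hidden in entries:
        if is_hidden:
            continue
        if PurePath(name).suffix.lower() in EXECUTABLE_EXTS:
            originals = hidden_by_base.get(_base_name(name))
            if originals:
                decoys.append((name, originals))
    return decoys


# Constructed drive listing: (name, is_hidden). Not a real capture.
SAMPLE_USB_LISTING = [
    ("System Volume Information", True),   # legitimately hidden, no decoy
    ("Photos", True),                      # user's folder, hidden by the worm
    ("Photos.lnk", False),                 # look-alike launcher
    ("Budget.xlsx", True),
    ("Budget.xlsx.exe", False),
    ("readme.txt", False),
]

if __name__ == "__main__":
    for name in ("report.pdf.exe", "quarterly.xlsm", "Annual Report.docx"):
        print(name, classify_attachment(name))
    print(find_usb_decoys(SAMPLE_USB_LISTING))
```

The attachment check deliberately treats macro-capable formats as "review" rather than "block": legitimate .xlsm files exist, so the aim is to put a sandbox or analyst between the lure and the user. The USB check keys on the base name before the first dot so that both `Photos.lnk` beside a hidden `Photos` folder and `Budget.xlsx.exe` beside a hidden `Budget.xlsx` are paired with the file they impersonate.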

2. Malware Arsenal

GOFFEE has developed and employed an extensive suite of custom tools to achieve its objectives:

  • PowerModul:
    • A flagship tool of the GOFFEE group, PowerModul is a stealthy implant written in PowerShell.
    • Features:
      • Downloads and executes additional malware.
      • Communicates with command-and-control (C2) servers.
      • Incorporates OfflineWorker, which exfiltrates files from USB devices without needing an internet connection.
    • Adaptability:
      • PowerModul is specifically designed to evade endpoint detection systems by leveraging obfuscated scripts and PowerShell commands.
  • FlashFileGrabber:
    • A malware tool targeting removable media, FlashFileGrabber scans infected systems for over 40 file types, including .docx, .xls, and .pdf, and copies them for data exfiltration.
  • PowerTaskel:
    • A previously used Mythic agent written in PowerShell, PowerTaskel performs reconnaissance and enables arbitrary script execution. It has since been replaced by more sophisticated tools in GOFFEE’s arsenal.
  • Binary Mythic Agent:
    • Delivered via HTA (HTML Application) files launched by the mshta.exe process. This tool supersedes PowerTaskel and is deployed in phishing campaigns to gather intelligence.

3. Persistence Methods

GOFFEE uses multiple techniques to maintain long-term access to compromised systems:

  • Registry-Based Persistence:
    • Malicious HTA files are written to the Windows registry, allowing them to execute whenever the system restarts.
  • Obfuscation:
    • Payloads are encoded using Base64 and stored in inconspicuous files, such as UserCache.ini, to evade detection.

Targeted Sectors

The GOFFEE APT group strategically focuses on high-value sectors within Russia, including:

  • Media and Telecommunications:
    • Likely aimed at controlling information flow or disrupting the spread of sensitive data.
  • Construction:
    • Potential espionage targeting infrastructure projects of national importance.
  • Government Entities:
    • To gather intelligence or manipulate operational processes.
  • Energy Companies:
    • These attacks could disrupt critical energy infrastructure or gain insight into sensitive energy projects.

Evolution of GOFFEE’s Operations

Recent Developments

  • In 2024, GOFFEE shifted its tactics, introducing the PowerModul implant to replace older tools like PowerTaskel.
  • Infection schemes now involve advanced payload layering, leveraging JavaScript and encoded scripts for stealthy execution.

Indicators of Attack

GOFFEE’s activities are marked by:

  1. Unusual system behavior, such as registry modifications tied to malicious HTA files.
  2. Evidence of removable media targeting, including infected USB drives or files hidden by worms.
  3. Encoded payloads stored in files that appear benign.

Impact of GOFFEE’s Campaigns

1. Data Exfiltration

GOFFEE’s tools are explicitly designed to extract sensitive data from systems, including:

  • Proprietary information.
  • Project files from construction or energy companies.
  • Government documents and intelligence.

2. Operational Disruption

The group’s malware can disrupt system operations, resulting in downtime for critical infrastructure.

3. Intelligence Gathering

The targeting of government and media entities suggests a focus on political or strategic espionage, potentially influencing decision-making processes.

Mitigation Strategies

1. Strengthen Email Security

  • Deploy advanced email filtering systems capable of detecting spear-phishing campaigns.
  • Train employees to recognize suspicious emails and attachments, particularly those requesting the enabling of macros.

2. Secure Removable Media

  • Restrict the use of USB drives in critical systems.
  • Use endpoint protection solutions to detect and block USB worms.

3. Regular Software Patching

  • Update operating systems and software to mitigate vulnerabilities exploited by GOFFEE.

4. Threat Hunting

  • Actively monitor for indicators of compromise, such as:
    • Malicious registry entries.
    • Base64-encoded scripts.
    • HTA files linked to mshta.exe.
  • Use intrusion detection systems (IDS) to identify abnormal activity tied to malware tools like PowerModul.
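The indicators listed here, together with the registry-resident HTA files and Base64-encoded payloads in files like UserCache.ini described under "Persistence Methods", translate directly into hunting rules over endpoint telemetry. The following is an added example for this article, not attacker or vendor code; the event records are constructed in a simplified SIEM-export shape (an assumption, so map the field names onto your own telemetry), and the registry key and file paths in them are placeholders rather than published indicators.

```python
"""Hunting rules for the indicators listed in this section and under
"Persistence Methods": mshta.exe launching HTA files, registry values that
reference HTAs, Base64-encoded PowerShell, and encoded payloads parked in
innocuous files such as UserCache.ini.

Example code added to this article, not attacker or vendor code. The event
records are constructed in a simplified SIEM-export shape (an assumption;
map the field names onto your own telemetry), and the registry key and
paths in them are placeholders rather than published indicators.
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

# One long, validly padded Base64 run.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind a -EncodedCommand argument, or None.
    PowerShell encodes UTF-16LE text, so decode Base64 and then UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_b64_payload(text: str) -> bool:
    """True when the text is essentially one decodable Base64 blob."""
    m = B64_BLOB.search(text)
    if not m:
        return False
    blob = m.group(0)
    try:
        base64.b64decode(blob, validate=True)
    except binascii.Error:
        return False
    return len(blob) >= 0.8 * len(text.strip())


def hunt(event: dict) -> list:
    """Return (rule, detail) tuples raised by one event; [] when clean."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        image = PureWindowsPath(event.get("image", "")).name.lower()
        cmd = event.get("cmdline", "")
        if image == "mshta.exe" and re.search(r"(?i)\.hta\b", cmd):
            hits.append(("hta-via-mshta", cmd))
        if image in ("powershell.exe", "pwsh.exe"):
            plain = decode_encoded_command(cmd)
            if plain is not None:
                hits.append(("encoded-powershell", plain))
    elif kind == "registry":
        data = event.get("data", "")
        if re.search(r"(?i)mshta|\.hta\b", data) or looks_like_b64_payload(data):
            hits.append(("hta-or-encoded-registry-value", event.get("key", "")))
    elif kind == "file":
        name = PureWindowsPath(event.get("path", "")).name.lower()
        if name == "usercache.ini" and looks_like_b64_payload(event.get("content", "")):
            hits.append(("encoded-payload-in-benign-file", event.get("path", "")))
    return hits


# Constructed samples. The encoded command is a harmless cmdlet so the
# decoder's output can be checked; the "payload" is placeholder text.
SAMPLE_ENC = base64.b64encode("Get-Process".encode("utf-16le")).decode()
SAMPLE_BLOB = base64.b64encode(
    b"constructed placeholder, stands in for an encoded script " * 2).decode()

SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\invoice.hta"'},
    {"type": "registry", "key": r"HKCU\Software\Example\Loader",   # placeholder key
     "data": r"mshta.exe C:\Users\u\AppData\Roaming\svc.hta"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\UserCache.ini",
     "content": SAMPLE_BLOB},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def run_hunt(events=SAMPLE_EVENTS):
    """Apply every rule to every event; returns [(event_index, (rule, detail)), ...]."""
    return [(i, hit) for i, ev in enumerate(events) for hit in hunt(ev)]


if __name__ == "__main__":
    for idx, (rule, detail) in run_hunt():
        print(f"event {idx}: {rule}: {detail}")
```

Decoding the -EncodedCommand argument rather than merely flagging it matters in triage: PowerShell's encoded form is Base64 over UTF-16LE text, and surfacing the plaintext lets an analyst tell an administrative script from a loader at a glance. The Base64 rule on UserCache.ini requires the blob to be both validly padded and almost the whole file, which keeps ordinary INI content with a stray token from firing.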

5. Enhance Endpoint Protection

  • Deploy advanced endpoint security solutions capable of identifying stealthy implants and blocking PowerShell-based attacks.

Lessons Learned

Persistence Requires Robust Defense:

  • GOFFEE’s use of registry modifications and obfuscation demonstrates the importance of comprehensive monitoring systems.

Proactive Cybersecurity:

  • Organizations must adopt a defense-in-depth approach, combining real-time monitoring with regular software patching.

Employee Awareness:

  • Training employees to identify phishing attempts can significantly reduce the success rate of GOFFEE’s infection campaigns.

Final Thoughts

The GOFFEE APT group is a highly adaptable and sophisticated entity capable of disrupting operations, exfiltrating data, and maintaining persistent access in targeted environments. By deploying advanced tools like PowerModul and FlashFileGrabber, GOFFEE demonstrates the capability to evolve its tactics and bypass modern defenses. Organizations in Russia’s critical infrastructure sectors must prioritize robust security measures to mitigate the risks posed by this persistent threat.
