**Full report:** Kaspersky researchers analyze GOFFEE's campaign in H2 2024: the updated infection scheme, the new PowerModul implant, and the switch to a binary Mythic agent.
# Analysis Summary
# Threat Actor: GOFFEE
## Attribution & Identity
**Identification:** GOFFEE is an established threat actor first observed in early 2022.
**Attribution:** The excerpt ties GOFFEE's activity exclusively to the Russian Federation (as its target, and possibly as its origin), but gives no explicit attribution of the actor to a country or sponsor.
**Aliases/Associated Groups:** No other specific aliases or associated threat groups are mentioned in this excerpt.
## Activity Summary
GOFFEE conducts targeted attacks exclusively against entities located within the Russian Federation.
* **Historical Activity:** Initially observed in early 2022. Deployed a modified Owowa (malicious IIS module) between May 2022 and summer 2023.
* **Recent/Observed Activity (2024):**
  * Switched to deploying patched malicious instances of `explorer.exe` via spear phishing.
  * Used PowerTaskel (a non-public Mythic agent written in PowerShell).
  * Introduced a new implant dubbed "PowerModul."
  * Increasingly abandoned PowerTaskel in favor of a binary Mythic agent for lateral movement.
## Tactics, Techniques & Procedures
The primary initial access vector is spear phishing emails containing malicious attachments.
* **Initial Access (Execution Flow v1):** Spear phishing leading to a RAR archive. The archive contains an executable masquerading as a document (sometimes using double extensions like `.pdf.exe`). Upon execution, a decoy document is downloaded/opened while malicious code runs in parallel. The executable itself is a patched Windows system file (`explorer.exe` or `xpsrchvw.exe`) containing shellcode that deploys an obfuscated Mythic agent.
* **Initial Access (Execution Flow v2):** Spear phishing leading to a Microsoft Office document containing a malicious macro.
  * The macro prompts the user to enable content, which triggers payload execution.
  * The macro creates two files (an `.hta` file and a PowerShell file) and writes the HTA path to the `LOAD` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows`, so the HTA runs automatically at each user logon.
  * The HTA executes `cmd.exe` to drop a JavaScript file (`UserCacheHelper.lnk.js`) via output redirection; that script then executes an encoded PowerShell script named "UserCache.ini" containing the **PowerModul** implant.
* **Lateral Movement:** Increasing shift toward using a binary Mythic agent.
* **MITRE ATT&CK IDs:** Not explicitly listed in the provided text.
## Targeting
* **Sectors:** Media and telecommunications, construction, government entities, and energy companies.
* **Geography:** Exclusively organizations located in the Russian Federation.
* **Victims:** General organizational sectors within Russia; no specific organization names were provided.
## Tools & Infrastructure
* **Malware Families Used:**
  * Owowa (modified malicious IIS module; legacy)
  * PowerTaskel (PowerShell-based Mythic agent; being phased out)
  * PowerModul (new implant; not described in detail in this excerpt)
  * Mythic agent (binary version used for persistence and lateral movement)
* **Infrastructure:** A command-and-control (C2) server delivers the decoy documents and receives the initial agent check-ins. No specific IPs or domains are given in this excerpt.
## Implications
GOFFEE demonstrates adaptability by continuously updating its infection schemes (moving from IIS modules to patched binaries to complex macro/HTA/JS chains). The adoption of PowerModul and the refinement toward using a binary Mythic agent suggest a move towards more stealthy or robust post-exploitation capabilities, particularly for lateral movement within the targeted Russian networks.
## Mitigations
* Monitor for spear-phishing delivery associated with RAR/document attachments.
* Implement advanced detection for patched Windows binaries being executed, especially `explorer.exe`.
* Block the execution of chained HTA/PowerShell/JavaScript payloads originating from Office macros.
* Monitor writes to the `LOAD` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows` that register HTA files or other scripts; on a modern workstation this value is normally empty.
* Specifically monitor for the introduction and execution of the PowerModul implant and communication patterns associated with the Mythic C2 framework.
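The following PowerShell audit script is an added example, not code from the Kaspersky report: it covers both the `LOAD`-value persistence step of Execution Flow v2 and the registry-monitoring mitigation above. It walks every loaded user hive under `HKEY_USERS` (not only `HKCU`), reports any populated `Load` value, and flags values that reference script extensions or script hosts. The extension and host lists are assumptions chosen for this check, not indicators from the report.

```powershell
# Added example (not from the Kaspersky report): audit the per-user "Load" value
# abused by the GOFFEE macro for logon persistence. Registry value names are
# case-insensitive, so 'Load' matches the 'LOAD' value named in the report.
# The extension and host lists below are assumptions for this check.
$SuspiciousExtensions = @('.hta', '.js', '.jse', '.vbs', '.vbe', '.ps1', '.wsf', '.lnk')
$SuspiciousHosts      = @('mshta', 'wscript', 'cscript', 'powershell', 'pwsh', 'cmd')

function Test-SuspiciousLoadValue {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    $v = $Value.ToLowerInvariant()
    foreach ($ext in $SuspiciousExtensions) { if ($v.Contains($ext)) { return $true } }
    foreach ($h in $SuspiciousHosts) { if ($v -match "\b$h(\.exe)?\b") { return $true } }
    return $false
}

function Get-LoadValueFindings {
    # Map HKEY_USERS so every logged-on user's hive is inspected, not just HKCU.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $findings = @()
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $keyPath = "HKU:\$($_.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
            $load = (Get-ItemProperty -Path $keyPath -Name Load -ErrorAction SilentlyContinue).Load
            if (-not [string]::IsNullOrWhiteSpace($load)) {
                $findings += [pscustomobject]@{
                    Sid        = $_.PSChildName
                    Key        = $keyPath
                    Load       = $load
                    Suspicious = Test-SuspiciousLoadValue -Value $load
                }
            }
        }
    return $findings
}

# Usage: list every populated Load value. A non-empty value is itself unusual on a
# modern workstation; a path ending in .hta (as in the GOFFEE chain) is a strong signal
# worth correlating with the dropped UserCacheHelper.lnk.js / UserCache.ini files.
Get-LoadValueFindings | Format-Table -AutoSize
```

Run it with administrative rights so all user hives are readable; profiles that are not currently loaded do not appear under `HKEY_USERS` and would need their `NTUSER.DAT` loaded separately.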