Elastic Security Labs reveals new GOSAR backdoor threat
Elastic Security Labs has revealed a new malware family known as GOSAR, a Golang-based rewrite of the QUASAR backdoor that is still under development and is being used against Chinese-speaking victims.
The GOSAR backdoor is deployed via a custom loader dubbed SADBRIDGE. The loader relies on DLL side-loading and process injection to bypass security controls, and the backdoor itself offers multi-OS support and improved evasion, making the pair a formidable toolset. The targeting points to Chinese-speaking regions, with the operators using sophisticated methods to disguise their activity.
Elastic Security Labs monitors an ongoing campaign tracked as REF3864, in which the adversaries lure victims with what appears to be legitimate software, such as web browsers or social messaging applications, as a cover for distributing malware. The operators have proven adaptable, delivering malware across Linux, Windows and Android. Elastic's latest discovery adds SADBRIDGE as a distinct Windows infection chain that packages the newly rewritten GOSAR malware.
The samples observed, which carried certificates and posed as reputable software such as Telegram and Opera GX, were retrieved from VirusTotal. They showed low detection rates and combined DLL side-loading with a dedicated loader mechanism: an MSI installer drops the files, and a malicious Dynamic-Link Library (DLL) is loaded in place of the benign one to deliver GOSAR.
On investigation, the malicious files were found to have been crafted to look legitimate while deploying a trojanized DLL. Once placed on a system, they start the infection process and use deceptive means such as system service tasks to ensure persistence.
The malware's infrastructure often parades under respected service banners to conduct distribution operations discreetly. Customisation efforts indicate a specific focus on bypassing Chinese antivirus tools and tailoring firewall rules with Chinese descriptors.
GOSAR extends its predecessor's capabilities with more advanced information-gathering features and evasion techniques. Its multi-platform adaptability and its ability to operate persistently without being easily spotted signal a new level of threat complexity, especially since the attackers' motivation and goals remain undocumented.
The SADBRIDGE loading mechanism is packaged as an MSI installer and operates through DLL side-loading. SADBRIDGE abuses legitimate programs such as x64dbg.exe to load disguised malicious components, executing its payloads through bridging program components and registry modifications.
Privilege escalation is handled silently: the malware reaches administrator level through abuse of COM interfaces and can elevate further to SYSTEM level through abuse of task scheduling.
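The side-loading pattern described above (a legitimate host such as x64dbg.exe loading a malicious DLL dropped next to it) is something a defender can hunt for in image-load telemetry. The following heuristic is an added illustration, not Elastic's detection logic: it runs over constructed Sysmon-style image-load records and flags a listed host binary, running outside its expected install directories, that loads an unsigned DLL from its own folder. The host list, expected directories and sample paths are assumptions for the example.

```python
"""Side-loading heuristic over constructed Sysmon-style ImageLoad records.

Added example, not code from Elastic Security Labs. Flags a trusted host
binary (the page names x64dbg.exe) that loads an unsigned DLL sitting in
its own directory while the host itself runs from an unexpected location.
"""
from pathlib import PureWindowsPath

# Host binaries known to be abused for side-loading. Assumption: only the one
# named on the page; a production rule set would be far larger.
SIDELOAD_HOSTS = {"x64dbg.exe"}

# Directories where a legitimately installed host is expected (assumption).
EXPECTED_DIRS = ("c:\\program files", "c:\\program files (x86)")


def is_suspicious_load(event: dict) -> bool:
    """True when a listed host, outside EXPECTED_DIRS, loads an unsigned DLL from its folder."""
    if event.get("EventType") != "ImageLoad":
        return False
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if image.name.lower() not in SIDELOAD_HOSTS:
        return False
    host_dir = str(image.parent).lower()
    same_dir = host_dir == str(loaded.parent).lower()
    outside_expected = not host_dir.startswith(EXPECTED_DIRS)
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_dir and unsigned and outside_expected


def triage(events: list) -> list:
    """Return the DLL paths of every record the heuristic flags."""
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]


# Constructed sample records (not real telemetry; DLL name is a placeholder).
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": r"C:\Users\bob\AppData\Roaming\tg\x64dbg.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Roaming\tg\example_plugin.dll", "Signed": "false"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\x64dbg\x64dbg.exe",
     "ImageLoaded": r"C:\Program Files\x64dbg\example_plugin.dll", "Signed": "true"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious side-load:", hit)
```

Only the first record is flagged: the same host installed under Program Files loading a signed DLL passes, as does svchost.exe loading ntdll.dll.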
Subsequent SADBRIDGE stages use encryption and decryption to mask activity on the endpoint, including masking the PEB and rewriting the command line to disguise the program's origin. Critically, its evasion tactics include disabling Windows defence mechanisms by patching APIs, which lets it avoid detection by antivirus scans.
GOSAR, as a Golang adaptation, keeps control of the system through malicious hooks and extends its reach to keylogging and clipboard monitoring on infected systems. Decrypted traffic logs show GOSAR communicating over TLS on TCP and illustrate its methodical adaptability in bypassing existing security controls.
While the GOSAR backdoor remains under development, Elastic Security Labs warns that it can already execute commands, transfer files and load plugins for extended remote operations. Although its network protocol is aligned with previous versions, its smooth execution poses a real risk to affected systems.
DNS manipulation and firewall rule changes further illustrate GOSAR's threat potential. The malware uses asynchronous procedure call (APC) injection into processes such as svchost.exe and dllhost.exe to execute its payloads discreetly, showing injection pathways designed for evasion.
Elastic Security has published YARA rules as part of its detection toolkit to help organisations safeguard their systems from GOSAR and SADBRIDGE-related threats. The rules aim to detect anomalous activities and prevent adversaries from exploiting system vulnerabilities.