Unraveling GOVERSHELL: The Espionage Malware Behind UTA0388’s Campaigns


By Tina Reynolds

Cybersecurity specialists from Mandiant have recently discovered a new, advanced espionage malware called GOVERSHELL, which has been linked to a China-affiliated threat actor designated as UTA0388. The malware has become a potent component of spear-phishing attacks aimed specifically at individuals living and working in North America, Asia, and Europe. GOVERSHELL comes in five variants: HealthKick, TE32, TE64, WebSocket, and Beacon. Every variant offers strong command-execution and information-theft capabilities.

The malware, developed in the Go programming language, is delivered via highly targeted, well-crafted phishing emails. These messages lure victims onto a page that imitates a Cloudflare CAPTCHA verification; from there, without their knowledge, a ZIP archive is downloaded. The archive contains a simple Windows shortcut (LNK) file that triggers a PowerShell script. While the script opens a decoy document, it stealthily launches PlugX using DLL side-loading.
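As an added defender-side illustration (not part of the original article or of any vendor's tooling), the following Python heuristics flag the shortcut-to-PowerShell stage and the DLL side-loading stage of the delivery chain described above, run over constructed process-creation and image-load events with Sysmon-style fields; the field names, paths, switches and alert thresholds are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
@dataclass
class Event:
    kind: str          # "process" (process creation) or "imageload" (DLL load)
    image: str         # new process path, or the process that loaded the DLL
    parent: str = ""   # parent process path (process events only)
    cmdline: str = ""  # full command line (process events only)
    loaded: str = ""   # path of the loaded DLL (imageload events only)
# Directories where an extracted ZIP archive and its shortcut typically land (assumed)
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp|temp)\\", re.I)
# PowerShell switches used to hide the window, pass encoded commands or bypass policy
PS_FLAGS = re.compile(r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\s|-(ep|executionpolicy)\s+bypass", re.I)

def reasons_for(ev: Event) -> list[str]:
    """Return the heuristics this single event trips (empty if none)."""
    hits = []
    if ev.kind == "process" and ev.image.lower().endswith("powershell.exe"):
        if ev.parent.lower().endswith("explorer.exe"):
            hits.append("powershell.exe spawned by explorer.exe (what a double-clicked shortcut looks like)")
        if PS_FLAGS.search(ev.cmdline):
            hits.append("hidden-window / encoded-command / policy-bypass switches")
        if USER_WRITABLE.search(ev.cmdline):
            hits.append("script path inside a user-writable staging directory")
    elif ev.kind == "imageload" and USER_WRITABLE.search(ev.loaded):
        # A DLL beside its host executable in a user-writable folder is the side-loading layout
        if ntpath.dirname(ev.loaded).lower() == ntpath.dirname(ev.image).lower():
            hits.append("DLL loaded from the same user-writable directory as its host executable")
    return hits

def detect(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Alert on PowerShell events tripping two or more heuristics and on any side-loading event."""
    alerts = []
    for ev in events:
        hits = reasons_for(ev)
        if len(hits) >= (2 if ev.kind == "process" else 1):
            alerts.append((ev.image, hits))
    return alerts

# Constructed sample telemetry (not real logs): one malicious chain plus two benign events
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -w hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\Report\launch.ps1"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\svchost.exe", cmdline=r"powershell.exe -File C:\Scripts\backup.ps1"),
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\Report\viewer.exe",
          loaded=r"C:\Users\alice\AppData\Local\Temp\Report\helper.dll"),
    Event("imageload", r"C:\Windows\System32\notepad.exe", loaded=r"C:\Windows\System32\kernel32.dll"),
]
```

Running `detect(SAMPLE_EVENTS)` returns two alerts: the hidden PowerShell launch from the Temp directory and the DLL loaded beside its host executable; the two benign events produce none.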

Variants and Capabilities of GOVERSHELL

Each of GOVERSHELL’s five variants has distinct features that broaden the malware’s operational versatility. HealthKick executes commands through cmd.exe, while TE32 executes commands via a PowerShell reverse shell. TE64 is notable for its dual native/dynamic command-execution mode, which is implemented using PowerShell.

The WebSocket variant uses powershell.exe to run PowerShell commands, enabling a wide range of malicious actions. The Beacon variant goes further: it allows the operator to set a base polling interval and to define how polling occurs, with options such as randomization of the interval or direct execution of the received command.

Together, these variants show how flexibly GOVERSHELL can operate and move within a compromised environment. Its ability to evade detection makes it a highly effective weapon in UTA0388’s arsenal.

Phishing Tactics Employed by UTA0388

UTA0388 has shown great creativity in designing phishing campaigns that take advantage of social engineering techniques. The threat actor has employed various lures and fictional identities across multiple languages, including English, Chinese, Japanese, French, and German.

“The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations,” noted Volexity. This degree of specificity maximizes the chances of successful infiltration.

These phishing campaigns targeted specific individuals to lure them into clicking links, not realizing that those links led to a remotely hosted web archive loaded with malicious payloads. By sending these emails through platforms such as Proton Mail, Microsoft Outlook, and Gmail, UTA0388 further masked its activity within ordinary, legitimate-looking communications.

Abuse of Legitimate Services

UTA0388 has abused legitimate web services such as Netlify, Sync, and OneDrive to stage its archive files. This strategy proved instrumental in distributing GOVERSHELL efficiently. Beyond helping to avoid detection, it lends the delivered files an appearance of legitimacy.

Organizations are strengthening their cybersecurity posture to combat growing cyber threats, yet the tactics employed by UTA0388 highlight the ever-evolving challenge that advanced persistent threats (APTs) pose. The automation of phishing content generation, possibly leveraging generative language models, has allowed UTA0388 to scale up its operations with minimal human intervention.