Arid Gopher

What is Arid Gopher?

Arid Gopher is a novel variant of the Micropsia malware family written in the Go programming language that was discovered by Deep Instinct Research in March of 2022.

Where did it come from?

The Micropsia malware family was developed by the group known as APT-C-23 or Arid Viper. The malware mostly targeted the Middle East, specifically Palestinian targets. Arid Viper also developed an Android version that focused on Israeli targets, and the group was found to be associated with the Hamas terrorist organization.

Arid Gopher has been observed to share many fingerprints with earlier Arid Viper tooling, such as references to popular TV shows and the same C2 framework, Laravel. As such, it appears to be associated with the same group.

What does it do?

Arid Gopher, like its predecessor Micropsia, is info-stealer malware whose purpose is to establish a foothold, collect sensitive system information, and send it back to a C2 (Command & Control) network. It uses several social engineering tricks to entice the user to run the malware:

  • Uses the Microsoft Word icon
  • Uses a very long file name to hide the .exe extension
  • Writes a benign decoy file to a specific folder and presents it to the victim
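A defensive heuristic for the long-file-name trick listed above, written here as an added example (not Deep Instinct's code and not derived from an Arid Gopher sample): flag executables whose names are long or shaped so that the real extension is unlikely to be visible to the user. The length threshold and the sample file names are constructed assumptions.

```python
import os
import re

# Extensions Windows will execute on double-click; a file with one of these
# extensions but a document-looking name matches the pattern described above.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_HINTS = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf)\b", re.IGNORECASE)

# Assumption: names longer than this are usually truncated in Explorer or a
# mail client, so the true extension can be hidden from view.
LONG_NAME_THRESHOLD = 100


def deceptive_name_reasons(filename: str) -> list[str]:
    """Return the reasons a name looks like a disguised executable (empty if none)."""
    base, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        return []
    reasons = []
    if len(filename) > LONG_NAME_THRESHOLD:
        reasons.append("very long name may hide the executable extension")
    if DOCUMENT_HINTS.search(base):
        reasons.append("document-style extension embedded before the real one")
    if re.search(r"\s{3,}", base):
        reasons.append("runs of whitespace push the real extension out of view")
    return reasons


def scan_names(filenames):
    """Map each suspicious name to its reasons; names with no findings are omitted."""
    findings = {}
    for name in filenames:
        reasons = deceptive_name_reasons(name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample names for demonstration, not real Arid Gopher file names.
SAMPLE_NAMES = [
    "Quarterly report.docx",
    "setup.exe",
    "Meeting minutes " + "on regional cooperation " * 5 + ".docx" + " " * 40 + ".exe",
    "invoice.pdf.scr",
]

if __name__ == "__main__":
    for name, reasons in scan_names(SAMPLE_NAMES).items():
        print(f"{name[:40]}...: {', '.join(reasons)}")
```

This only covers the file-name trick; the icon and decoy-document tricks need inspection of the PE resources and the dropped file, which this snippet does not attempt.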

The Deep Instinct Prevention platform helps protect organizations against this and other unknown attacks without the need for constant updates and cloud intelligence because of the superiority of the Deep Learning static analysis engine. Both known and unknown threats are prevented in <20ms with a false positive rate of <0.1%. 

Further Reading