APT Attacks Target India’s Government with GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
Summary
Zscaler ThreatLabz uncovered two campaigns, Gopher Strike and Sheet Attack, run by a Pakistan-linked APT group targeting Indian government organizations. The activity introduces Go-based tooling, GOGITTER, GITSHELLPAD, and GOSHELL, to stage payloads, use private GitHub repositories for command and control (C2), and ultimately deploy a Cobalt Strike beacon. Initial access is achieved through spear-phishing PDFs that lure victims into downloading malicious ISO files. The operators layer multiple evasion methods, including environment checks, file padding, and scheduled-task persistence.
Investigation
Analysis showed GOGITTER checks for the presence of a windows_api.vbs script, creates it if absent, and registers a scheduled task to run it every 50 minutes. GITSHELLPAD uses the GitHub REST API for command retrieval and data exfiltration, while GOSHELL loads a staged Cobalt Strike beacon only on selected hostnames. The tools embed hard-coded URLs and user-agent strings to hinder automated analysis and sandboxing. The campaigns also used private GitHub repositories to host supporting payloads such as adobe_update.zip.
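The persistence behaviour described above can be hunted directly in Windows Security event 4698 (a scheduled task was created), whose TaskContent field carries the task XML. The block below is an added example, not code from the Zscaler report or from the malware itself: it parses that XML and flags tasks that run a .vbs through wscript.exe or cscript.exe, reference windows_api.vbs, repeat every 50 minutes, or carry the MicrosoftEdge_ConfigurationUpdate_ name prefix. The two sample events, including the task-name suffix and the script path, are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (as carried in event 4698 TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_NAME_PREFIX = "MicrosoftEdge_ConfigurationUpdate_"
SUSPICIOUS_SCRIPT = "windows_api.vbs"
SUSPICIOUS_INTERVAL_MIN = 50


def iso8601_minutes(interval):
    """Convert a Task Scheduler duration (PT50M, PT1H, P1D) to minutes; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval or "")
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs // 60


def score_task(task_name, task_xml):
    """Return the reasons a newly created task looks like GOGITTER persistence (empty = benign)."""
    reasons = []
    name = task_name.lstrip("\\")
    if name.startswith(SUSPICIOUS_NAME_PREFIX):
        reasons.append("task name mimics an Edge update task")
    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", "", NS) or "").strip().strip('"')
        arguments = exec_node.findtext("t:Arguments", "", NS) or ""
        image = command.lower().rsplit("\\", 1)[-1]
        if image in SCRIPT_HOSTS and ".vbs" in arguments.lower():
            reasons.append(f"{image} executes a VBScript: {arguments.strip()}")
        if SUSPICIOUS_SCRIPT in (command + " " + arguments).lower():
            reasons.append(f"references {SUSPICIOUS_SCRIPT}")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        if iso8601_minutes(interval.text) == SUSPICIOUS_INTERVAL_MIN:
            reasons.append(f"repeats every {SUSPICIOUS_INTERVAL_MIN} minutes")
    return reasons


def hunt_4698(events):
    """events: dicts carrying the 4698 fields TaskName and TaskContent. Returns flagged tasks."""
    flagged = []
    for ev in events:
        reasons = score_task(ev["TaskName"], ev["TaskContent"])
        if reasons:
            flagged.append((ev["TaskName"], reasons))
    return flagged


# Constructed sample events (not real telemetry); the name suffix and script path are made up.
SAMPLE_EVENTS = [
    {
        "TaskName": "\\MicrosoftEdge_ConfigurationUpdate_4f2a",
        "TaskContent": (
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Triggers><TimeTrigger><StartBoundary>2024-05-02T09:00:00</StartBoundary>"
            "<Repetition><Interval>PT50M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>"
            "<Enabled>true</Enabled></TimeTrigger></Triggers>"
            "<Actions><Exec><Command>wscript.exe</Command>"
            '<Arguments>//B "C:\\Users\\Public\\windows_api.vbs"</Arguments></Exec></Actions></Task>'
        ),
    },
    {
        "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
        "TaskContent": (
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Triggers><CalendarTrigger><StartBoundary>2024-05-02T03:00:00</StartBoundary>"
            "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>"
            "<Actions><Exec><Command>%systemroot%\\system32\\usoclient.exe</Command>"
            "<Arguments>StartScan</Arguments></Exec></Actions></Task>"
        ),
    },
]

if __name__ == "__main__":
    for task_name, reasons in hunt_4698(SAMPLE_EVENTS):
        print(task_name)
        for reason in reasons:
            print("  -", reason)
```

Each reason is kept separately rather than collapsed into one boolean so the analyst can weight them: a 50-minute repetition alone is weak, a script host running a .vbs from a user-writable path alongside the Edge-lookalike name is strong. Auditing of scheduled-task creation ("Other Object Access Events") has to be enabled for 4698 to appear at all.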
Mitigation
Block execution of untrusted or unsigned Go binaries and enforce strict allow-listing and review for scheduled-task creation. Monitor outbound traffic to known malicious domains and to GitHub resources used as C2, including anomalous GitHub API usage from non-developer endpoints. Strengthen email security by scanning PDF attachments for obfuscation and blocking links that redirect to ISO downloads. Endpoint detections should alert on creation of windows_api.vbs and on periodic task execution consistent with 50-minute intervals.
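The GitHub-as-C2 pattern called out above is easiest to spot in web proxy telemetry, because the REST API traffic GITSHELLPAD generates is shaped nothing like a developer's. The block below is an added example, not the report's or any vendor's code: it parses proxy log lines, skips an assumed developer allow-list, and flags other hosts that write repository contents through the GitHub REST API (the info.txt upload) or poll a contents endpoint at a near-constant interval (the command.txt dead drop). The log format, host names, repository path and allow-list are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Assumed allow-list of endpoints that legitimately talk to api.github.com.
DEV_HOSTS = {"dev-ws-01", "build-agent-02"}
GITHUB_API = "api.github.com"
# REST "contents" endpoint: /repos/{owner}/{repo}/contents/{path}
CONTENTS_RE = re.compile(r"^/repos/[^/]+/[^/]+/contents/.+$")


def parse_line(line):
    """Parse one 'ts key=value ...' proxy line (constructed format) into a dict."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def analyze(lines, allow_list=DEV_HOSTS, min_polls=4, max_cv=0.2):
    """Return {host: {"uploads": [paths], "polls": [(path, mean_seconds)]}} for suspicious hosts."""
    per_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        url = urlparse(rec["url"])
        if url.hostname == GITHUB_API and rec["host"] not in allow_list:
            per_host[rec["host"]].append((rec["ts"], rec["method"].upper(), url.path))

    findings = {}
    for host, entries in per_host.items():
        # Writes to a contents endpoint from a non-developer box: data going out.
        uploads = sorted({path for _, method, path in entries
                          if method in ("PUT", "POST") and CONTENTS_RE.match(path)})
        gets = defaultdict(list)
        for ts, method, path in entries:
            if method == "GET" and CONTENTS_RE.match(path):
                gets[path].append(ts)
        polls = []
        for path, stamps in gets.items():
            if len(stamps) < min_polls:
                continue
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            # Low coefficient of variation = machine-regular polling, not a human browsing.
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                polls.append((path, avg))
        if uploads or polls:
            findings[host] = {"uploads": uploads, "polls": polls}
    return findings


# Constructed proxy log (not real traffic): FIN-PC-17 behaves like GITSHELLPAD,
# dev-ws-01 is an allow-listed developer box, HR-PC-03 makes one harmless request.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z host=FIN-PC-17 method=GET url=https://api.github.com/repos/acme-upd/cfg/contents/command.txt status=200
2024-05-02T09:00:05Z host=FIN-PC-17 method=PUT url=https://api.github.com/repos/acme-upd/cfg/contents/info.txt status=201
2024-05-02T09:02:11Z host=dev-ws-01 method=GET url=https://api.github.com/repos/acme/app/pulls status=200
2024-05-02T09:10:03Z host=FIN-PC-17 method=GET url=https://api.github.com/repos/acme-upd/cfg/contents/command.txt status=200
2024-05-02T09:14:40Z host=HR-PC-03 method=GET url=https://api.github.com/meta status=200
2024-05-02T09:20:02Z host=FIN-PC-17 method=GET url=https://api.github.com/repos/acme-upd/cfg/contents/command.txt status=200
2024-05-02T09:30:04Z host=FIN-PC-17 method=GET url=https://api.github.com/repos/acme-upd/cfg/contents/command.txt status=200
"""

if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG.splitlines()).items():
        print(host, finding)
```

The allow-list matters more than the thresholds: on a network where developers routinely hit the contents API, the write-to-contents check alone would be noisy, while on finance or HR segments any api.github.com traffic is already worth a ticket. Where TLS is not inspected, the same idea still works on SNI or DNS, but the method and path checks drop away and only the cadence test remains.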
Response
If any IOCs are detected, isolate the endpoint, stop and remove the scheduled task, and delete associated malicious artifacts. Perform a forensic review of GitHub based C2 activity, preserve command execution logs, and remove any exfiltrated or uploaded content where possible. Reset credentials for affected accounts, hunt for lateral movement, and update detections with extracted indicators to identify related activity across the environment.
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef technique fill:#b3e5fc
    classDef tool fill:#ffe0b2
    classDef malware fill:#ffcccb
    classDef process fill:#d5f5e3
    classDef operator fill:#ff9900

    %% Nodes - Attack Steps
    step1_initial_access["<b>Technique</b> – T1204.002 User Execution: Malicious File<br/><b>Description</b>: User runs a malicious file that was delivered via social engineering.<br/><b>Detail</b>: Spear-phishing PDF masquerading as an Adobe Acrobat update; clicking a fake button downloads an ISO with the payload."]
    class step1_initial_access technique
    step2_recon["<b>Technique</b> – T1593.003 Search Open Websites/Domains: Code Repositories<br/><b>Description</b>: Adversary gathers information from public code-hosting sites.<br/><b>Detail</b>: Threat actors create private GitHub repositories that later host C2 and payloads."]
    class step2_recon technique
    step3_exec_vbscript["<b>Technique</b> – T1059.005 Command and Scripting Interpreter: Visual Basic<br/><b>Description</b>: Executes Visual Basic scripts to run commands.<br/><b>Detail</b>: GOGITTER drops windows_api.vbs and runs it to retrieve further commands from a web server."]
    class step3_exec_vbscript technique
    step4_exec_cmd["<b>Technique</b> – T1059.003 Command and Scripting Interpreter: Windows Command Shell<br/><b>Description</b>: Uses the native Windows command shell for execution.<br/><b>Detail</b>: GITSHELLPAD issues commands such as net user, systeminfo, tasklist, and curl."]
    class step4_exec_cmd technique
    step5_persistence["<b>Technique</b> – T1053.005 Scheduled Task/Job: Scheduled Task<br/><b>Description</b>: Creates a scheduled task to run malicious code on a recurring basis.<br/><b>Detail</b>: GOGITTER schedules a task named MicrosoftEdge_ConfigurationUpdate_&lt;random&gt; that runs the VBScript every 50 minutes."]
    class step5_persistence technique
    step6_masquerade["<b>Technique</b> – T1036.008 Masquerading: Masquerade File Type &amp; T1036.007 Double File Extension<br/><b>Description</b>: Files are named to appear legitimate and hide their true type.<br/><b>Detail</b>: Dropped files named windows_api.vbs, adobe_update.zip, edgehost.exe."]
    class step6_masquerade technique
    step7_obfuscation["<b>Technique</b> – T1027.015 Obfuscated Files or Information: Compression<br/><b>Description</b>: Uses compression to hide malicious payloads.<br/><b>Detail</b>: Payloads packaged in ZIP/RAR archives hosted on the private GitHub repository."]
    class step7_obfuscation technique
    step8_account_disc["<b>Technique</b> – T1087.001 Account Discovery: Local Account<br/><b>Description</b>: Enumerates local user accounts on the system.<br/><b>Detail</b>: GITSHELLPAD runs #quot;net user#quot; to list accounts."]
    class step8_account_disc technique
    step9_network_disc["<b>Technique</b> – T1016.001 System Network Configuration Discovery: Internet Connection Discovery<br/><b>Description</b>: Checks for internet connectivity and reachable C2 endpoints.<br/><b>Detail</b>: Uses curl to test connectivity to attacker domains."]
    class step9_network_disc technique
    step10_collection["<b>Technique</b> – T1560.002 Archive Collected Data: Archive via Library<br/><b>Description</b>: Compresses collected data into archives for later use.<br/><b>Detail</b>: Post-compromise tools delivered as ZIP/RAR archives."]
    class step10_collection technique
    step11_c2["<b>Technique</b> – T1102.001 Web Service: Dead Drop Resolver<br/><b>Description</b>: Communicates with command and control via a web service that acts as a dead drop.<br/><b>Detail</b>: Uses the GitHub REST API to upload info.txt and poll command.txt."]
    class step11_c2 technique
    step12_exfil["<b>Technique</b> – T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository<br/><b>Description</b>: Exfiltrates data by uploading it to a code-hosting repository.<br/><b>Detail</b>: Collected info.txt is uploaded to an attacker-controlled GitHub repository."]
    class step12_exfil technique

    %% Connections - Attack Flow
    step1_initial_access -->|leads_to| step2_recon
    step2_recon -->|leads_to| step3_exec_vbscript
    step3_exec_vbscript -->|leads_to| step4_exec_cmd
    step4_exec_cmd -->|leads_to| step5_persistence
    step5_persistence -->|leads_to| step6_masquerade
    step6_masquerade -->|leads_to| step7_obfuscation
    step7_obfuscation -->|leads_to| step8_account_disc
    step8_account_disc -->|leads_to| step9_network_disc
    step9_network_disc -->|leads_to| step10_collection
    step10_collection -->|leads_to| step11_c2
    step11_c2 -->|leads_to| step12_exfil
Attack Flow
Detections
- Possible IP Lookup Domain Communications Attempted (via dns)
- Suspicious Process Utilizes a URL in the Command Line (via cmdline)
- Suspicious CURL Usage (via cmdline)
- Possible System Enumeration (via cmdline)
- Possible Account or Group Enumeration (via cmdline)
- Suspicious Extracted Files from an Archive (via file_event)
- Possible System Network Configuration Discovery (via cmdline)
- IOCs (SHA-1 hashes) to detect: APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
- IOCs (MD5 hashes) to detect: APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
- IOCs (SHA-256 hashes) to detect: APT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1
- Detection of GITSHELLPAD Backdoor and Cleanup Commands [Windows Process Creation]
- Detection of GOGITTER Downloader and C2 Communication [Windows Network Connection]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative must directly reflect the TTPs identified above and generate the exact telemetry the detection logic expects; abstract or unrelated examples will produce a misleading test result.
Attack Narrative & Commands:
An APT group deploys the GITSHELLPAD backdoor (edgehost.exe) onto a compromised Windows host. To blend with expected system behavior, the attacker launches the backdoor via the Windows command shell (cmd /c). After completing its payload (e.g., downloading additional modules), the backdoor performs a cleanup by terminating its own process using taskkill /F /PID <PID>. Both actions generate process-creation events that contain the binary name and the required command-line substrings, satisfying the Sigma rule.
Regression Test Script:
# -------------------------------------------------
# Simulate GITSHELLPAD backdoor execution & cleanup
# -------------------------------------------------
# 1. Drop a placeholder edgehost.exe (any benign executable). ping.exe is used
#    because it runs headless and stays resident for a predictable time; on
#    Windows 11 notepad.exe hands off to the Store app and exits immediately,
#    which would leave nothing for step 4 to kill.
$src = Join-Path $env:SystemRoot 'System32\ping.exe'
$dst = Join-Path $env:TEMP 'edgehost.exe'
Copy-Item -Path $src -Destination $dst -Force

# 2. Launch edgehost.exe via cmd /c (matches the cmd_cmd pattern). The
#    "-n 60 127.0.0.1" arguments keep the placeholder alive for about a minute.
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$dst`" -n 60 127.0.0.1" -WindowStyle Hidden

# 3. Wait a few seconds to ensure the process is alive
Start-Sleep -Seconds 5

# 4. Cleanup: kill the edgehost.exe process using taskkill (matches the
#    taskkill_cmd pattern). Look the PID up by image name: the PID returned by
#    Start-Process would be cmd.exe's, not edgehost.exe's. $pid is a read-only
#    automatic variable in PowerShell, so a different variable name is used.
$targetPid = (Get-Process -Name 'edgehost' -ErrorAction Stop | Select-Object -First 1).Id
cmd /c "taskkill /F /PID $targetPid"

# 5. Remove the dropped file once the process has exited
Start-Sleep -Seconds 2
Remove-Item -Path $dst -Force
Cleanup Commands:
# Ensure any stray edgehost.exe instances are terminated
Get-Process -Name 'edgehost' -ErrorAction SilentlyContinue | Stop-Process -Force

# Delete the temporary binary if still present
$tempPath = Join-Path $env:TEMP 'edgehost.exe'
if (Test-Path $tempPath) { Remove-Item $tempPath -Force }