Elastic Security Labs has identified a new malware family, GOSAR, a Golang-based rewrite of the QUASAR backdoor, which is currently under development and targeting Chinese-speaking victims. The GOSAR backdoor is deployed through a custom loader named SADBRIDGE, leveraging advanced techniques such as DLL side-loading and process injection to evade detection. With multi-platform support and enhanced evasion mechanisms, GOSAR represents a significant cybersecurity threat.
Threat Implications
Elastic Security Labs warns that GOSAR's ability to run without tripping common endpoint defences poses significant risk. While the backdoor is still under development, the fact that it is written in Go and built to run on more than one platform signals a rising level of threat complexity. Organizations in Chinese-speaking regions are particularly at risk, since the loader's customizations are aimed at security products common there.
Overview of GOSAR and SADBRIDGE
The GOSAR malware is distributed via a custom infection chain, prominently featuring the SADBRIDGE loader. This loader employs DLL side-loading (dropping a malicious DLL next to a legitimate, signed executable that loads it by name) and process injection to run its payload under the cover of trusted processes. The deployment chain begins with an MSI installer designed to appear as legitimate software such as web browsers or messaging applications, so the chain itself is Windows-specific; GOSAR, being written in Go, is built with support for more than one platform.
Elastic Security Labs has associated this malware with an ongoing campaign, tracked as REF3864, in which adversaries masquerade as legitimate vendors to distribute trojanized applications. For instance, samples retrieved from VirusTotal were disguised under trusted brands such as Telegram and Opera GX. These samples had low detection rates and used the SADBRIDGE loader to deploy the GOSAR payload.
Detection and Mitigation
To counter the threat posed by GOSAR and SADBRIDGE, Elastic Security Labs has released YARA rules that match the loader and backdoor samples on disk and in memory, helping organizations identify infections from this deployment chain.
Organizations are advised to implement the following measures:
- Regular Updates: Ensure that all systems and applications are up-to-date with the latest security patches.
- Endpoint Protection: Deploy robust endpoint detection and response (EDR) solutions to monitor suspicious activities.
- Network Monitoring: Use network monitoring tools to identify unusual traffic patterns, especially long-lived encrypted connections from endpoints to unfamiliar destinations.
- Employee Awareness: Train employees to recognize phishing attempts and avoid downloading software from unverified sources.
Technical Details and Infection Process
The infection process begins with the placement of malicious files on targeted systems. These files are designed to appear legitimate and use Windows services and scheduled tasks to establish persistence. Key infection methods include:
- DLL Side-Loading: SADBRIDGE ships a legitimate signed executable, such as x64dbg.exe, together with a malicious DLL bearing the name of one the executable imports, so the payload executes inside a trusted process.
- Privilege Escalation: The malware abuses an auto-elevating COM interface to bypass User Account Control and obtain administrator rights, then uses a scheduled task to run with SYSTEM-level privileges.
- Evasion Techniques: The malware neutralizes Windows Defender and other security telemetry by patching APIs in memory, encrypts its configuration and payload stages so that they are only decrypted at run time, and manipulates the Process Environment Block (PEB) to disguise the origin of its code.
Additionally, SADBRIDGE demonstrates a high degree of customization, targeting Chinese antivirus tools and tailoring firewall rules with Chinese-specific descriptors to maximize its effectiveness.
Advanced Capabilities of GOSAR
The GOSAR backdoor extends the functionality of its predecessor, QUASAR, by incorporating advanced features such as:
- Information Gathering: Enhanced capabilities for keylogging, clipboard monitoring, and system reconnaissance.
- Remote Operations: Execution of commands, file transfers, and plugin support for extended functionality.
- Network Communication: Command-and-control traffic is carried over TLS on top of TCP, so the data exchanged with the operator is encrypted in transit.
The loader also uses asynchronous procedure call (APC) injection into processes such as svchost.exe and dllhost.exe, so that the payload runs inside a legitimate Windows process. Further defence-evasion measures, including DNS manipulation and the addition of firewall rules, round out its approach.
Conclusion
The discovery of GOSAR and its deployment mechanism, SADBRIDGE, highlights the evolving nature of cyber threats and the increasing sophistication of malware tailored to specific regions. Elastic Security Labs continues to monitor this campaign and urges organizations to strengthen their security posture to mitigate the risks posed by this emerging threat. With a backdoor built for more than one platform and a loader equipped with evasion and privilege-escalation tactics, GOSAR underscores the need for proactive and comprehensive security measures.