A never-before-seen Micropsia malware variant is making the rounds on the Internet. Discovered by Deep Instinct’s Threat Research team, the malware is named Arid Gopher and is attributed to the Arid Viper (APT-C-23) threat actor group.

First appearance

  • The team came across Arid Gopher malware while investigating an executable file written in the Go programming language. 
  • The identified file was initially submitted on VirusTotal on December 29, 2021, and was detected by only six security vendors.
  • In addition, the researchers discovered two more similar files written in Go.
  • Upon analysis, all three files were found to share a common code base, apart from some unique code in each.

About Micropsia

  • Discovered in 2017, Micropsia was initially designed to target Windows systems. 
  • The malware was primarily used against several entities in the Middle East region, with most of the targets in Palestine.
  • In April 2021, Facebook published a report about a new version of the malware targeting iOS devices.
  • The report also highlighted how the Arid Viper APT kept changing the programming language used to develop the Micropsia malware; this has included Pascal, Delphi, C++, and Python.

About Arid Gopher

  • According to researchers, the newly found Arid Gopher is still under development.
  • One of these variants is named Arid Gopher V1 and is written in Go 1.16.5gs. It contains public code from libraries found on GitHub and was uploaded to VirusTotal in August 2021 inside a RAR archive.
  • It uses the domain grace-fraser[.]site as its C2. The C2 is built on the Laravel framework, which Arid Viper also used in previous campaigns.
  • Arid Gopher V1 is distributed via fake Word documents that pretend to contain investment-related information.
  • In 2022, two new versions of Arid Gopher V2 were discovered.
  • The versions are written in Go 1.17.4 and include all libraries from V1 except for the ‘go-windows-shortcut’ library. The main difference between the two samples is the decoy content.
  • They use the domain pam-beesly[.]site as a C2.

Key observation

Besides the main implant, researchers also revealed a helper malware, likewise written in Go. It is a second-stage payload that is downloaded from the C2 server. Because the malware relies heavily on fake Word documents and similar lures for distribution, organizations are advised to deploy more advanced solutions capable of classifying such files as malicious or legitimate.

Cyware Publisher
