EchoGather

EchoGather is a remote access trojan/backdoor associated with the Paper Werewolf (also known as GOFFEE/Goffee) cluster and used in espionage campaigns targeting Russian organizations, including military, defense-industry, and related entities. It has been distributed through multiple delivery chains, including C# droppers masquerading as Starlink restriction-bypass or registration tools and BattleFlight UAV/drone training simulator installers, as well as a malicious Excel XLL add-in campaign. In the Starlink-themed campaign, the payload was Base64-encoded and XOR-encrypted, saved as %APPDATA%\Microsoft\Windows\mssw.exe, and executed by the dropper; in the BattleFlight campaign it was saved as %APPDATA%\Microsoft\Windows\msms.exe; in the XLL campaign, the loader dropped mswp.exe into %APPDATA%\Microsoft\Windows and launched it hidden. The XLL loader triggered malicious execution from DllMain on DLL_THREAD_DETACH rather than standard XLL exports.

EchoGather performs host reconnaissance and anti-analysis checks. Reported anti-VM/anti-sandbox behavior includes hostname comparison, timing checks using QueryPerformanceFrequency and QueryPerformanceCounter, sleep validation with GetTickCount64 and NtDelayExecution, disk-size checks, and executable-name-length checks. It collects system information including local/private IPv4 addresses, OS type, architecture, computer or NetBIOS name, username, workstation/domain configuration, current process ID, executable path, and in one sample a static version string of 1.1.1.1.

The malware communicates with hardcoded command-and-control infrastructure over HTTP(S), using POST requests and Base64-encoded data. Reported C2s include syncheaven[.]online with path sync/now/ru/moscow/fetch, certcheck[.]online with a certificate-themed API path, and fast-eda[.]my:443 with a long food-delivery-themed path. It uses WinHTTP, supports proxy configuration, and in the XLL-reported sample ignores SSL/TLS certificate validation errors. Beaconing has been described as an infinite loop with randomized sleep intervals of 300-360 seconds.

EchoGather supports remote command execution and file transfer. Documented command functionality includes updating sleep/beacon delay, executing commands via cmd.exe, uploading files/exfiltration, and downloading or remotely writing files. One BattleFlight-linked variant reportedly lacked command 0x57 for downloading files from C2 to the host.

Known indicators directly mentioned in the content include dropped filenames mssw.exe, msms.exe, and mswp.exe under %APPDATA%\Microsoft\Windows; C2 domains syncheaven[.]online, certcheck[.]online, and fast-eda[.]my; and sample SHA-256 hashes 74fab6adc77307ef9767e710d97c885352763e68518b2109d860bb45e9d0a8eb for an EchoGather payload and 0506a6fcee0d4bf731f1825484582180978995a8f9b84fc59b6e631f720915da for an XLL loader carrying EchoGather.