
Godlike12

Posted: August 12, 2020

Godlike12 is a custom-built backdoor Trojan whose development and usage have been attributed to the Holy Water APT (Advanced Persistent Threat) actor. The group's activities were first analyzed and described in December 2019, when it launched a large watering hole attack that targeted minority ethnic groups in Asia. The Godlike12 payload was used in these attacks, and it was usually delivered via a fake Adobe Flash Player update package that victims were asked to download when they visited a compromised website.

The Simple Godlike12 Backdoor Relies on Google Drive to Receive Commands and Transfer Data

The threat was created with the use of the Go programming language – a rather unpopular programming solution among cybercriminals. Once Godlike12 is active, it immediately gathers some basic information about the infected system: network configuration, MAC address, Windows version, hostname and the current time. The collected data is stored in a file titled '<VICTIM ID>-tk.txt' and then transferred to a Google Drive folder controlled by the perpetrators. The Google Drive folder also held two other files with similar names, '<VICTIM ID>-cs.txt' and '<VICTIM ID>-rf.txt'. The former was found to contain commands that Godlike12 will execute, while the latter contained the output of the executed commands. This is a very peculiar usage of the Google Drive service as a makeshift C2 (Command-and-Control) server.
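The three-file naming convention described above ('<VICTIM ID>-tk.txt', '-cs.txt', '-rf.txt') is itself a usable detection signal: a host that uploads a '-tk.txt' and '-rf.txt' file and downloads the matching '-cs.txt' file from Google Drive is behaving exactly like the implant. The following Python script is an added example, not code from the original article or from any analysis of the malware. It groups file events by victim ID and reports which IDs show the full tk/cs/rf triplet. The event line format ("<timestamp> <host> <action> <filename>"), the sample events and the assumption that the victim ID is a run of word characters are all constructed for the example; the real victim ID format is not documented here.

```python
import re
from collections import defaultdict

# Filename convention described for Godlike12's Google Drive C2:
#   <VICTIM ID>-tk.txt  host fingerprint uploaded by the implant
#   <VICTIM ID>-cs.txt  commands written by the operators
#   <VICTIM ID>-rf.txt  output of the executed commands
C2_SUFFIXES = {"tk": "fingerprint", "cs": "command", "rf": "result"}

# Assumption: the victim ID is a run of word characters or hyphens; the
# article does not document its real format, so this pattern is illustrative.
FILENAME_RE = re.compile(r"^(?P<vid>[\w-]+?)-(?P<kind>tk|cs|rf)\.txt$")

# Constructed sample events in a hypothetical format:
#   "<timestamp> <host> <action> <filename>"
# These are not real telemetry from the campaign.
SAMPLE_EVENTS = """\
2020-08-01T10:00:01Z WS-117 upload 7f3a9c-tk.txt
2020-08-01T10:05:12Z WS-117 download 7f3a9c-cs.txt
2020-08-01T10:05:40Z WS-117 upload 7f3a9c-rf.txt
2020-08-01T11:00:00Z WS-204 upload report-tk.txt
2020-08-01T11:30:00Z WS-309 upload notes.txt
"""


def parse_event(line):
    """Split one constructed event line into its fields; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, host, action, filename = parts
    return {"ts": ts, "host": host, "action": action, "filename": filename}


def classify_filename(filename):
    """Return (victim_id, kind) if the name follows the Godlike12 convention, else None."""
    m = FILENAME_RE.match(filename)
    if not m:
        return None
    return m.group("vid"), m.group("kind")


def find_godlike12_c2(events_text):
    """Group matching filenames by victim ID.

    Returns (full, partial): IDs whose complete tk/cs/rf triplet was observed
    (high confidence) and IDs where only some suffixes appeared (worth a look,
    since a single '-tk.txt' name may be a coincidence).
    """
    seen = defaultdict(lambda: {"hosts": set(), "kinds": set()})
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        classified = classify_filename(ev["filename"])
        if classified is None:
            continue
        vid, kind = classified
        seen[vid]["hosts"].add(ev["host"])
        seen[vid]["kinds"].add(kind)

    full, partial = {}, {}
    for vid, info in seen.items():
        bucket = full if info["kinds"] == set(C2_SUFFIXES) else partial
        bucket[vid] = {"hosts": sorted(info["hosts"]), "kinds": sorted(info["kinds"])}
    return full, partial


if __name__ == "__main__":
    full, partial = find_godlike12_c2(SAMPLE_EVENTS)
    for vid, info in full.items():
        print(f"HIGH  victim-id={vid} hosts={info['hosts']} files={info['kinds']}")
    for vid, info in partial.items():
        print(f"LOW   victim-id={vid} hosts={info['hosts']} files={info['kinds']}")
```

The split into full and partial matches matters in practice: '-tk.txt' alone is a weak indicator, but the same ID appearing with all three suffixes, from the same host, within a short window, is the command-and-result cycle the article describes and is worth an alert on its own.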

The Godlike12 Backdoor has limited functionality when compared to the Stitch Backdoor that the Holy Water APT hackers also use. However, Godlike12 should definitely not be underestimated, since its ability to execute remote commands is more than enough to cause a lot of trouble for the infected victim. Thankfully, the Godlike12 payload does not contain any anti-analysis or anti-debugging techniques, and modern anti-virus products are able to detect, report and remove its components easily.
