
Gon Malware

Posted: November 12, 2020

Samples of the Gon Malware were first discovered in May 2019, when the implant was identified on the networks of Kuwait-based companies and businesses. The threat is believed to be used in combination with other prominent malware families targeting the region – xHunt and Hisoka. Cybersecurity researchers believe that the same group of criminals is responsible for the development of the Gon Malware and the Hisoka Malware due to massive overlaps in their source code and functions.

The Gon Malware, however, is not identical to the Hisoka Malware in terms of functionality. When it is deployed on a compromised machine, it gives the attacker a choice between two control options – command-line parameters or a graphical user interface (GUI). To access the GUI version of the Gon Malware, the attacker needs to enter '92' in the implant's command-line interface.

The Gon Malware can be Controlled via a Command-Line or Graphical Interface

Whether it is controlled through the command line or the GUI, the Gon Malware has the same capabilities. It allows the attacker to grab screenshots, discover other machines working in the same network, and use the WMI or PSEXEC services to run remote commands. In addition, the Gon Malware can be used to upload and download files, as well as to initialize a Remote Desktop Protocol (RDP) connection between the attacker and the infected system.

One of the basic but non-typical features of the Gon Malware is that its command-line interface supports the '-help' command. When the operator triggers it, they see a full list of the commands and parameters that the Gon Malware supports, as well as instructions on how to use them.

The Gon Malware is likely to be used as a second-stage implant, which allows attackers to gain a foothold on the previously compromised host and pave the way for additional malware.
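The remote-command (WMI, PSEXEC) and RDP capabilities described above leave standard Windows event-log traces that defenders can hunt for. The following is an added example, not part of the original article or of any vendor's detection content: it assumes events exported as simplified dictionaries (constructed sample data), the default PsExec service name PSEXESVC, and Security 4688 events that record the parent process name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified fields from Windows System/Security logs).
EVENTS = [
    {"time": "2020-11-12T09:00:05", "host": "WS-01", "id": 7045, "ServiceName": "PSEXESVC"},
    {"time": "2020-11-12T09:03:40", "host": "WS-01", "id": 4688,
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"time": "2020-11-12T09:10:00", "host": "WS-01", "id": 4624, "LogonType": 10},
    {"time": "2020-11-12T09:12:00", "host": "WS-02", "id": 4624, "LogonType": 10},
    {"time": "2020-11-12T09:15:00", "host": "WS-03", "id": 4688,
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def classify(ev):
    """Map one event to a technique label, or None if it is not of interest."""
    if ev["id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec_service"        # service installed under PsExec's default name
    if ev["id"] == 4688 and ev.get("ParentProcessName", "").lower().endswith("\\wmiprvse.exe"):
        return "wmi_spawned_process"   # process created by the WMI provider host
    if ev["id"] == 4624 and ev.get("LogonType") == 10:
        return "rdp_logon"             # RemoteInteractive (RDP) logon
    return None

def hunt(events, window=timedelta(minutes=30), min_techniques=2):
    """Return {host: sorted techniques} for hosts showing several techniques in one window."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), label))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for start, _ in seen:
            # Distinct techniques observed from this event up to the end of the window.
            labels = {l for t, l in seen if start <= t <= start + window}
            if len(labels) >= min_techniques:
                flagged[host] = sorted(labels)
                break
    return flagged

if __name__ == "__main__":
    print(hunt(EVENTS))
```

These traces are produced by any use of PsExec, WMI or RDP, including legitimate administration, so a match identifies hosts worth triaging and not the Gon Malware itself.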
