Gon Malware Description
Judging by its functionality, the Gon Malware was determined to be a post-exploitation tool that gives the threat actors who deployed it substantial control over an already compromised system. The Gon Malware was observed as part of attacks against Kuwaiti organizations working in the shipping and transportation industries. The tool is part of a whole set of malware threats developed by this particular hacker group. Most of their custom-made malware was given names taken from characters in the popular manga and anime series 'Hunter x Hunter', such as Sakabota, Hisoka, Gon, Killua and Netero.
The Gon Malware is usually deployed after the targeted computer has already been infected with the Hisoka tool. Through the Gon Malware, the hackers can drop files onto or upload files from the affected device, scan for open ports on remote systems, take arbitrary screenshots, discover other systems connected to the same network and execute commands through WMI or PsExec. They can also establish Remote Desktop Protocol (RDP) connections via the plink utility.
The Gon Malware can be controlled through either a command-line utility or a desktop application with a graphical user interface (GUI). By entering the '-help' command in the command-line utility, the hackers can list all of the threatening actions that can be performed by the Gon Malware, one of them being 'self Distruct.' The GUI offers the same functionality, but a password must be provided to launch it. After entering '92' as the password, a pop-up window is generated with an image of Gon and Killua from the 'Hunter x Hunter' anime as its background. One aspect that sets the GUI apart from the command-line utility is the inclusion of an option called 'Persona Use.' When enabled, this option disables a masking feature that hides the GUI if the user's cursor is placed outside of the malware's window for more than 80 seconds. The GUI also allows the hackers to scrape computer, group, and user names from Active Directory through the 'dsquery' tool.