I did some string searches in Hybrid-Analysis as well to look for more files. (Thanks Hybrid-Analysis for a researcher account!) I finally ended up with this yara rule (i'll learn to write better rules one day):

Searching that on Hybrid-Analysis results in the following hashes:

You can also run strings on the file and extract C2 information by doing egrep:
strings -f * | egrep '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):(\d{0,5})'

One more thing I noticed while researching this is mention of "geodezine" backdoor. Some of the samples connect to the same C2 server as the golang backdoor connects to. I haven't looked too much into it but here's a rule:

And here are the hashes that show up on Hybrid-Analysis:

Summary of where this Golang malware shows up and timeline:

December 2017

The Shadows of Ghosts Inside the response of a unique Carbanak intrusion

Filename: ctlmon.exe

Malware name: GOTROJ

C2: 107.181.246[.]146

Hashes:

450605b6761ff8dd025978f44724b11e0c5eadcc

08f527bef45cb001150ef12ad9ab91d1822bb9c7

7b27771de1a2540008758e9894bfe168f26bffa0

Attack involved exploitation of CVE-2017-5638

May 2021

Mercenary APT Groups Targeting the Financial Services Industry

Filename: winnta / main

Malware name: GOTROJ-related / gsh

C2: 45.76.236[.]136, 198.199.104[.]97

"cyber mercenary attack targeting a major US-based financial services organization"

August 2021

PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity

Filename: winnta

Malware name: GOTROJ

Hashes:

2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46

55320dcb7e9e96d2723176c22483a81d47887c4c6ddf063dbf72b3bea5b279e3

57150938be45c4d9c742ab24c693acc14cc071d23b088a1facc2a7512af89414

9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765

exploitation of CVE-2020-14882 and CVE-2020-14750

March 2022

Forged in Fire: A Survey of MobileIron Log4Shell Exploitation

Malware name: DARKDOOR

C2: 162.33.178[.]149, 195.149.87[.]87

Attributed to UNC961 and related to exploitation of Log4j in Horizon and MobileIron

April 2022

Ragnarlocker Ransomware IOCs

Filename: ctlmon.exe

Malware name: GOTROJ

C2: 45.63.89[.]250

Related to breach involving Ragnarlocker according to the post

September 2022

This is the sample that I started out my research with

Filename: winnta.exe

Hash: 020f6b3e045fa6b968226a8f2b2800dc55c65e842607d04d68b47ef4d18b0eee

C2: 195.149.87[.]87

I just found the sample. I'm not sure what campaign it's related to or any other details. The C2 matches the Mandiant report though.

You should be able to pivot from C2 to sample hash or sample hash to C2 using VirusTotal. Some vendors didn't supply C2s or hashes.

As far as I know, I have not seen any of these samples running and successfully connecting to C2 in any of the public sandboxes. I haven't seen results in Shodan or Censys that show the C2 port open even with historical search for the September 2022 sample.

There may be more samples on VirusTotal but I'm doing this independently and don't have access to VT.

I'm not a CTI person. To me this looks like a golang backdoor used by multiple actors. I just hope this post helps anyone Googling things because this sample has been called different things by different vendors and that's annoying.