A newly emerged Go-based remote access trojan, GobRAT, targets Linux routers in Japan by exploiting known vulnerabilities. According to reports, the RAT offers a broad set of capabilities and is built for multiple architectures, including ARM, MIPS, x86, and x86-64.
A coordination centre that analysed the new malware has published a report confirming that GobRAT has been compromising Japanese routers since the start of the year. According to the report, the attack begins with scanning for routers whose web UI is publicly exposed to the internet.
The operators then attempt to break into a target by exploiting known vulnerabilities in it and start the infection chain by running scripts.
The infection chain begins with a Loader Script that disables the firewall, downloads GobRAT, and creates and executes additional scripts, namely a Daemon Script and a Start Script.
The Start Script runs GobRAT and disguises it as an Apache daemon process. The Daemon Script then keeps the Start Script running by checking its status every 20 seconds.
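Two of the behaviours described above leave traces a defender can look for on a router or any other Linux host: a process that calls itself an Apache daemon but runs from an unusual location, and a small shell script that loops with a 20-second sleep to re-launch something. The following script is an added example, not code from the report or from the malware; the process listing and the three shell scripts it inspects are constructed samples, the column layout (pid, comm, resolved `/proc/<pid>/exe` target, command line) is an assumption made for the example, and the "trusted" Apache directories are a reasonable default rather than anything the report specifies.

```python
import re
from dataclasses import dataclass

# Directories from which a genuine Apache daemon is normally launched.
# Anything calling itself apache/httpd but running from elsewhere
# (for example /tmp) deserves a closer look. (Assumed defaults.)
TRUSTED_EXE_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/local/sbin/",
                    "/usr/local/apache2/bin/")
APACHE_NAMES = {"apache", "apache2", "httpd"}

# Constructed sample: columns are pid, comm, the resolved target of
# /proc/<pid>/exe, and the full command line.
PROC_TABLE = """\
1 init /sbin/init /sbin/init
412 httpd /usr/sbin/httpd /usr/sbin/httpd -DFOREGROUND
987 apache /tmp/.x/apache /tmp/.x/apache
1003 sh /bin/busybox sh /tmp/.x/daemon.sh
"""

# Constructed scripts: a loader that flushes the firewall, a watchdog
# that re-launches a start script every 20 seconds, and a benign
# maintenance script for comparison.
LOADER_SH = "#!/bin/sh\niptables -F\nsh /tmp/.x/daemon.sh &\n"
DAEMON_SH = """#!/bin/sh
while true; do
  pgrep -x apache >/dev/null || sh /tmp/.x/start.sh
  sleep 20
done
"""
BENIGN_SH = "#!/bin/sh\n/usr/sbin/httpd -k graceful\n"


@dataclass
class Proc:
    pid: int
    comm: str
    exe: str   # resolved target of /proc/<pid>/exe
    args: str


def parse_proc_table(text: str) -> list[Proc]:
    """Parse the four-column process listing described above."""
    procs = []
    for line in text.strip().splitlines():
        pid, comm, exe, args = line.split(None, 3)
        procs.append(Proc(int(pid), comm, exe, args))
    return procs


def find_masquerading_apache(procs: list[Proc]) -> list[Proc]:
    """Processes named like Apache whose executable lives outside trusted dirs."""
    return [p for p in procs
            if p.comm in APACHE_NAMES and not p.exe.startswith(TRUSTED_EXE_DIRS)]


# Common ways a script turns the host firewall off.
FIREWALL_OFF = re.compile(
    r"\b(?:iptables\s+(?:-F|--flush|-P\s+\w+\s+ACCEPT)|ufw\s+disable)\b")
# A shell loop that sleeps 20 seconds between iterations: the cadence
# the report gives for the Daemon Script's status checks.
WATCHDOG_LOOP = re.compile(r"\bwhile\b[\s\S]*?\bsleep\s+20\b[\s\S]*?\bdone\b")


def script_indicators(text: str) -> set[str]:
    """Tag a shell script with the loader/daemon behaviours it exhibits."""
    tags = set()
    if FIREWALL_OFF.search(text):
        tags.add("firewall_disabled")
    if WATCHDOG_LOOP.search(text):
        tags.add("watchdog_loop_20s")
    return tags


def triage(proc_table: str, scripts: dict[str, str]) -> list[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for p in find_masquerading_apache(parse_proc_table(proc_table)):
        findings.append(f"pid {p.pid}: '{p.comm}' runs from untrusted path {p.exe}")
    for name, body in scripts.items():
        for tag in sorted(script_indicators(body)):
            findings.append(f"{name}: {tag}")
    return findings


if __name__ == "__main__":
    for finding in triage(PROC_TABLE, {"loader.sh": LOADER_SH,
                                       "daemon.sh": DAEMON_SH,
                                       "cron-graceful.sh": BENIGN_SH}):
        print(finding)
```

On a live host the same two functions can be fed the output of `ps -eo pid,comm,args` joined with `readlink /proc/<pid>/exe`, and any shell scripts found under world-writable directories such as `/tmp`. The checks are deliberately narrow heuristics: a process named `httpd` in `/tmp` or a 20-second restart loop is a lead for an analyst, not proof of infection on its own.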
GobRAT can execute numerous commands received from its command-and-control (C2) server.
According to the investigation, GobRAT is packed with UPX (v4 series) and uses TLS to communicate with its server. After a successful infection, it surveys the infected device, collecting its IP or MAC address, total uptime, and the status of its network connectivity.
The C2 string and the Linux commands are stored encrypted in the binary; the RAT decrypts these strings using AES-128 in CTR mode. It supports about 22 commands, including acquiring device information, reading and writing files, starting a SOCKS5 socket, and launching a reverse shell.
Lastly, the RAT can attempt to log in to MySQL, SSHD, PostgreSQL, and Telnet services running on other machines across the network.
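Login attempts fanned out from a compromised router against several services are the kind of thing that stands out in logs: a single source address failing against two or more different daemons within a short period is rarely legitimate. The snippet below is an added example, not part of the report, that aggregates authentication failures per source address from sshd (syslog format) and MySQL (error-log "Access denied" lines) and flags sources that fail against more than one service. The log lines are constructed, the addresses come from the RFC 5737 documentation ranges, and PostgreSQL and Telnet are left out because their failure messages do not carry the client address on the same line in a way this simple parser could rely on.

```python
import re
from collections import defaultdict

# Constructed log lines: sshd entries in syslog format and one MySQL
# error-log entry. Hostnames, times and addresses are made up.
SAMPLE_LOG = """\
May 10 03:12:01 fileserver sshd[2211]: Failed password for root from 192.0.2.44 port 51022 ssh2
May 10 03:12:03 fileserver sshd[2213]: Failed password for admin from 192.0.2.44 port 51030 ssh2
2023-05-10T03:12:05.000000Z 12 [Note] Access denied for user 'root'@'192.0.2.44' (using password: YES)
May 10 03:13:40 fileserver sshd[2290]: Failed password for invalid user test from 198.51.100.7 port 40011 ssh2
May 10 03:15:00 fileserver sshd[2301]: Accepted publickey for ops from 203.0.113.9 port 3022 ssh2
"""

# One pattern per service; each captures (user, source address) in that order.
PATTERNS = {
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"),
    "mysql": re.compile(r"Access denied for user '([^']*)'@'([^']+)'"),
}


def failed_logins(lines: str) -> dict[str, dict[str, int]]:
    """Return {source_ip: {service: failure_count}} from raw log text.

    Successful logins (e.g. 'Accepted publickey') are ignored, so a
    legitimate admin never shows up here.
    """
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines.splitlines():
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[match.group(2)][service] += 1
    return {src: dict(per_service) for src, per_service in counts.items()}


def flag_cross_service_sources(lines: str, min_services: int = 2) -> list[str]:
    """Source addresses that failed against at least `min_services` services."""
    return sorted(src for src, per_service in failed_logins(lines).items()
                  if len(per_service) >= min_services)


if __name__ == "__main__":
    for src, per_service in failed_logins(SAMPLE_LOG).items():
        print(src, per_service)
    print("cross-service failures from:", flag_cross_service_sources(SAMPLE_LOG))
```

In practice the interesting part is where the flagged source sits: if it is the LAN address of a router rather than a workstation, that router itself is the first thing to examine.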
GobRAT is another Go-based malware family that abuses publicly exposed routers. Organisational assets left unattended and exposed to the internet without security checks are therefore susceptible to GobRAT attacks.
Organisations should implement layered defences and regularly audit their internet-facing infrastructure to stay secure.