Malware

New Go-written GobRAT RAT targets Linux Routers in Japan

A new Golang remote access trojan (RAT), tracked as GobRAT, is targeting Linux routers in Japan, the JPCERT Coordination Center warns.

JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote access trojan (RAT) called GobRAT.

Threat actors are targeting Linux routers with publicly exposed WEBUI to execute malicious scripts to deploy the GobRAT malware.

“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT.” reads the alert published by the JPCERT Coordination Center (JPCERT/CC).

Loader Script acts as a loader, it supports multiple functions for downloading and deploying the GobRAT. The experts noticed an SSH public key, likely used as a backdoor, which is hard-coded in the script. The Loader Script maintains persistence via crontab because GobRAT does not support such a function.

The Loader Script includes multiple functions, such as disabling Firewall, downloading GobRAT for the target machine’s architecture, creating Start Script and making it persistent, creating and running the Daemon Script, and registering a SSH public key in /root/.ssh/authorized_keys.

The RAT communicates with C2 server via TLS and can execute various commands. The Japan CERT reported that the RAT is packed with UPX version 4 series. The researchers observed samples for multiple architectures, including ARM, MIPS, x86, and x86-64.

Upon starting up, the GobRAT checks IP address and MAC address of itself, uptime by uptime command, network communication status by /proc/net/dev.

The malware supports 22 commands, the researchers have identified the following commands:

  • Obtain machine Information
  • Execute reverse shell
  • Read/write files
  • Configure new C2 and protocol
  • Start socks5
  • Execute file in /zone/frpc
  • Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

“In recent years, different types of malware using Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by Go language, for communication.” concludes the alert that also provides indicators of compromise. “Please continuously beware of malware that infects routers, not limited to GobRAT, since they are difficult to detect.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Ivanti warns of a new actively exploited Cloud Services Appliance (CSA) flaw

Ivanti warned of a new Cloud Services Appliance (CSA) vulnerability that is being exploited in…

10 hours ago

International law enforcement operation dismantled criminal communication platform Ghost

An international law enforcement operation infiltrated the encrypted messaging app Ghost, which was widely used…

12 hours ago

U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle…

15 hours ago

SIEM for Small and Medium-Sized Enterprises: What you need to know

Small and medium-sized enterprises (SMEs) are a frequent target for cybercriminals. How can SIEM help…

22 hours ago

Antivirus firm Dr.Web disconnected all servers following a cyberattack

Russian anti-virus firm Doctor Web (Dr.Web) disconnected all servers following a cyberattack over the weekend.…

23 hours ago

Experts warn of China-linked APT’s Raptor Train IoT Botnet

Researchers warn of a new IoT botnet called Raptor Train that already compromised over 200,000…

1 day ago

This website uses cookies.