New Go-written GobRAT RAT targets Linux Routers in Japan

A new Golang remote access trojan (RAT), tracked as GobRAT, is targeting Linux routers in Japan, the JPCERT Coordination Center warns.

JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote access trojan (RAT) called GobRAT.

Threat actors are targeting Linux routers with publicly exposed WEBUI to execute malicious scripts to deploy the GobRAT malware.

“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT.” reads the alert published by the JPCERT Coordination Center (JPCERT/CC).

Loader Script acts as a loader, it supports multiple functions for downloading and deploying the GobRAT. The experts noticed an SSH public key, likely used as a backdoor, which is hard-coded in the script. The Loader Script maintains persistence via crontab because GobRAT does not support such a function.

The Loader Script includes multiple functions, such as disabling Firewall, downloading GobRAT for the target machine’s architecture, creating Start Script and making it persistent, creating and running the Daemon Script, and registering a SSH public key in /root/.ssh/authorized_keys.

The RAT communicates with C2 server via TLS and can execute various commands. The Japan CERT reported that the RAT is packed with UPX version 4 series. The researchers observed samples for multiple architectures, including ARM, MIPS, x86, and x86-64.

Upon starting up, the GobRAT checks IP address and MAC address of itself, uptime by uptime command, network communication status by /proc/net/dev.

The malware supports 22 commands, the researchers have identified the following commands:

Obtain machine Information
Execute reverse shell
Read/write files
Configure new C2 and protocol
Start socks5
Execute file in /zone/frpc
Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

“In recent years, different types of malware using Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by Go language, for communication.” concludes the alert that also provides indicators of compromise. “Please continuously beware of malware that infects routers, not limited to GobRAT, since they are difficult to detect.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.