Tag Archives: malware

New Linux Ransomware BlackSuit is similar to Royal ransomware

Experts noticed that the new Linux ransomware BlackSuit has significant similarities with the Royal ransomware family.

Royal ransomware is one of the most notable ransomware families of 2022; it made the headlines in early May 2023 with the attack against the IT systems in Dallas, Texas.

The human-operated Royal ransomware first appeared on the threat landscape in September 2022 and has demanded ransoms of up to millions of dollars.

The Royal ransomware is written in C++. It infects Windows systems and deletes all Volume Shadow Copies to prevent data recovery. The ransomware encrypts the local drives and the network shares found on the local network with the AES algorithm.

In early May, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.

According to government experts, Royal ransomware attacks have targeted numerous critical infrastructure sectors, including manufacturing, communications, healthcare and public health (HPH), and education.

In May, multiple cybersecurity experts, including Palo Alto Unit42, spotted a new ransomware family called BlackSuit.

In the same period, some researchers linked the new ransomware to the Royal ransomware.

Trend Micro researchers then analyzed a Windows 32-bit sample of the ransomware obtained from Twitter.

BlackSuit appends the .blacksuit extension to the name of the encrypted files, drops a ransom note into each directory containing the encrypted files, and adds the reference to its TOR chat site in the ransom note along with a unique ID for each of its victims.

BlackSuit ransomware operators also set up a data leak site.

Trend Micro researchers then compared an x64 VMware ESXi version of BlackSuit targeting Linux machines with the Royal ransomware and found an extremely high degree of similarity between the two families.

“After comparing both samples of the Royal and BlackSuit ransomware, it became apparent to us that they have an extremely high degree of similarity to each other.” reads the analysis published by TrendMicro. “In fact, they’re nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files.”

The comparison revealed 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff.

The researchers mapped the command-line arguments accepted by BlackSuit, and noticed that it introduces different argument strings compared to Royal ransomware.

“The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family.” concludes the report.

“One possibility for BlackSuit’s creation is that, since the threat actors behind Royal (and Conti before it) are one of the most active ransomware groups in operation today, this may have led to increased attention from other cybercriminals, who were then inspired to develop a similar ransomware in BlackSuit. Another option is that BlackSuit emerged from a splinter group within the original Royal ransomware gang.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

New botnet Horabot targets Latin America

A new botnet malware dubbed Horabot has been targeting Spanish-speaking users in Latin America since at least November 2020.

Cisco Talos researchers observed threat actors deploying a previously unidentified botnet, dubbed Horabot, that is targeting Spanish-speaking users in the Americas. The botnet is used to deliver a banking trojan and a spam tool to the infected systems; Horabot has been active since at least November 2020.

The bot allows operators to take control of the victim’s Outlook mailbox, steal the email addresses of the victim’s contacts, and send phishing emails with malicious HTML attachments. The banking trojan deployed as part of the campaign can collect the victim’s login credentials for various online accounts, operating system information, and keystrokes. The malware can also bypass 2FA by stealing one-time security codes and can steal soft tokens from the victim’s online banking applications.

The spam tool allows operators to compromise Gmail, Outlook, and Yahoo! webmail accounts and use them to send out spam emails.

Most of the victims are in Mexico; a limited number of infections were reported in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. Based on Talos’ analysis, the threat actors behind the campaign may be located in Brazil.

The attack chain commences with a tax-themed phishing email written in Spanish, posing as a tax receipt notification. The message is written to trick users into opening the attached malicious HTML file.

“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance.” reads the analysis published by Talos. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”

Upon opening the contents of the file, a PowerShell downloader script is executed. The script retrieves a ZIP file containing the main payloads from a remote server, then reboots the victim’s machine.

The banking Trojan and the spam tool are executed after restarting the system.

The banking trojan employed in this campaign is a 32-bit Windows DLL written in the Delphi programming language; the researchers noticed overlaps with other Brazilian trojans such as Mekotio and Casbaneiro.

“In analyzing the phishing emails used in the campaign, Talos identified that users in organizations across several business verticals — including accounting, construction and engineering, wholesale distributing and investment firms — have been affected. However, the attacker uses Horabot and the spam tool in this campaign to further propagate the attack by sending additional phishing emails to the victim’s contacts, meaning Spanish-speaking users from organizations in additional verticals are likely also affected.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

Point32Health ransomware attack exposed info of 2.5M people

After the recent ransomware attack, Point32Health disclosed a data breach that impacted 2.5 million Harvard Pilgrim Health Care subscribers.

In April, the non-profit health insurer Point32Health took systems offline in response to a ransomware attack that took place on April 17. The insurer immediately launched an investigation into the incident with the help of third-party cybersecurity experts to determine its extent.

The organization notified law enforcement and regulators.

Most impacted systems are related to Harvard Pilgrim Health Care, which in mid-April announced on Facebook that it was experiencing technical issues with its website and phone lines.

At the time of the attack, the company did not provide details about the attack, such as the family of ransomware that compromised its systems and the number of impacted individuals.

Point32Health has now revealed that threat actors exfiltrated data from the Harvard Pilgrim systems between March 28, 2023 and April 17, 2023. The company notified the US Department of Health and Human Services that the information of over 2.55 million individuals was compromised in the ransomware attack, SecurityWeek reported.

“Harvard Pilgrim Health Care (“Harvard Pilgrim”) is providing notice of a data security incident that may affect the privacy of certain individuals’ protected health information and/or personal information.” reads a notice published by the company. “On April 17, 2023, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.”

As of the time of writing, no ransomware group has taken responsibility for the attack.

The stolen data include names, addresses, phone numbers, birth dates, Social Security numbers, health insurance account information, taxpayer identification numbers, and clinical information, including medical history, diagnoses, and treatment details.

The security breach impacted former and current customers, as well as current and former members of Health Plans Inc., between June 2020 and the present.

Harvard Pilgrim pointed out that it is not aware of any fraudulent use of stolen information.


Pierluigi Paganini

(SecurityAffairs – hacking, Point32Health)

MOVEit Transfer software zero-day actively exploited in the wild

Threat actors are exploiting a zero-day flaw in Progress Software’s MOVEit Transfer product to steal data from organizations.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations.

MOVEit Transfer is a managed file transfer solution used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection flaw that can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

The vulnerability affects all MOVEit Transfer versions; it doesn’t affect the cloud version of the product. The company also shared Indicators of Compromise (IoCs) for this attack and urges customers that notice any of the indicators to immediately contact their security and IT teams.

Multiple security firms are warning that the vulnerability has been actively exploited in the wild.

GreyNoise researchers observed scanning activity for the MOVEit Transfer login page, located at /human.aspx, as early as March 3rd, 2023. For this reason, the experts recommend that Progress customers review potentially malicious activity recorded in the last 90 days.

“While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as “Malicious” by GreyNoise for prior activities.” reads the alert published by GreyNoise. “The primary artifact, observed through publicly available information, is the presence of a webshell named human2.aspx. This is a post-exploitation file artifact that is written to the filesystem by a malicious actor allowing them to execute arbitrary commands. GreyNoise is observing scanning activity looking to identify the presence of the human2.aspx webshell dropped as part of the post-exploitation activity.”

By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

“Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.” reported Rapid7.

Threat actors exploit the vulnerability to establish a webshell (‘human2.aspx’) in the ‘wwwroot’ folder of the MOVEit software.
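A practical follow-up to the GreyNoise and Rapid7 observations above is to check the IIS logs of a MOVEit Transfer host for requests to the human2.aspx path and to check the web root for the file itself: a request that receives a 200 tells you the file was present and answered, while a 404 is only a probe. The Python script below is an added example written for this page, not code from Progress, GreyNoise or Rapid7. It assumes an IIS W3C extended log with a #Fields directive; the log lines, IP addresses, user agents and the throwaway web root it builds are all constructed for the example.

```python
import os
import tempfile
from collections import defaultdict

WEBSHELL_NAME = "human2.aspx"  # post-exploitation artifact named in the reporting

# Constructed IIS W3C extended log excerpt. IPs, timestamps and user agents are
# made up for this example; IIS writes '+' in place of spaces inside a field.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-27 23:58:40 10.0.0.5 GET /human.aspx - 443 203.0.113.10 python-requests/2.28.1 200
2023-05-27 23:59:02 10.0.0.5 GET /human2.aspx - 443 203.0.113.10 python-requests/2.28.1 404
2023-05-28 00:03:17 10.0.0.5 POST /human2.aspx - 443 203.0.113.10 python-requests/2.28.1 200
2023-05-28 08:15:09 10.0.0.5 GET /human.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2023-05-28 09:41:55 10.0.0.5 GET /human2.aspx - 443 198.51.100.23 curl/8.0.1 404
"""


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, parts))


def scan_iis_log(text):
    """Flag every request for the webshell path; a 200 means the file answered."""
    findings = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith("/" + WEBSHELL_NAME):
            status = row.get("sc-status")
            findings.append({
                "when": f'{row["date"]} {row["time"]}',
                "client": row.get("c-ip"),
                "method": row.get("cs-method"),
                "status": status,
                "kind": "webshell_served" if status == "200" else "webshell_probe",
            })
    return findings


def clients_by_kind(findings):
    """Group source IPs by what their requests tell us (probe vs. served)."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["kind"]].add(f["client"])
    return {kind: sorted(ips) for kind, ips in grouped.items()}


def find_webshell_files(wwwroot):
    """Walk a web root and return every file named like the webshell, case-insensitively."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(wwwroot):
        for name in filenames:
            if name.lower() == WEBSHELL_NAME:
                hits.append(os.path.relpath(os.path.join(dirpath, name), wwwroot))
    return sorted(hits)


def demo_filesystem_check():
    """Build a throwaway web root with one legitimate page and one planted file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel in ("human.aspx", os.path.join("sub", "Human2.aspx")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<%-- constructed placeholder content --%>\n")
        return find_webshell_files(root)


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG)
    for h in hits:
        print(f'{h["when"]}  {h["client"]:<15} {h["method"]:<4} {h["status"]}  {h["kind"]}')
    print("clients:", clients_by_kind(hits))
    print("files:", demo_filesystem_check())
```

On a real host, point find_webshell_files at the MOVEit wwwroot folder and feed scan_iis_log the last 90 days of logs, as the GreyNoise advice suggests; the status split matters because a 404 from a scanner is expected background noise once the path is public, whereas a 200 means the file existed on disk at that moment.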


Pierluigi Paganini

(SecurityAffairs – hacking, MOVEit Transfer)

Operation Triangulation: previously undetected malware targets iOS devices

A previously undocumented APT group targets iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.

The experts uncovered the attack while monitoring the network traffic of the company’s own corporate Wi-Fi network dedicated to mobile devices, using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).

According to Kaspersky researchers, Operation Triangulation began in 2019 at the latest and is still ongoing.

“The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data” reads the analysis published by Kaspersky.

Due to the difficulty of inspecting modern iOS devices internally, the researchers created offline backups of the devices to analyze. Then they used the Mobile Verification Toolkit’s mvt-ios to scrutinize the backups and ultimately collected evidence indicating traces of compromise.

The backups contain a partial copy of the filesystem, including part of the user data and service databases. By analyzing the timestamps of files, folders, and database records, the researchers were able to reconstruct a timeline of the events that occurred on the device. The researchers used the mvt-ios utility to generate a sorted timeline of the events, which is stored in a file named ‘timeline.csv.’

The analysis of the timeline revealed that the attack chains commence with a message sent via the iMessage service to an iOS device. The message carries an attachment containing an exploit. The experts explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).

The exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.

Then the initial message and the exploit in the attachment are deleted.

The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting. 

The attack successfully targeted iOS 15.7; the analysis of the final payload has yet to be finished. The malicious code runs with root privileges, supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.

“The single most reliable indicator that we discovered is the presence of data usage lines mentioning the process named “BackupAgent”. This is a deprecated binary that should not appear in the timeline during regular usage of the device.” concludes Kaspersky. “An even less implicit indicator of compromise is inability to install iOS updates. We discovered malicious code that modifies one of the system settings file named com.apple.softwareupdateservicesd.plist. We observed update attempts to end with an error message “Software Update Failed. An error ocurred downloading iOS”.”
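Kaspersky’s write-up gives a defender two concrete things to hunt for in an mvt-ios timeline: data-usage records for the deprecated BackupAgent process, and modification of com.apple.softwareupdateservicesd.plist. The Python script below is an added example written for this page, not Kaspersky’s or the Mobile Verification Toolkit’s code. It assumes a timeline.csv with the columns UTC Timestamp, Plugin, Event and Description (compare this against the header of your own export), and runs over a constructed sample timeline embedded in the script; the file path shown for the plist is part of that constructed sample.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of an mvt-ios timeline.csv. The column
# layout (UTC Timestamp, Plugin, Event, Description) is an assumption made
# for this example; compare it with the header of a real timeline.csv.
# Descriptions avoid commas so the CSV can stay unquoted.
SAMPLE_TIMELINE = """UTC Timestamp,Plugin,Event,Description
2023-03-02 08:11:40.000000,Datausage,datausage,com.apple.MobileSMS WIFI_IN=41230 WIFI_OUT=1902
2023-03-02 08:12:05.000000,Datausage,datausage,BackupAgent WIFI_IN=3100 WIFI_OUT=88210
2023-03-02 08:12:31.000000,Datausage,datausage,BackupAgent WIFI_IN=2204416 WIFI_OUT=10510
2023-03-02 08:13:02.000000,Manifest,file_modified,Library/Preferences/com.apple.softwareupdateservicesd.plist
2023-03-02 09:00:00.000000,Datausage,datausage,com.apple.mobilesafari WIFI_IN=9800 WIFI_OUT=1200
2023-03-03 07:45:10.000000,Manifest,file_modified,Library/SMS/sms.db
"""


def is_backupagent_datausage(row):
    # Primary indicator from the write-up: data-usage records for the deprecated
    # BackupAgent binary, which should not appear during normal use of the device.
    return row["Plugin"].lower() == "datausage" and "BackupAgent" in row["Description"]


def is_update_plist_touch(row):
    # Secondary indicator: the software update settings file being modified.
    return "com.apple.softwareupdateservicesd.plist" in row["Description"]


INDICATORS = [
    ("backupagent_datausage", is_backupagent_datausage),
    ("softwareupdate_plist", is_update_plist_touch),
]


def scan_timeline(csv_text):
    """Return one finding per (row, indicator) match, in timeline order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, matches in INDICATORS:
            if matches(row):
                findings.append({
                    "timestamp": row["UTC Timestamp"],
                    "indicator": name,
                    "plugin": row["Plugin"],
                    "description": row["Description"],
                })
    return findings


def summarize(findings):
    """Count hits per indicator name."""
    counts = {}
    for f in findings:
        counts[f["indicator"]] = counts.get(f["indicator"], 0) + 1
    return counts


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def correlated(findings, window=timedelta(hours=1)):
    """True when a plist modification follows BackupAgent traffic within `window`.

    Two weak indicators close together in time are a stronger signal than either alone.
    """
    agent_times = [parse_ts(f["timestamp"]) for f in findings if f["indicator"] == "backupagent_datausage"]
    plist_times = [parse_ts(f["timestamp"]) for f in findings if f["indicator"] == "softwareupdate_plist"]
    return any(timedelta(0) <= p - a <= window for a in agent_times for p in plist_times)


if __name__ == "__main__":
    hits = scan_timeline(SAMPLE_TIMELINE)
    for h in hits:
        print(f'{h["timestamp"]}  {h["indicator"]:<22}  {h["description"]}')
    print("summary:", summarize(hits))
    print("correlated within 1h:", correlated(hits))
```

Run it against the timeline.csv that mvt-ios produces from a backup; a BackupAgent hit on its own deserves a look, and a plist modification shortly afterwards matches the sequence the researchers describe (network activity by a binary that should be dormant, followed by updates being blocked).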

Kaspersky provided the list of C2 domains involved in the attack, at least two of them currently show the following banner:

About the author: Jurgita Lapienytė, Chief Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, Operation Triangulation)

Apps with over 420 Million downloads from Google Play unveil the discovery of SpinOk spyware

Researchers discovered spyware, dubbed SpinOk, hidden in 101 Android apps with over 400 million downloads in Google Play.

The malicious module is distributed as a marketing SDK that developers behind the apps embedded in their applications and games, including those available on Google Play.

Upon execution, the malware-laced SDK connects to the C2 server and sends back a large amount of system information about the infected device. The information sent to the C2 includes data from sensors (e.g. gyroscope, magnetometer, etc.) that allows operators to determine whether the malware is running on a real device or in an emulator. The C2 in turn sends a list of URLs to the module, which opens them in a WebView to display advertising banners.

The malicious SDK also expands the capabilities of JavaScript code executed on webpages containing ads. The researchers observed that the module adds many features to the code, including the ability to:

  • obtain the list of files in specified directories,
  • verify the presence of a specified file or a directory on the device,
  • obtain a file from the device, and
  • copy or substitute the clipboard contents.

The operators of the trojan module can use these capabilities to gather sensitive information and files from a victim’s device. An instance of this would be accessing files that are accessible to apps containing Android.Spy.SpinOk. To steal the files, threat actors only have to inject the corresponding code into the HTML page of the advertisement banner.

“Doctor Web specialists found this trojan module and several modifications of it in a number of apps distributed via Google Play. Some of them contain the malicious SDK to this date; others had it only in particular versions or were removed from the catalog entirely. Our malware analysts discovered it in 101 apps with at least 421,290,300 cumulative downloads.” reads the report published by Doctor Web.

Doctor Web estimated that millions of Android device owners are at risk of becoming victims of cyber espionage, and the security firm immediately shared its findings with Google.

Below is the list of the 10 most popular apps using the Android.Spy.SpinOk trojan SDK:

  • Noizz: video editor with music (at least 100,000,000 installations),
  • Zapya – File Transfer, Share (at least 100,000,000 installations; the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1),
  • VFly: video editor&video maker (at least 50,000,000 installations),
  • MVBit – MV video status maker (at least 50,000,000 installations),
  • Biugo – video maker&video editor (at least 50,000,000 installations),
  • Crazy Drop (at least 10,000,000 installations),
  • Cashzine – Earn money reward (at least 10,000,000 installations),
  • Fizzo Novel – Reading Offline (at least 10,000,000 installations),
  • CashEM: Get Rewards (at least 5,000,000 installations),
  • Tick: watch to earn (at least 5,000,000 installations).

The full list of apps is available here.


Pierluigi Paganini

(SecurityAffairs – hacking, SpinOk)

BlackCat claims the hack of the Casepoint legal technology platform used by US agencies

The BlackCat ransomware gang claims to have hacked the Casepoint legal technology platform used by US agencies, including the SEC and the FBI.

The cybersecurity researcher Dominic Alvieri first noticed that the BlackCat ransomware gang added the company Casepoint to the list of victims on its Tor Dark Web site.

Casepoint provides a leading legal discovery platform used by several US agencies, including the SEC, FBI, and US Courts.

The gang claims to have stolen 2TB of sensitive data belonging to lawyers, the SEC, the DoD, the FBI, police forces, and more.

“We have over 2TB of very sensitive data, lawyers, SEC, DoD, FBI, Police and more. We encourage you to get in touch or we’ll start posting your data on our blog soon. We mailed you the login link.” reads the message published on the leak site.

In the event that the security breach is verified, it is reasonable to speculate that the ransomware group might have compromised sensitive and possibly classified information. The potential leakage of such data could result in significant consequences for the company’s customers.

The ransomware group shared credentials for some resources of the breached infrastructure and some images of the alleged stolen documents. The gang urges the company to start negotiating.

“We advise you to hurry up and start negotiating with us, otherwise it will be very bad for your company.” concludes the message. “We attach a new file, it’s from the FBI, just for internal forwarding.”

The BlackCat/ALPHV ransomware gang has been active since November 2021; its list of victims is long and includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline operator Creos Luxembourg S.A., the fashion giant Moncler, and Swissport.

The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

Trend Micro researchers recently shared details about an ALPHV/BlackCat ransomware incident that took place in February 2023, in which a BlackCat affiliate employed signed malicious Windows kernel drivers to evade detection.

The use of a Windows kernel driver, which runs with the highest privileges in the OS, allows attackers to kill any process associated with defense products.


Pierluigi Paganini

(SecurityAffairs – hacking, BlackCat)

Threat actors are exploiting Barracuda Email Security Gateway bug since October 2022

A recently disclosed zero-day flaw in Barracuda Email Security Gateway (ESG) appliances has been actively exploited by attackers since October 2022.

The network security solutions provider Barracuda recently warned customers that some of its Email Security Gateway (ESG) appliances were breached by threat actors exploiting a now-patched zero-day vulnerability.

The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening. The issue was discovered on May 19, and the company fixed it with the release of two security patches on May 20 and 21.

“Barracuda identified a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023.” reads the advisory published by the security solutions provider. “The vulnerability existed in a module which initially screens the attachments of incoming emails.”

The issue could have a significant impact because the affected Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.

The vulnerability doesn’t impact other Barracuda products; the company states that its SaaS email security service is not affected by this issue.

The company investigated the flaw and discovered that it had been exploited to target a subset of email gateway appliances. Barracuda notified the customers whose appliances it believes were impacted through the ESG user interface.

On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.

According to the vendor, the flaw has been exploited in the wild, with incidents dating back to at least October 2022.

“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” reads the update provided by the company.

Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered that the issue was exploited to deploy malware on a subset of appliances, allowing for persistent backdoor access.

The families of malware employed in the attacks are:

  • SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities, such as uploading/downloading arbitrary files, executing commands, and proxying and tunneling malicious traffic to avoid detection. The backdoor component is built by hooking the send, recv, and close system calls and comprises a total of five distinct components, referred to as “Channels” within the binary.
  • SEASPY – An x64 ELF persistent backdoor that masquerades as a legitimate Barracuda Networks service and poses as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
  • SEASIDE – A module written in Lua for bsmtpd that establishes a reverse shell via SMTP HELO/EHLO commands sent by the malware’s C2 server.

Below are the recommendations for the impacted customers:

  1. Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate if the appliance is up to date.
  2. Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
  3. Rotate any applicable credentials connected to the ESG appliance:
    o  Any connected LDAP/AD
    o  Barracuda Cloud Control
    o  FTP Server
    o  SMB
    o  Any private TLS certificates
  4. Review your network logs for any of the IOCs listed below and any unknown IPs. Contact compliance@barracuda.com if any are identified.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.


Pierluigi Paganini

(SecurityAffairs – hacking, Barracuda)

Lockbit ransomware attack on MCNA Dental impacts 8.9M individuals

Managed Care of North America (MCNA) Dental disclosed a data breach that impacted more than 8.9 million individuals.

Managed Care of North America (MCNA) Dental suffered a data breach that impacted 8,923,662 patients.

MCNA Dental is one of the largest US dental care and oral health insurance providers.

The security breach exposed the personal information of current or former providers of dental/orthodontic care to members of certain state Medicaid and Children’s Health Insurance Programs for which MCNA provides dental benefits and services.

According to the notification filed with the Office of the Maine Attorney General, the company discovered unauthorized access to its computer systems on March 6th, 2023, and immediately launched an investigation into the incident.

“On March 6, 2023, MCNA became aware that an unauthorized party was able to access certain MCNA systems. Upon discovery the same day, MCNA took immediate steps to contain the threat and engaged a third-party forensic firm to investigate the incident and assist with remediation efforts. MCNA subsequently discovered that certain systems within the network may have been infected with malicious code. Through its investigation, MCNA determined that an unauthorized third party was able to access certain systems and remove copies of some personal information between February 26, 2023 and March 7, 2023.” reads the data breach notification. “MCNA undertook an extensive review to determine what data may have been impacted. As a result of this review, which was completed on May 3, 2023, it appears that your personal information may have been involved.”

Stolen data include demographic information used to identify and contact patients, such as full name, date of birth, address, telephone number and email address; Social Security number; driver’s license number or government-issued identification number; health insurance information, such as the name of the plan/insurer/government payor, member/Medicaid/Medicare ID number, and plan and/or group number; and information regarding dental/orthodontic care. The notice states that not all data elements were involved for all individuals.

The company announced that it has already taken steps to mitigate and prevent similar security breaches in the future.

The company is offering the impacted individuals 12 months of free identity theft protection and credit monitoring service through IDX.

“Although we are unaware of any actual or attempted misuse of provider information as a result of this incident, we encourage you to carefully review credit reports and statements sent from providers as well as your insurance company to ensure that all account activity is valid. Any questionable charges should be promptly reported to the company with which you maintain the account.”

The notice doesn’t provide details about the security breach, but the LockBit ransomware group claimed responsibility for the attack.

The ransomware group added the company to the list of victims on its Tor leak site and published a sample of the stolen data as proof of the data breach.

LockBit threatened to publish the stolen data if MCNA did not pay a $10 million ransom.

On April 7th, 2023, LockBit released all stolen data on its leak site.


Pierluigi Paganini

(SecurityAffairs – hacking, MCNA)

New Go-written GobRAT RAT targets Linux Routers in Japan

A new Golang remote access trojan (RAT), tracked as GobRAT, is targeting Linux routers in Japan, the JPCERT Coordination Center warns.

JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote access trojan (RAT) called GobRAT.

Threat actors are targeting Linux routers with a publicly exposed WEBUI, executing malicious scripts on them to deploy the GobRAT malware.

“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT.” reads the alert published by the JPCERT Coordination Center (JPCERT/CC).

The Loader Script acts as a loader; it supports multiple functions for downloading and deploying GobRAT. The experts noticed an SSH public key, likely used as a backdoor, hard-coded in the script. The Loader Script maintains persistence via crontab because GobRAT does not support such a function.

The Loader Script includes multiple functions, such as disabling the firewall, downloading the GobRAT build for the target machine’s architecture, creating the Start Script and making it persistent, creating and running the Daemon Script, and registering an SSH public key in /root/.ssh/authorized_keys.
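The two persistence mechanisms the alert attributes to the Loader Script, a hard-coded SSH public key appended to /root/.ssh/authorized_keys and a crontab entry, are both things a router operator can audit directly: compare every authorized key against the fingerprints that were actually provisioned, and compare every cron job against the programs the router image is expected to run. The Python script below is an added example written for this page, not JPCERT/CC’s tooling. The authorized_keys entries, the crontab lines and the allowlist of expected cron programs are constructed for the example; the key blobs are well-formed SSH wire format but are not real keys, and only the /zone/frpc path comes from the alert.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _fake_key(comment, seed):
    """Constructed key material: an SSH wire-format blob (string type, string payload).

    The payload is a hash of `seed`, not a real key; it only needs to be well-formed base64.
    """
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    entry = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return entry + " " + comment if comment else entry


ADMIN_KEY = _fake_key("ops@jump-host", b"constructed-admin-key")
IMPLANTED_KEY = "no-pty " + _fake_key("", b"constructed-implanted-key")  # options prefix, no comment

# Constructed /root/.ssh/authorized_keys: one provisioned key and one nobody provisioned.
SAMPLE_AUTHORIZED_KEYS = "# constructed sample\n" + ADMIN_KEY + "\n" + IMPLANTED_KEY + "\n"

# Constructed root crontab: one expected job, an @reboot entry for the path the alert names,
# and a short-interval job pointing at a path no provisioning step created.
SAMPLE_CRONTAB = """# constructed sample
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /zone/frpc
*/10 * * * * /tmp/.x/start.sh >/dev/null 2>&1
"""
CRON_ALLOWLIST = {"/usr/sbin/logrotate"}  # assumption: what this router image is expected to run


def ssh_fingerprint(entry):
    """SHA256 fingerprint in OpenSSH's 'SHA256:...' form for one authorized_keys entry.

    Handles an options prefix (e.g. 'no-pty') by scanning for the key-type token; options
    that themselves contain quoted spaces are not handled here.
    """
    tokens = entry.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found in entry")


def audit_authorized_keys(text, known_fingerprints):
    """Return entries whose fingerprint is not in the provisioned set."""
    unknown = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in known_fingerprints:
            tokens = line.split()
            key_idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
            unknown.append({"line": lineno, "fingerprint": fp, "comment": " ".join(tokens[key_idx + 2:])})
    return unknown


def audit_crontab(text, allowed_programs):
    """Return cron jobs whose program is not in the allowlist, including @reboot-style entries."""
    suspicious = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment or VAR=value line
        if s.startswith("@"):
            parts = s.split(None, 1)  # @reboot, @hourly, ...: one schedule token, then the command
        else:
            parts = s.split(None, 5)  # five time fields, then the command
        if len(parts) < (2 if s.startswith("@") else 6):
            continue
        command = parts[-1]
        program = command.split()[0]
        if program not in allowed_programs:
            suspicious.append({"line": lineno, "program": program, "command": command})
    return suspicious


if __name__ == "__main__":
    known = {ssh_fingerprint(ADMIN_KEY)}
    for u in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print(f'authorized_keys line {u["line"]}: unknown key {u["fingerprint"]} comment={u["comment"]!r}')
    for c in audit_crontab(SAMPLE_CRONTAB, CRON_ALLOWLIST):
        print(f'crontab line {c["line"]}: unexpected program {c["program"]} ({c["command"]})')
```

Fingerprints are the right unit of comparison because a planted key can carry any comment it likes; the @reboot handling matters because a loader that wants to survive a restart is more likely to use that form than a five-field schedule.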

The RAT communicates with the C2 server via TLS and can execute various commands. JPCERT/CC reported that the RAT is packed with the UPX version 4 series. The researchers observed samples for multiple architectures, including ARM, MIPS, x86, and x86-64.

Upon starting up, GobRAT checks its own IP and MAC addresses, its uptime via the uptime command, and its network communication status via /proc/net/dev.

The malware supports 22 commands; the researchers have identified the following:

  • Obtain machine Information
  • Execute reverse shell
  • Read/write files
  • Configure new C2 and protocol
  • Start socks5
  • Execute file in /zone/frpc
  • Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

“In recent years, different types of malware using Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by Go language, for communication.” concludes the alert that also provides indicators of compromise. “Please continuously beware of malware that infects routers, not limited to GobRAT, since they are difficult to detect.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)