31 May 2023

New Go-based GobRAT malware targets Linux routers


Japan’s Computer Security Incident Response Team (JPCERT/CC) has published a technical analysis of a new Golang-based remote access trojan called ‘GobRAT’ observed in a series of attacks against Linux routers in Japan in February 2023.

Threat actors are targeting Linux routers whose web UI is publicly exposed, executing malicious scripts on them to deploy the GobRAT malware. Upon gaining initial access to the target router, the attacker downloaded a loader called ‘Loader Script,’ which supports multiple functions, including the ability to disable the device’s firewall, download the GobRAT build matching the target machine's architecture, create a Start Script for persistence, and create and run a Daemon Script. The script also contains a hard-coded SSH public key, likely used as a backdoor.

The GobRAT malware communicates with its command-and-control server over TLS and can execute various commands. The RAT is packed with UPX 4.x and supports multiple architectures, including ARM, MIPS, x86, and x86-64.

According to JPCERT/CC, the malware can execute 22 commands, including:

  • Obtain machine Information

  • Execute reverse shell

  • Read/write files

  • Configure new C2 and protocol

  • Start socks5

  • Execute file in /zone/frpc

  • Attempt to log in to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine.

Additional technical details on this RAT can be found here.
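The behaviours summarised above (a hard-coded SSH public key dropped as a backdoor, a UPX-packed RAT binary, and a file executed from /zone/frpc) can all be checked for from the router's filesystem. The following script is an added triage example written for this post; it is not JPCERT/CC's code or part of the original report. It assumes an operator-maintained allowlist of legitimate SSH key bodies, the `root/.ssh/authorized_keys` location, and the `tmp` and `zone` directories as scan paths; the sample filesystem it builds is constructed for illustration. The firewall-disable indicator is not covered, since that requires live ruleset output rather than files.

```python
"""Filesystem triage for the GobRAT indicators described in the post.

Added example, not JPCERT/CC code. Checks a filesystem root for:
  * SSH public keys in authorized_keys that are not on an allowlist
    (the Loader Script is reported to plant a hard-coded key),
  * ELF binaries carrying the UPX marker (the RAT is UPX-packed),
  * the /zone/frpc path the RAT is reported to execute.
Paths and the allowlist are assumptions chosen for illustration.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # marker UPX leaves in packed binaries
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def unexpected_ssh_keys(authorized_keys: Path, allowlist: set[str]) -> list[str]:
    """Return authorized_keys lines whose key body is not in the allowlist."""
    if not authorized_keys.is_file():
        return []
    findings = []
    for line in authorized_keys.read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # authorized_keys line: [options] key-type base64-key [comment]
        parts = line.split()
        key_body = None
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                key_body = parts[i + 1]
                break
        if key_body is None or key_body not in allowlist:
            findings.append(line)
    return findings


def upx_packed_elf_files(scan_dirs: list[Path]) -> list[Path]:
    """Find regular ELF files under scan_dirs that contain the UPX marker."""
    hits = []
    for d in scan_dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.rglob("*")):
            if p.is_symlink() or not p.is_file():
                continue
            try:
                with p.open("rb") as fh:
                    head = fh.read(4)
                    if head != ELF_MAGIC:
                        continue
                    # the marker sits in the packed header; 1 MiB is plenty
                    data = head + fh.read(1024 * 1024)
            except OSError:
                continue
            if UPX_MARKER in data:
                hits.append(p)
    return hits


def triage(root: Path, allowlist: set[str]) -> dict:
    """Run all three checks against a filesystem root (assumed layout)."""
    return {
        "unexpected_ssh_keys": unexpected_ssh_keys(
            root / "root" / ".ssh" / "authorized_keys", allowlist
        ),
        "upx_packed": upx_packed_elf_files([root / "tmp", root / "zone"]),
        "zone_frpc_present": (root / "zone" / "frpc").exists(),
    }


def build_sample_root() -> tuple[Path, set[str]]:
    """Constructed sample filesystem: one allowed key, one unknown key,
    one UPX-marked ELF at zone/frpc and one clean ELF in tmp."""
    root = Path(tempfile.mkdtemp(prefix="gobrat-triage-"))
    ssh = root / "root" / ".ssh"
    ssh.mkdir(parents=True)
    allowed = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEYxxxxxxxxxxxxxxxxxxxx"
    (ssh / "authorized_keys").write_text(
        f"ssh-ed25519 {allowed} admin@ops\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEUNKNOWNKEY unknown\n"
    )
    (root / "zone").mkdir()
    (root / "zone" / "frpc").write_bytes(
        ELF_MAGIC + b"\x00" * 60 + UPX_MARKER + b"\x00" * 64
    )
    (root / "tmp").mkdir()
    (root / "tmp" / "busybox").write_bytes(ELF_MAGIC + b"\x00" * 128)
    return root, {allowed}


if __name__ == "__main__":
    sample_root, allow = build_sample_root()
    for name, value in triage(sample_root, allow).items():
        print(f"{name}: {value}")
```

On a real device, point `triage` at `/` (or a mounted firmware image) and seed the allowlist from the keys your configuration management actually deploys; any key body outside that set is worth an incident ticket, not just a log line.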

