31 May 2023

New Go-based GobRAT malware targets Linux routers

Japan’s Computer Security Incident Response Team (JPCERT/CC) has published a technical analysis of a new Golang-based remote access trojan called ‘GobRAT’ observed in a series of attacks against Linux routers in Japan in February 2023.

Threat actors are targeting Linux routers whose WEBUI is exposed to the internet, executing malicious scripts that deploy the GobRAT malware. After gaining initial access to a router, the attacker downloads a loader called ‘Loader Script’, which supports several functions: disabling the device’s firewall, downloading the GobRAT build for the target machine's architecture, creating a Start Script for persistence, and creating and running a Daemon Script. The script also contains a hard-coded SSH public key, likely used as a backdoor.

The GobRAT malware communicates with its command-and-control (C2) server over TLS and can execute a range of commands. The RAT is packed with UPX (a version 4.x build) and is distributed for multiple architectures, including ARM, MIPS, x86, and x86-64.
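As an added illustration of the multi-architecture, UPX-packed packaging described above (example code written for this page, not code from JPCERT/CC or the malware), the helper below reads the ELF header of a suspicious router binary to report which architecture build it is and applies a simple UPX-packing heuristic; the ELF images it is run on are constructed headers, not real samples.

```python
"""Triage helper for router binaries: ELF target architecture plus a UPX heuristic.
Added example; the ELF blobs built by fake_elf() are constructed test data."""
import struct
from typing import Optional

# e_machine values from the ELF specification for the architectures named in the report
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_arch(data: bytes) -> Optional[str]:
    """Return 'arch/bits/endianness' for an ELF image, or None if the data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine sits at offset 18
    bits = {1: "32", 2: "64"}.get(data[4], "?")    # EI_CLASS: 1 = ELF32, 2 = ELF64
    name = ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")
    return f"{name}/{bits}-bit/{'LE' if endian == '<' else 'BE'}"


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic only: UPX writes a 'UPX!' marker into its l_info header and trailer."""
    return b"UPX!" in data


def triage(data: bytes) -> dict:
    """Summarise what a responder wants to know first about a dropped binary."""
    arch = elf_arch(data)
    return {"elf": arch is not None, "arch": arch, "upx": looks_upx_packed(data)}


def fake_elf(e_machine: int, bits: int, big_endian: bool, packed: bool) -> bytes:
    """Construct a minimal 64-byte ELF header for testing; it is not a runnable binary."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\0" * 9
    endian = ">" if big_endian else "<"
    hdr = ident + struct.pack(endian + "HHI", 2, e_machine, 1)  # e_type, e_machine, e_version
    hdr = hdr.ljust(64, b"\0")
    return hdr + (b"UPX!" + b"\0" * 8 if packed else b"\0" * 12)


if __name__ == "__main__":
    for label, blob in [("mips-be-packed", fake_elf(8, 32, True, True)),
                        ("x86_64-le-plain", fake_elf(62, 64, False, False)),
                        ("not-elf", b"#!/bin/sh\necho hi\n")]:
        print(label, triage(blob))
```

The UPX marker check is a quick indicator, not proof: a sample can be repacked or have the marker stripped, so treat a negative result as inconclusive.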

According to JPCERT/CC, the malware can execute 22 commands, including:

  • Obtain machine information

  • Execute reverse shell

  • Read/write files

  • Configure new C2 and protocol

  • Start socks5

  • Execute file in /zone/frpc

  • Attempt to log in to sshd, Telnet, Redis, MySQL, and PostgreSQL services running on another machine

Additional technical details on this RAT can be found here.
