31 May 2023

New Go-based GobRAT malware targets Linux routers

Japan’s Computer Security Incident Response Team (JPCERT/CC) has published a technical analysis of a new Golang-based remote access trojan called ‘GobRAT’ observed in a series of attacks against Linux routers in Japan in February 2023.

The attackers target Linux routers whose web UI is exposed to the internet and use that access to run malicious scripts that deploy GobRAT. After gaining initial access to a router, the attacker downloads a loader, dubbed ‘Loader Script,’ that disables the device’s firewall, downloads the GobRAT binary built for the router’s CPU architecture, writes a ‘Start Script’ for persistence, and creates and runs a ‘Daemon Script.’ The loader also contains a hard-coded SSH public key, likely used as a backdoor.

The GobRAT malware communicates with its command and control (C2) server over TLS and can execute a range of commands. The RAT is packed with UPX 4.x and is built for multiple architectures, including ARM, MIPS, x86, and x86-64.

According to JPCERT/CC, the malware can execute 22 commands, including:

  • Obtain machine information

  • Execute reverse shell

  • Read/write files

  • Configure new C2 and protocol

  • Start socks5

  • Execute file in /zone/frpc

  • Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine.
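The loader behaviour described above (firewall disabled, an architecture-specific UPX-packed binary dropped, an extra SSH public key installed) and the /zone/frpc path in the command list give a defender a handful of concrete things to hunt for on a router. The POSIX sh triage script below is an added example, not code from JPCERT/CC or from the report: it flags authorized_keys entries that are not on an operator allowlist, the /zone/frpc path, UPX-packed ELF files anywhere under a root directory, and an `iptables -S` listing that shows a flushed filter table. The sample tree built by `make_demo_tree`, the fake key blobs in it, the allowlist format, and all function names are assumptions made for the demo, not artefacts from the campaign.

```shell
#!/bin/sh
# Added example (not JPCERT/CC's or the malware's code): router triage for the
# generic artefacts a GobRAT-style loader leaves behind. Run as
#   triage / /path/to/operator-allowlist
# on a live device; the demo at the bottom runs against a constructed tree.

# is_upx_packed FILE: succeed if FILE starts with the ELF magic (7f 45 4c 46)
# and contains the "UPX!" marker string that UPX-packed binaries carry.
is_upx_packed() {
    f="$1"
    [ -f "$f" ] || return 1
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    grep -q 'UPX!' "$f"
}

# find_upx_elf DIR: print every UPX-packed ELF file below DIR.
find_upx_elf() {
    find "$1" -type f | while read -r f; do
        if is_upx_packed "$f"; then printf '%s\n' "$f"; fi
    done
}

# unknown_ssh_keys AUTHORIZED_KEYS ALLOWLIST: print entries whose key blob
# (second field) does not appear in ALLOWLIST (one known blob per line).
# Assumes plain "type blob comment" lines; a leading options field is not parsed.
unknown_ssh_keys() {
    auth="$1"; allow="$2"
    [ -f "$auth" ] || return 0
    while read -r ktype kblob comment; do
        case "$ktype" in ''|'#'*) continue ;; esac
        if ! grep -qF -- "$kblob" "$allow" 2>/dev/null; then
            printf '%s\n' "$ktype $kblob${comment:+ $comment}"
        fi
    done < "$auth"
}

# filter_table_is_flushed: read `iptables -S` output on stdin; succeed if the
# filter table has no rules and no DROP policy, i.e. what a loader that simply
# flushes the firewall leaves behind.
filter_table_is_flushed() {
    tbl=$(cat)
    printf '%s\n' "$tbl" | grep -q '^-A ' && return 1
    printf '%s\n' "$tbl" | grep -q '^-P .* DROP' && return 1
    return 0
}

# triage ROOT ALLOWLIST: run the filesystem checks against a tree rooted at
# ROOT ("/" on a live device). Exit status is the number of finding classes.
triage() {
    root="$1"; allow="$2"; findings=0
    unknown=$(unknown_ssh_keys "$root/root/.ssh/authorized_keys" "$allow")
    if [ -n "$unknown" ]; then
        echo "[!] authorized_keys entries not on the allowlist:"
        printf '%s\n' "$unknown" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    if [ -e "$root/zone/frpc" ]; then
        echo "[!] $root/zone/frpc exists (frpc path from the GobRAT command list)"
        findings=$((findings + 1))
    fi
    packed=$(find_upx_elf "$root")
    if [ -n "$packed" ]; then
        echo "[!] UPX-packed ELF files:"
        printf '%s\n' "$packed" | sed 's/^/    /'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# make_demo_tree DIR: build a constructed sample tree (not data from a real
# device): one allowed key, one rogue key, the frpc path, one plain ELF stub
# and one ELF stub carrying the UPX marker. The key blobs are fake.
make_demo_tree() {
    d="$1"
    mkdir -p "$d/root/.ssh" "$d/zone" "$d/bin" "$d/tmp"
    printf 'AAAAC3Nza-operator-key-blob\n' > "$d/allowlist"
    {
        echo 'ssh-ed25519 AAAAC3Nza-operator-key-blob admin@router'
        echo 'ssh-rsa AAAAB3Nza-rogue-key-blob'
    } > "$d/root/.ssh/authorized_keys"
    : > "$d/zone/frpc"
    printf '\177ELF\002\001\001\001 plain binary' > "$d/bin/legit"
    printf '\177ELF\002\001\001\001UPX! packed payload' > "$d/tmp/gobrat"
}

# Demo run against the constructed tree and a constructed `iptables -S` listing.
DEMO=$(mktemp -d)
make_demo_tree "$DEMO"
rc=0
triage "$DEMO" "$DEMO/allowlist" || rc=$?
echo "triage finished with $rc finding class(es)"
if printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' | filter_table_is_flushed; then
    echo "[!] sample iptables -S output shows a flushed filter table"
fi
rm -rf "$DEMO"
```

On a live device the firewall check is `iptables -S | filter_table_is_flushed`; routers using nftables need the equivalent `nft list ruleset` parsing, which this example does not cover. A UPX marker alone is not proof of compromise, since some legitimate firmware binaries are also UPX-packed, so treat the packed-file list as a candidate set to inspect rather than a verdict.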

Additional technical details on this RAT can be found in the JPCERT/CC analysis.
