Cisco Talos uncovered a GoMet backdoor campaign targeting a Ukrainian software development firm, with indicators pointing toward Russian state-sponsored actors or those acting in their interests. The GoMet variant is a modified open-source backdoor capable of cross-OS deployment, daisy-chaining, and persistent C2 communications, raising concern about potential supply-chain risk. #GoMet #RussianStateSponsoredActors
Keypoints
- The GoMet backdoor was observed in Ukraine targeting a large software development company whose products are used by Ukrainian state organizations, with attribution leaning toward Russian state-sponsored actors.
- GoMet is a Go-written backdoor capable of multi-OS deployment and includes features such as scheduling, single-command execution, file download/upload, and a shell.
- The malware demonstrates a daisy-chain capability, allowing attackers to move laterally from one compromised host to others.
- A modified cron-based persistence mechanism was used; in the observed samples the cron job is configured to run every two seconds to maintain connectivity to the C2.
- Persistence/defense-evasion techniques include replacing existing autorun executables with the malware and using a fake Windows update to aid concealment.
- Two GoMet samples were identified (FctSec.exe and SQLocalM86.exe) with similar code but different configurations, and C2 communications use a hardcoded IP and HTTPS on the default port.
- Attribution is assessed with moderate to high confidence to Russian state-sponsored actors or those acting in their interests; the activity could enable deeper access or a supply-chain compromise.
MITRE Techniques
- [T1053.005] Cron – Cron-based persistence and keep-alive behavior; quote: “…cronjob is configured to run every two seconds…”
- [T1059] Command and Scripting Interpreter – Single command execution capability described by the GoMet backdoor; quote: “…single command execution…”
- [T1105] Ingress Tool Transfer – File download and upload support for remote operations; quote: “file download, file upload or opening a shell.”
- [T1021] Lateral Movement – Daisy-chain technique, using information from one host to access others across networks; quote: “daisy chain — whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers — connections from one implanted host to another.”
- [T1071.001] Web Protocols – C2 communications over HTTPS; quote: “Communication occurs via HTTPS on the default port.”
- [T1547.001] Boot or Logon Autostart Execution – Autorun modification to evade detection by replacing existing goodware autorun entries; quote: “replaced one of the existing goodware autorun executables with the malware.”
- [T1082] System Information Discovery – Discovery activity using system information commands (systeminfo) and scheduled task queries; quote: “systeminfo” (and related schtasks queries).
- [T1036] Masquerading – Use of a fake Windows update to facilitate persistence and evasion; quote: “fake Windows update scheduled tasks created by the GoMet dropper.”
Indicators of Compromise
- [SHA-256 Hash] – f24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb, 950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88
- [IP] – 111.90.139.122
- [File Name] – FctSec.exe, SQLocalM86.exe
- [Certificate] – Self-signed certificate issued April 4, 2021 with SHA-1 fingerprint 9b5e112e683a3605c9481d8f565cfb3b7e2feab7
Read more: https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html