ExCobalt’s GoRed is a Go-based backdoor used for cyberespionage, featuring multiple C2 channels (DNS, ICMP, WSS, QUIC) and a beaconing mechanism built on RPC. The article traces GoRed’s evolution, its data collection and exfiltration methods, its persistence techniques, and the way ExCobalt operatives have expanded and disguised their toolkit, including modified Linux utilities used to evade defenses. #ExCobalt #GoRed #CobInt #SneakingLeprechaun
Key points
- ExCobalt is a cyberespionage group linked to the earlier Cobalt gang and has adopted a Go-based backdoor called GoRed.
- GoRed communicates with its C2 using RPC and supports DNS, ICMP, WebSocket (WSS), and QUIC tunneling for beaconing.
- The backdoor can obtain credentials, enumerate host information and processes, and collect a range of system data for exfiltration.
- GoRed’s data is serialized (CBOR), encrypted (AES-256-GCM), and sent to a dedicated exfiltration server via RPC.
- Modified Linux utilities (ps, ss, netstat) hide malicious activity by filtering output for known malicious processes and connections.
- ExCobalt has reused and evolved tools across incidents (e.g., GoRed’s early versions) and linked public tool directories to its operations, with connections to domains like lib.rpm-bin.link and leo.rpm-bin.link.
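The modified ps, ss and netstat utilities described above filter their own output, but they cannot remove a PID directory from /proc or an entry from /proc/net/tcp. The following added example (not code from the article or from ExCobalt's toolkit) cross-checks what a process-listing tool reports against a direct read of procfs; the `/proc/net/tcp` sample and the PID sets used in the test are constructed, and the `ps` invocation and `/proc` layout are assumed to be those of a standard Linux host.

```python
"""Cross-check process and socket visibility: procfs vs. listing tools.

Added example, not from the original article. A trojanized `ps` that
drops lines from its output still cannot hide a numeric directory in
/proc, so listing /proc directly and diffing against `ps -e -o pid=`
surfaces the gap. The same idea applies to `ss`/`netstat` versus
/proc/net/tcp, parsed below. Sample inputs in the tests are constructed.
"""
import os
import re
import subprocess


def pids_from_procfs(proc_root="/proc"):
    """Return the set of numeric PIDs present as directories under proc_root."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return set()
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps_output(text):
    """Parse the PID column from `ps -e -o pid=` style output (one PID per line)."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\b", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(procfs_pids, ps_pids):
    """PIDs visible in procfs but absent from the tool's output, sorted."""
    return sorted(procfs_pids - ps_pids)


def listening_ports_from_proc_net_tcp(text):
    """Parse /proc/net/tcp text and return local ports in LISTEN state (0A).

    Addresses are hex 'IP:PORT'; the first line is the column header."""
    ports = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        local, state = parts[1], parts[3]
        if state == "0A":
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def comm_for(pid, proc_root="/proc"):
    """Best-effort process name for a PID (assumed /proc/<pid>/comm layout)."""
    try:
        with open(f"{proc_root}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"


def live_check():
    """Run the comparison on this host (Linux with a `ps` binary on PATH).

    /proc is snapshotted first, then `ps` is run; a process that exits in
    between would look hidden, so each suspect is re-checked against /proc
    before being reported."""
    procfs = pids_from_procfs()
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True).stdout
    ps_pids = pids_from_ps_output(out)
    suspects = [p for p in hidden_pids(procfs, ps_pids)
                if os.path.isdir(f"/proc/{p}")]
    return [(p, comm_for(p)) for p in suspects]


if __name__ == "__main__":
    for pid, comm in live_check():
        print(f"hidden from ps: pid={pid} comm={comm}")
```

A non-empty result from `live_check()` is a lead, not a verdict: compare the utility against the distribution package (for example with the package manager's file verification) before concluding that it was replaced.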
MITRE Techniques
- [T1082] System Information Discovery – GoRed collects information such as active processes, hostnames, network interfaces, and filesystem structures. Quote: “collects various types of information from compromised systems: details of active processes, host names, lists of network interfaces, file system structures, and so on.”
- [T1057] Process Discovery – The backdoor gathers details of active processes. Quote: “details of active processes…”
- [T1016] System Network Configuration Discovery – GoRed enumerates network interfaces. Quote: “lists of network interfaces…”
- [T1003] Credential Dumping – GoRed can obtain credentials from compromised systems. Quote: “GoRed can obtain credentials from compromised systems.”
- [T1041] Exfiltration Over C2 Channel – Data is serialized, encrypted, archived, and sent to a dedicated server. Quote: “serializes, encrypts, archives, and sends data it collects to a special server dedicated to storing compromised data.”
- [T1027] Obfuscated/Compressed Files and Information – The initial GoRed sample is compressed with UPX and the source is obfuscated with garble. Quote: “scrond, compressed with UPX (Ultimate Packer for eXecutables).” and “The data in an unpacked sample, written in Go, included… the substring ‘red.team/go-red/’.”
- [T1071.001] Web Protocols – GoRed uses RPC to communicate with its C2 in beacon mode, and web-related protocols such as WSS are among the transports employed. Quote: “GoRed… communicate with its C2 in beacon mode.”
- [T1071.004] Application Layer Protocol: DNS – DNS tunneling is implemented as one of the communication methods. Quote: “DNS tunneling implementation” and “DNS/ICMP tunneling, WSS, and QUIC to communicate with GoRed.”
- [T1569.002] Create or Modify System Process – GoRed establishes persistence via a service and a CLI-based control flow. Quote: “The first command to be executed is ‘service’… It achieves persistence in the system.”
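DNS tunneling, listed above under T1071.004, leaves a characteristic footprint in resolver logs: many unique, long, high-entropy subdomains under one registrable domain, often using record types that carry bulk data. The following added example (not code from the article and not an ExCobalt artifact) scores query logs on those features; the log lines are constructed, the three-field log format is an assumption, and the registrable domain is approximated as the last two labels (a public suffix list would be more accurate).

```python
"""Heuristic DNS-tunnel detection over resolver query logs.

Added example, not part of the original article. Each (client, registrable
domain) pair is profiled on average subdomain length, average character
entropy, the ratio of unique subdomains and the share of bulk-capable
record types. The log below is constructed: one tunnelling client and a
few benign lookups. The registrable domain is assumed to be the last two
labels of the name.
"""
import math
from collections import defaultdict

# Constructed sample log: "<client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 api.example.com A
10.0.0.5 cdn.example.com AAAA
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.00000001.tunnel-example.test TXT
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.00000002.tunnel-example.test TXT
10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.00000003.tunnel-example.test TXT
10.0.0.7 123456789abcdef0fedcba9876543210.00000004.tunnel-example.test TXT
10.0.0.7 deadbeefcafef00d0123456789abcdef.00000005.tunnel-example.test NULL
10.0.0.7 www.example.com A
"""

# Record types whose answers can carry arbitrary payload bytes.
BULK_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain part, registrable domain); last two labels are the zone."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed three-field format into (client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parts[0], parts[1], parts[2].upper()))
    return records


def profile(records):
    """Aggregate per (client, zone): count, unique subdomains, length, entropy, bulk."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "bulk": 0})
    for client, qname, qtype in records:
        sub, zone = split_qname(qname)
        st = stats[(client, zone)]
        st["n"] += 1
        st["subs"].add(sub)
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        st["bulk"] += qtype in BULK_TYPES
    return stats


def suspicious_pairs(records, min_queries=3, min_len=30.0, min_entropy=3.0,
                     min_unique=0.8, min_bulk=0.5):
    """Return the set of (client, zone) pairs exceeding every threshold."""
    flagged = set()
    for key, st in profile(records).items():
        n = st["n"]
        if n < min_queries:
            continue
        avg_len = st["len"] / n
        avg_ent = st["ent"] / n
        unique = len(st["subs"]) / n
        bulk = st["bulk"] / n
        if (avg_len >= min_len and avg_ent >= min_entropy
                and unique >= min_unique and bulk >= min_bulk):
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    for client, zone in sorted(suspicious_pairs(parse_log(SAMPLE_LOG))):
        print(f"possible DNS tunnel: client={client} zone={zone}")
```

The thresholds are starting points, not signatures: CDNs and some security products also generate long, unique subdomains, so tune `min_len` and `min_entropy` against a baseline of the environment's own traffic and corroborate hits with the record types and volumes before acting.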
Indicators of Compromise
- [Domain] – GoRed infrastructure domains used for C2 and exfiltration: lib.rpm-bin.link, leo.rpm-bin.link, get.rpm-bin.link, sula.rpm-bin.link, lib.rest, rosm.pro, pkg.collect.net.in, and other related domains.
- [File] – GoRed payloads and samples found on Linux hosts: scrond (UPX-packed backdoor sample).