JPCERT/CC reports router infections in Japan using GobRAT, a Go-based RAT that communicates with a TLS C2 server. The attack chain drops GobRAT via a Loader Script, establishes persistence with cron and startup scripts, and employs encryption to hide C2 traffic and commands. #GobRAT #JPCERTCC #GoLang #LinuxRouters #Japan
Keypoints
- Attack targeted routers with publicly accessible WEBUI in Japan around February 2023, leading to GobRAT infection.
- Loader Script disables firewall, downloads GobRAT for the target architecture, creates Start Script, and registers persistence via crontab, plus a Daemon Script and SSH key backdoor.
- Start Script writes a restart log and runs GobRAT under the name apached to appear legitimate.
- Daemon Script periodically checks the Start Script (every 20 seconds) and restarts it if needed to maintain persistence.
- GobRAT is a Go-based RAT packed with UPX, supports multiple architectures, and gathers host info (IP, MAC, uptime) at startup.
- GobRAT communicates with its C2 server over TLS, exchanging messages serialized with Go's gob encoding, and stores its strings encrypted with AES-128-CTR; the binary also carries a distinctive folder structure (aaa.com/bbb/me~).
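The persistence chain above (crontab entry, Start Script, GobRAT running as apached, Daemon Script watchdog, SSH key in authorized_keys) can be triaged offline from artifacts copied off a router. The following is an added example and not code from the JPCERT/CC post; the sample crontab, process table and key file are constructed, and the /tmp/.x paths and key strings are placeholders rather than indicators from the report.

```python
# Added example, not code from the JPCERT/CC post: offline triage of router artifacts for
# the persistence chain above. Samples are constructed; /tmp/.x and keys are placeholders.
import re

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # router daemons are not launched from here
HIDDEN_DIR = re.compile(r"/\.[^/]+/")                 # e.g. /tmp/.x/start.sh

def suspicious_path(path):
    return path.startswith(SUSPECT_DIRS) or bool(HIDDEN_DIR.search(path))

def cron_findings(crontab_text):
    """Crontab commands launched from temp or hidden dirs (Start Script persistence)."""
    found = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # '@reboot cmd' has one schedule field; 'm h dom mon dow cmd' has five
        cmd = fields[1:] if fields[0].startswith("@") else fields[5:]
        if any(suspicious_path(tok) for tok in cmd):
            found.append(" ".join(cmd))
    return found

def process_findings(procs):
    """procs: (pid, comm, exe, cmdline) from /proc. The name 'apached' earns no trust;
    the binary location and any script an interpreter runs (Daemon Script) are checked."""
    return [(pid, comm) for pid, comm, exe, cmdline in procs
            if suspicious_path(exe) or any(suspicious_path(t) for t in cmdline.split())]

def authorized_keys_findings(keys_text, allowed_keys):
    """authorized_keys entries whose type + key material is not allowlisted (comments
    are attacker-controlled, so they are never compared)."""
    found = []
    for line in keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            key = parts[0] + " " + parts[1]
            if key not in allowed_keys:
                found.append(key)
    return found

# Constructed samples standing in for files pulled from a router.
CRONTAB = "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n* * * * * /tmp/.x/start.sh\n"
PROCS = [(1, "init", "/sbin/init", "init"), (412, "dropbear", "/usr/sbin/dropbear", "dropbear"),
         (873, "apached", "/tmp/.x/apached", "apached"),       # GobRAT under a fake name
         (901, "sh", "/bin/sh", "sh /tmp/.x/daemon.sh")]       # Daemon Script watchdog
ADMIN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_ADMIN"  # placeholder material
KEYS = ADMIN_KEY + " admin@console\nssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER_UNKNOWN root@host\n"

def triage(crontab=CRONTAB, procs=PROCS, keys=KEYS, allowed=(ADMIN_KEY,)):
    """Findings per artifact; all lists empty means no GobRAT-style persistence seen."""
    return {"cron": cron_findings(crontab), "procs": process_findings(procs),
            "ssh_keys": authorized_keys_findings(keys, set(allowed))}
```

The location checks deliberately ignore the process name, since apached is exactly the kind of name chosen to pass a glance at a process list.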
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker first targets a router whose WEBUI is exposed to the public, executes scripts (possibly by exploiting vulnerabilities), and finally infects it with GobRAT.
- [T1105] Ingress Tool Transfer – The Loader Script downloads the GobRAT build for the target machine's architecture.
- [T1053.005] Cron – The Loader Script registers the file path of the Start Script in crontab for persistence.
- [T1036] Masquerading – The Start Script executes GobRAT under the file name apached so that it looks like a legitimate process.
- [T1562.004] Impair Defenses – The Loader Script disables the firewall function.
- [T1071.001] Web Protocols – GobRAT uses TLS to send and receive data with its C2 server.
- [T1016.001] System Network Configuration Discovery – GobRAT collects the infected host's own IP address and MAC address.
- [T1098] SSH Authorized Keys – An SSH public key is registered in /root/.ssh/authorized_keys.
- [T1021.001] SSH – Attempts to log in to sshd, Telnet, Redis, MySQL, and PostgreSQL services running on other machines.
- [T1027] Obfuscated/Compressed Data – Strings such as C2 addresses and Linux commands are stored encrypted in the sample and decrypted at runtime with AES-128 in CTR mode.
Indicators of Compromise
- [Domain] C2 domains – su.vealcat.com, ktlvz.dnsfailover.net, and 1 more item
- [File] Startup and persistence files – restart.log, apached, Loader Script, Start Script, Daemon Script (and 2 more files)
- [File] SSH backdoor key location – /root/.ssh/authorized_keys
- [Hash] Script hashes – 060acb2a5df6560acab9989d6f019fb311d88d5511f3eda0effcbd9fc6bd12bb, feaef47defd8b4988e09c8b11967e20211b54e16e6df488780e2490d7c7fa02a, and 2 more hashes
- [Hash] Malware hashes – a8b914df166fd0c94106f004e8ca0ca80a36c6f2623f87a4e9afe7d86b5b2e3a, aeed77896de38802b85a19bfcb8f2a1d567538ddc1b045bcdb29cb9e05919b60, and 14 more hashes
Read more: https://blogs.jpcert.or.jp/en/2023/05/gobrat.html