Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT.
“Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT,” the JPCERT Coordination Center (JPCERT/CC) said in a report published today.
The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection.
The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access.
GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution.
Some of the major commands are as follows –
- Obtain machine information
- Execute reverse shell
- Read/write files
- Configure new command-and-control (C2) and protocol
- Start SOCKS5 proxy
- Execute file in /zone/frpc, and
- Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine
The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers have been victimized to spy on victims in Latin America, Europe, and North America using a malware called HiatusRAT.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.