A new Golang-based Remote Access Trojan (RAT) dubbed GobRAT has been targeting Linux routers in Japan.
"Attackers first target routers with an exposed WEBUI, possibly exploiting vulnerabilities to execute scripts, and eventually infect them with GobRAT," JPCERT Coordination Center (JPCERT/CC) said in a report released today.
Once an Internet-facing router is compromised, a loader script is deployed that acts as a conduit for delivering GobRAT. When launched, the script evades detection by disguising itself as an Apache daemon process (apached).
The loader is also designed to disable the firewall, use the cron job scheduler to establish persistence, and register an SSH public key in the .ssh/authorized_keys file for remote access.
GobRAT communicates with its command-and-control server over the Transport Layer Security (TLS) protocol to receive and execute up to 22 different encrypted commands.
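The three persistence traits the article attributes to the loader (a process masquerading as "apached", a cron entry that relaunches it, and an SSH public key added to authorized_keys) are the kind of thing a defender can triage from a router's artifacts. The following script is an added example, not code from JPCERT/CC or the article; the process list, crontab and authorized_keys contents it scans are constructed sample data, and the daemon name "apached" is taken from the report while the `/tmp` path and key material are assumptions.

```python
"""
Added defender-side triage example (not from the JPCERT/CC report).
Scans constructed snapshots of a router's process list, crontab and
authorized_keys for the persistence traits described in the article.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # which artifact produced the finding
    detail: str   # human-readable description


# Constructed sample of `ps` output as (pid, command line) pairs.
SAMPLE_PROCESSES = [
    (101, "/usr/sbin/dropbear -p 22"),
    (212, "/usr/bin/apached"),                    # masquerade name from the report
    (305, "/usr/sbin/httpd -f /etc/httpd.conf"),  # real web server daemon
]

# Constructed crontab; the /tmp path is an assumption, not from the report.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/apached
"""

# Constructed authorized_keys contents: a known-good baseline and a later snapshot.
SAMPLE_AUTHORIZED_KEYS_BEFORE = "ssh-ed25519 AAAAC3_CONSTRUCTED_BASELINE_KEY admin@router\n"
SAMPLE_AUTHORIZED_KEYS_AFTER = (
    SAMPLE_AUTHORIZED_KEYS_BEFORE
    + "ssh-rsa AAAAB3_CONSTRUCTED_UNKNOWN_KEY unknown\n"
)

# Real Apache runs as 'httpd' or 'apache2'; 'apached' is the name the report
# says the loader uses to blend in.
SUSPICIOUS_PROCESS_NAMES = {"apached"}

# Cron commands launched from world-writable scratch directories deserve a look.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<cmd>.+)$")  # five schedule fields, then the command


def check_processes(processes):
    """Flag processes whose executable name matches a known masquerade name."""
    findings = []
    for pid, cmdline in processes:
        exe = cmdline.split()[0].rsplit("/", 1)[-1]
        if exe in SUSPICIOUS_PROCESS_NAMES:
            findings.append(Finding("process", f"pid {pid} runs as '{exe}' ({cmdline})"))
    return findings


def check_crontab(crontab_text):
    """Flag cron entries that run from scratch dirs or invoke a masquerade name."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        prog = m.group("cmd").split()[0]
        if prog.startswith(WRITABLE_PREFIXES) or prog.rsplit("/", 1)[-1] in SUSPICIOUS_PROCESS_NAMES:
            findings.append(Finding("cron", f"persistence entry: {line}"))
    return findings


def check_authorized_keys(baseline_text, current_text):
    """Report public keys present now that were absent from the known-good baseline."""
    def keys(text):
        result = set()
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
                result.add((parts[0], parts[1]))  # (key type, key blob); comment ignored
        return result

    added = keys(current_text) - keys(baseline_text)
    return [Finding("authorized_keys", f"unknown key added: {t} {k[:16]}") for t, k in sorted(added)]


def triage(processes, crontab_text, keys_baseline, keys_current):
    """Run all three checks and return the combined list of findings."""
    return (check_processes(processes)
            + check_crontab(crontab_text)
            + check_authorized_keys(keys_baseline, keys_current))


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_CRONTAB,
                    SAMPLE_AUTHORIZED_KEYS_BEFORE, SAMPLE_AUTHORIZED_KEYS_AFTER):
        print(f"[{f.source}] {f.detail}")
```

The authorized_keys check only works if a trusted baseline was captured before compromise; on a real device that baseline would come from configuration management or a golden image rather than from the router itself.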
Some of the key commands are:
- Get machine information
- Run a reverse shell
- Read/write files
- Configure a new command-and-control (C2) server and protocol
- Start a SOCKS5 proxy
- Run files in /zone/FRPC and
- Attempt to log in to sshd, Telnet, Redis, MySQL and PostgreSQL services running on other machines
The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers in Latin America, Europe and North America were being spied on using malware called HiatusRAT.