
New GobRAT Remote Access Trojan Targets Linux Routers in Japan
Linux routers in Japan are the targets of a new Golang-based remote access trojan (RAT) called GobRAT.
“Initially, attackers targeted routers whose WEBUI was open to the public, executed scripts that might use the vulnerability, and eventually infected GobRAT,” the JPCERT Coordination Center (JPCERT/CC) said in a report published today.
The compromise of internet-exposed routers was followed by the deployment of a loader script that acted as a conduit for delivering GobRAT, which, when launched, masqueraded as an Apache daemon process (apached) to avoid detection.
The loader is also equipped to disable firewalls, set up persistence using the cron job scheduler, and register SSH public keys in the .ssh/authorized_keys file for remote access.
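The three loader behaviours just described (a process masquerading as "apached", a cron entry for persistence, and an added SSH key) are the kind of host-level traces a defender would hunt for on a router. The following is an added example, not JPCERT/CC's code or anything from the malware: it applies simple triage rules to constructed samples of `ps` output, a crontab, and an authorized_keys file, and the paths and key values are invented for the demonstration.

```python
"""Triage helpers for the GobRAT loader behaviours described above.
Added example; sample inputs are constructed, not real captures, and the
hunting rules are assumptions about what the behaviour would look like."""
import re

# Constructed `ps -eo pid,comm,args` output: a fake "apached" from /tmp.
PS_SAMPLE = """\
  PID COMMAND  ARGS
    1 init     /sbin/init
  812 httpd    /usr/sbin/httpd -f /etc/httpd.conf
 1337 apached  /tmp/.x/apached
"""

# Constructed crontab: two persistence entries run from a hidden /tmp dir.
CRON_SAMPLE = """\
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/loader.sh
*/5 * * * * /tmp/.x/apached
"""

# Constructed authorized_keys (truncated fake blobs); second key is unknown.
AUTH_KEYS_SAMPLE = """\
ssh-ed25519 AAAAC3NzKEY1 admin@laptop
ssh-rsa AAAAB3NzKEY2 nobody@unknown
"""
KNOWN_KEYS = {"ssh-ed25519 AAAAC3NzKEY1"}  # baseline: type + blob only


def find_apached(ps_output: str) -> list[str]:
    """Return the args of every process whose name is 'apached'."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip header row
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1] == "apached":
            hits.append(parts[2])
    return hits


def suspicious_cron(crontab: str) -> list[str]:
    """Flag cron lines running from temp dirs or hidden directories."""
    bad = re.compile(r"/(tmp|var/tmp|dev/shm)/|/\.[^/\s]+/")
    return [l for l in crontab.splitlines()
            if l and not l.startswith("#") and bad.search(l)]


def unknown_ssh_keys(authorized_keys: str, known: set[str]) -> list[str]:
    """Return key lines whose type+blob is not in the known baseline."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and " ".join(parts[:2]) not in known:
            unknown.append(line)
    return unknown
```

On a real device the three inputs would come from `ps`, the crontabs under /etc and /var/spool/cron, and each user's authorized_keys, with the baseline taken from a known-good configuration.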
GobRAT, for its part, communicates with remote servers over the Transport Layer Security (TLS) protocol and accepts as many as 22 different encrypted commands for execution.
Some of the main commands are as follows:
- Get machine information
- Run a reverse shell
- Read/write files
- Configure command-and-control (C2) and new protocols
- Start the SOCKS5 proxy
- Run the file in /zone/frpc
- Attempt to log in to sshd, Telnet, Redis, MySQL, and PostgreSQL services running on another machine
The findings come almost three months after Lumen's Black Lotus Labs revealed that business-class routers had been compromised to spy on victims in Latin America, Europe, and North America using a malware called HiatusRAT.