
Japanese Linux routers are the target of a new GobRAT remote access Trojan.
GobRAT, a new Golang remote access trojan (RAT), is aimed at Linux routers in Japan.
"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said.
Once an internet-exposed router has been compromised, a loader script delivers GobRAT, which, when run, impersonates the Apache daemon process (apached) to avoid detection.
The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access.
For its part, GobRAT uses the Transport Layer Security (TLS) protocol to connect with a remote server and obtain up to 22 distinct encrypted orders that can be executed.
Some of the major commands are as follows:
- Obtain machine information
- Execute reverse shell
- Read/write files
- Configure new command-and-control (C2) and protocol
- Start SOCKS5 proxy
- Execute file in /zone/frpc, and
- Attempt to login to sshd, Telnet, Redis, MySQL, and PostgreSQL services running on another machine
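The loader behaviours described above (a process posing as "apached", cron persistence, an injected SSH key) can be checked for on a Linux host with a small triage script. The following is an added example written for this article, not code from JPCERT/CC or from the malware analysis; it assumes process, crontab and authorized_keys data are supplied as text lines, and the drop directories other than /zone (which the article names) are an assumption.

```python
import base64
import hashlib

# /zone/ comes from the article (/zone/frpc); the temp directories are an assumed
# list of places a dropped binary would typically be staged.
SUSPECT_DIRS = ("/zone/", "/tmp/", "/var/tmp/", "/dev/shm/")

def masquerading_apached(proc_lines):
    """proc_lines: 'pid comm exe' per line (as read from /proc/<pid>/comm and exe).
    Real Apache runs as httpd or apache2; an 'apached' process backed by a binary
    in a drop directory matches the masquerade the article describes."""
    hits = []
    for line in proc_lines:
        pid, comm, exe = line.split()
        if comm == "apached" and exe.startswith(SUSPECT_DIRS):
            hits.append((int(pid), exe))
    return hits

def cron_persistence(crontab_lines):
    """Flag non-comment crontab entries that launch something from a drop directory."""
    return [l for l in crontab_lines
            if not l.lstrip().startswith("#") and any(d in l for d in SUSPECT_DIRS)]

def key_fingerprint(authorized_line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line.
    Handles an optional options prefix by locating the key-type token."""
    tokens = authorized_line.split()
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(tokens[idx + 1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest

def unexpected_keys(authorized_lines, allowed_fingerprints):
    """Return authorized_keys entries whose fingerprint is not on the allow-list."""
    return [l for l in authorized_lines
            if l.strip() and not l.lstrip().startswith("#")
            and key_fingerprint(l) not in allowed_fingerprints]

# Constructed sample data standing in for a compromised router's state.
PROC_SAMPLE = ["412 apache2 /usr/sbin/apache2",
               "1987 apached /zone/apached",
               "2003 frpc /zone/frpc"]
CRON_SAMPLE = ["# m h dom mon dow command",
               "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
               "*/5 * * * * /zone/apached >/dev/null 2>&1"]
KEYS_SAMPLE = [  # key blobs are arbitrary constructed bytes, not real keys
    "ssh-ed25519 " + base64.b64encode(b"admin-key-blob").decode() + " admin@router",
    "ssh-rsa " + base64.b64encode(b"dropped-by-loader").decode() + " root@unknown"]
ALLOWED = {key_fingerprint(KEYS_SAMPLE[0])}  # fingerprints the operator recognises

if __name__ == "__main__":
    print(masquerading_apached(PROC_SAMPLE), cron_persistence(CRON_SAMPLE),
          unexpected_keys(KEYS_SAMPLE, ALLOWED))
```

On a live host the three inputs would be read from /proc, the crontab files and each user's ~/.ssh/authorized_keys; a hit in any of the three is a reason to pull the binary for analysis rather than proof of GobRAT on its own.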
Nearly three months ago, Lumen Black Lotus Labs disclosed that business-grade routers had been exploited by HiatusRAT malware to eavesdrop on victims in Latin America, Europe, and North America.