Japanese Linux routers are the target of a new GobRAT remote access Trojan.
GobRAT, a new Golang remote access trojan (RAT), is aimed at Linux routers in Japan.
"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said.
Once an internet-exposed router has been compromised, a loader script is used to deliver GobRAT, which, when run, impersonates the Apache daemon process (apached) to avoid detection.
The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access.
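The traces described above (a process named apached, the /zone/frpc path, an added SSH key, a cron job) can be triaged with a few portable shell checks. This is an added example, not code from JPCERT/CC or the article; each check takes a file or directory argument so it can run against a live host (ps output, /root/.ssh, /etc/cron*) or a mounted router image, and the sample inputs at the bottom are constructed:

```shell
#!/bin/sh
# Added triage helper for the GobRAT persistence traces described in the article.
# Legitimate Apache runs as httpd or apache2, so a process literally named
# "apached" is worth a look on its own.

# $1: file with one "PID COMM" per line (e.g. output of: ps -eo pid,comm).
# Prints matching processes; returns 0 if at least one "apached" is present.
find_apached() {
    awk '$2 == "apached" { print "suspicious process pid=" $1; n++ }
         END { exit (n ? 0 : 1) }' "$1"
}

# $1: filesystem root to inspect ("/" on a live host, or a mounted image).
# Returns 0 if the path the RAT uses for frpc exists.
find_frpc() {
    [ -e "$1/zone/frpc" ] && echo "found: $1/zone/frpc"
}

# $1: authorized_keys file. Prints key type and comment per entry so a key
# nobody on the team recognises stands out; count_keys returns the total.
list_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        awk '{ print "key: " $1 " " ($3 ? $3 : "(no comment)") }'
}
count_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# $1: crontab file or cron.d directory. Prints every active job line with its
# source file; jobs the operator did not create are the ones to chase.
list_cron() {
    find "$1" -type f -exec grep -EHv '^[[:space:]]*(#|$)' {} +
}

# Constructed sample input (not real captures) so the script runs stand-alone.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '1 init\n812 apached\n900 sshd\n' > "$WORK/ps.txt"
mkdir -p "$WORK/root/zone" && : > "$WORK/root/zone/frpc"
printf '# managed keys\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA admin@router\n' > "$WORK/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYDATA\n' >> "$WORK/authorized_keys"
printf '*/5 * * * * root /tmp/EXAMPLE_loader.sh\n' > "$WORK/crontab"

find_apached "$WORK/ps.txt"
find_frpc "$WORK/root"
list_keys "$WORK/authorized_keys"
list_cron "$WORK/crontab"
```

On a real router, point find_frpc at "/" and feed find_apached the output of `ps -eo pid,comm`; the second key above, with no comment, is the kind of entry the loader's authorized_keys write would leave behind.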
For its part, GobRAT uses the Transport Layer Security (TLS) protocol to connect to a remote server and receive up to 22 distinct encrypted commands that it can execute.
Some of the major commands are as follows:
- Obtain machine information
- Execute reverse shell
- Read/write files
- Configure new command-and-control (C2) and protocol
- Start SOCKS5 proxy
- Execute file in /zone/frpc, and
- Attempt to login to sshd, Telnet, Redis, MySQL, and PostgreSQL services running on another machine
Nearly three months ago, Lumen Black Lotus Labs disclosed that business-grade routers had been exploited by HiatusRAT malware to eavesdrop on victims in Latin America, Europe, and North America.