The ExCobalt group is back on the scene and has acquired a new backdoor on Go

to the full report.

The thread that led us to GoRed

During the investigation of an incident recorded in March on one of our clients' Linux nodes, we discovered a file called scrond, packed with UPX. The sample was written in Go. After unpacking, we found package paths containing the substring red.team/go-red/. Based on this, we assumed that we were dealing with a proprietary tool code-named GoRed.

When studying the site, we were unable to identify any significant connection with malicious activity, so we assumed that the domain red.team, found in the GoRed strings, is a local repository of penetration testing utilities.

Internal packages


Looking ahead a bit, we will say that the GoRed backdoor is equipped with many functions. The most interesting of them are:

  • connecting to the operator and executing commands, like other C2 frameworks such as Cobalt Strike, Sliver, etc.;

  • obtaining credentials from compromised systems;

  • collecting information from compromised systems, such as data about active processes, host name, network interfaces, file system structure;

  • reconnaissance of the victim's network;

  • serializing, encrypting, archiving and sending the collected data to a dedicated server designed to store it.

Evidence linking ExCobalt

In our previous report on ExCobalt attacks on Russian companies, we mentioned the domain lib.rpm-bin.link. When enumerating its directories, we obtained many tools, including the first version of GoRed. In addition, in the context of another incident that also occurred this spring, we detected infected nodes contacting the attackers' servers, namely get.rpm-bin.link and leo.rpm-bin.link. GoRed also used a static_TransportConfig that contained the following C2 hosts:

  • leo.rpm-bin.link,

  • sula.rpm-bin.link,

  • lib.rest,

  • rosm.pro.
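The discovery path above (a UPX-packed Go binary whose package paths and C2 hosts only became visible after unpacking) lends itself to a simple triage check. The following script is an added example, not code from the report or from Positive Technologies: it flags UPX markers and searches a binary blob for the package-path prefix and C2 hosts quoted in this report. The two sample blobs are constructed for illustration.

```python
import re
from typing import Dict, List

# Indicators quoted in the report: the Go package path prefix found after
# unpacking scrond, and the hosts from GoRed's static_TransportConfig and
# the observed rpm-bin.link infrastructure.
GORED_PKG_PREFIX = b"red.team/go-red/"
GORED_C2_HOSTS = (b"leo.rpm-bin.link", b"sula.rpm-bin.link", b"lib.rest",
                  b"rosm.pro", b"get.rpm-bin.link", b"lib.rpm-bin.link")
# UPX leaves its "UPX!" header magic and UPX0/UPX1 section names in packed files.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(data: bytes) -> List[bytes]:
    """Return printable ASCII runs of 6+ characters, like `strings -n 6`."""
    return PRINTABLE.findall(data)


def scan_blob(data: bytes) -> Dict[str, object]:
    """Triage a binary: report UPX markers, GoRed package paths and C2 hosts.

    A packed sample hides its Go strings, so a miss on a packed file is not
    a clean verdict; the analyst must unpack (e.g. with `upx -d`) and rescan.
    Host matching is a plain substring check, so treat hits as leads, not proof.
    """
    strings = extract_strings(data)
    packed = any(m in data for m in UPX_MARKERS)
    pkg_paths = sorted({s for s in strings if GORED_PKG_PREFIX in s})
    c2 = sorted(h for h in GORED_C2_HOSTS if h in data)
    if pkg_paths or c2:
        verdict = "GoRed indicators present"
    elif packed:
        verdict = "packed, unpack before judging"
    else:
        verdict = "no indicators"
    return {"upx_packed": packed, "gored_package_paths": pkg_paths,
            "c2_hosts": c2, "verdict": verdict}


# Constructed sample: an unpacked Go binary fragment carrying a GoRed package
# path and a URL pointing at one of the C2 hosts from the report.
SAMPLE_UNPACKED = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
                   + b"red.team/go-red/pkg/service\x00"
                   + b"https://leo.rpm-bin.link/api\x00")
# Constructed sample: a UPX-packed fragment whose Go strings are compressed away.
SAMPLE_PACKED = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
                 + b"UPX!\x0d\x17\x08" + b"\x93\xa4\x11" * 10)

if __name__ == "__main__":
    for name, blob in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED)):
        print(name, scan_blob(blob))
```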

In May 2023, researchers from BI.ZONE released an analysis of Sneaking Leprechaun attacks. The group's toolkit overlaps with the files found in open directories described above.

In addition, in May of this year, other colleagues of ours released a study on the Shedding Zmiy activity cluster, which is also associated with the ExCobalt group. In the seventh case of their report, they examine the same attack and a sample of the GoRed stealer from a C2 (pkg.collect.net.in), which they labeled Bulldog Backdoor.

Over the past year, the PT Expert Security Center team has detected and investigated incidents committed by ExCobalt in domestic companies in the public sector, metallurgy, telecommunications, mining and IT.

Taking GoRed apart piece by piece

You can get acquainted with the main milestones in the development of the backdoor in the full report, as here we will focus on the latest version, 0.1.4. First, we will describe the structure of the internal packages and their purpose; this will help to better understand the functionality of the malware.

To understand how control flow works, our team has drawn a simplified diagram.

Stage #1. Start of execution

The control flow is based on the command line interface (hereinafter referred to as cli). But before control is handed over to the cli, several commands are initialized, described below:

The first command to be initialized is service, which establishes persistence on the system. The GoRed command structure for the cli is as follows:

From the point of view of identifying the commands being executed, the most interesting fields of this structure are the following:

  • Name — command name.

  • Usage — description of the command.

  • Action — a function that will be executed when the command is called.

  • Subcommands — subcommands for the current command.

Next, the cli structure itself is initialized in the variable app.

The app structure is presented below.

Here, the most informative fields for identifying commands are also the following:

  • Name — the name of the current command.

  • Action — the function that will be executed.

  • Commands — subcommands of the current command.

In addition, the Commands field of the app structure is initialized.

Afterwards, the value of the Logging field is obtained from the embedded_Config structure. Control then passes to the cli.

We have only looked at the start of the backdoor. The remaining stages (for those who want to dive deeper) are described in the extended study. There you can also find information about GoRed's configurations (transport and embedded), its protocols for communicating with the operator, and its background and callable commands.

Evolution of tradecraft

Our research shows that the ExCobalt group continues to actively attack Russian companies. The attackers do not stand still: they constantly add new tools and techniques to their arsenal while improving existing ones. A striking example is the GoRed backdoor, which has acquired new capabilities for collecting data from victims. Such signs indicate ExCobalt's desire (and willingness!) to carry out more complex and effective intrusions. The attackers have also become stealthier, improving their covertness both on the compromised systems and in communications with their command-and-control servers.

Precise strikes on companies

Showing flexibility and adaptability, the group acts decisively. Thus, attackers arm themselves with patched utilities, with the help of which they can easily bypass protective measures. In addition, they meticulously search for weaknesses in the infrastructure of their intended victims and effectively exploit the discovered vulnerabilities. This approach allows them to carry out increasingly sophisticated attacks.

More PT Expert Security Center reports dedicated to new types of malware, the activity of APT groups, and hacker techniques and tools can be found on the blog.


Vladislav Lunin @noobxo

Senior specialist of the information security threat research department of the Positive Technologies security expert center

Alexander Badaev

Specialist in the information security threat research department of the Positive Technologies Security Expert Center
