Go-based GobRAT Targets Linux Routers in Japan

The GobRAT operation

• The attack begins with an open scan for the routers having WEBUI exposed to the public. 
• It attempts intrusion by possibly exploiting some known vulnerabilities and then initiating a chain of infection by executing several scripts.
• The first one is a Loader Script, that disables the firewall, downloads the GobRAT, and creates and executes additional scripts including a Start Script and a Daemon Script.
• The Start Script executes the GobRAT, masquerading as the Apache daemon process (apached). The Daemon Script ensures that the Start Script is running, by checking its status every 20 seconds.

Deep dive into GobRAT

• Upon infection, it scans the infected machine to obtain the IP address and MAC address, total uptime, and status of the network communication.
• In the source code, the C2 string and the Linux commands are encrypted. It uses AES128 CTR mode to decrypt the strings. 
• It supports a list of 22 commands to perform various tasks, including obtaining machine information, reading and writing files, initiating SOCKS5 socket, and executing the reverse shell. 
• It further attempts to log in to Telnet, SSHD, MySQL, Redis, and PostgreSQL services running on other machines across the network.

Concluding thoughts