Indiscriminate, opportunistic attacks
The malware GobRAT has been observed in recent attacks targeting Linux-based routers in Japan. The attack abuses insecure, public-facing Secure Shell (SSH) services, which are then used to execute various functions, such as maintaining persistence and controlling the system.
The malware works by first executing SSH commands on the Linux-based router; a loader script is then created and used to launch the malware, which allows remote control and monitoring of the compromised system.
This attack has significant implications for Linux users, who are being targeted for espionage purposes via the traffic passing through the router.
Malware of this nature can be used to spy on the traffic of users on a network, potentially unnoticed over a long period. The stolen information can then be sold to other malicious actors for further exploitation, leading to blackmail or account compromise using stolen credentials.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats such as GobRAT. EDRs can alert system users to potential breaches and prevent further progress before the malware is able to cause significant damage.
Containment, Mitigations & Remediations
As mentioned previously, it is recommended that an EDR solution be implemented, which allows for the prevention or mitigation of potential attacks from a wide range of threats in real time.
All devices should have the most recent vendor updates applied, as these contain security fixes that help prevent exploitation by known threats.
Ensuring that the router's management services, such as SSH, are not exposed to the public internet minimises the attack surface, as this exposure is what threat actors use to send malicious SSH commands to the router and gain access.
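As an added example (not from the original report), the following Python check can be run over a router's SSH authentication log to flag accepted logins that did not come from a trusted management network, which is the exposure described above. The syslog-style log format, the trusted ranges and the sample lines are assumptions.

```python
import ipaddress
import re

# Assumed syslog-style sshd "Accepted" line, e.g.
# "... sshd[1240]: Accepted password for root from 203.0.113.45 port 51234 ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Management networks from which SSH to the router is expected (assumed;
# adjust to the real LAN/management ranges).
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")
]


def is_outside_trusted(addr: str, trusted_nets=TRUSTED_NETS) -> bool:
    """True if the address is not inside any trusted management network."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False across IP versions, so IPv6 sources are treated as untrusted
    # unless an IPv6 management range is added to trusted_nets.
    return not any(ip in net for net in trusted_nets)


def find_untrusted_ssh_logins(log_lines, trusted_nets=TRUSTED_NETS):
    """Return (user, source, auth method) for each accepted SSH login
    from outside the trusted networks; failed attempts are ignored."""
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m and is_outside_trusted(m.group("src"), trusted_nets):
            hits.append((m.group("user"), m.group("src"), m.group("method")))
    return hits


# Constructed sample log lines; 203.0.113.0/24 is a documentation range
# standing in for an arbitrary internet source.
SAMPLE_LOG = [
    "May 29 10:01:12 router sshd[1234]: Accepted password for admin from 192.168.1.20 port 50412 ssh2",
    "May 29 10:03:45 router sshd[1240]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "May 29 10:03:51 router sshd[1240]: Accepted password for root from 203.0.113.45 port 51234 ssh2",
    "May 29 10:05:02 router sshd[1251]: Accepted publickey for ops from 10.0.0.5 port 44010 ssh2",
]

if __name__ == "__main__":
    for user, src, method in find_untrusted_ssh_logins(SAMPLE_LOG):
        print(f"ALERT: accepted {method} login for {user} from untrusted address {src}")
```

A hit from an address outside the management ranges is the precondition for the SSH-driven loader activity the report describes and warrants checking that the router is not exposing SSH on its WAN side.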
Indicators of Compromise
GobRAT associated hashes (SHA256):
Remote administration kits (RATs) have been a prominent threat for a substantial period due to their wide range of capabilities for remotely manipulating a system, in addition to their spying features. Despite their age, they remain a persistent threat because of the level of control threat actors gain upon successful execution.
No attribution to specific threat actors or groups has been identified at the time of writing.
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter
T1056 – Input Capture
Command and Control
T1090 – Proxy