GobRAT targeting Linux routers
Target Industry
Indiscriminate, opportunistic attacks
Overview
The malware GobRAT has been observed in recent attacks targeting Linux-based routers in Japan. The attackers make use of publicly exposed, insecurely configured Secure Shell (SSH) services, which are then leveraged to carry out various functions such as maintaining persistence and controlling the system.
The attack begins with SSH commands being executed on the Linux-based router; a loader script is then created and used to launch the malware, which provides remote control and monitoring of the compromised system.
This campaign has significant implications for Linux users, who are targeted for espionage purposes via the traffic passing through the router.
Impact
Malware of this nature can be used to spy on the traffic of users on a network, potentially unnoticed over a long period. The stolen information can then be sold to other malicious actors for further exploitation, leading to blackmail or account compromise using stolen credentials.
Vulnerability Detection
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against threats such as GobRAT. An EDR can alert system users to a potential breach and block further progress before the malware is able to cause significant damage.
Affected Products
Linux routers.
Containment, Mitigations & Remediations
As mentioned previously, it is recommended that an EDR solution is implemented, allowing potential attacks from a wide range of threats to be prevented or mitigated in real time.
All devices should have the most recent vendor updates applied, as these contain security fixes that help prevent exploitation by known threats.
Ensuring that routers' SSH services are not reachable from the Internet minimises the attack surface, since this exposure is what allows threat actors to send malicious SSH commands to the router and gain access.
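As an added illustration of the last point (example code written for this page, not part of the original advisory or any vendor tool), the script below checks an sshd_config fragment for settings that leave SSH exposed and password-guessable, and scans sshd auth-log lines for accepted logins arriving from outside the RFC 1918 LAN ranges, the kind of event that precedes the SSH-driven loader stage described above. The config fragment, log lines, hostnames and addresses are all constructed samples.

```python
import ipaddress
import re

# Constructed sshd_config fragment showing the weak settings the advisory warns about.
WEAK_SSHD_CONFIG = """\
Port 22
# listening on every interface makes the service reachable from the WAN side
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed auth-log lines; 203.0.113.45 is a documentation address standing
# in for an Internet source, 192.168.1.20 for a LAN-side administrator.
SAMPLE_AUTH_LOG = """\
May 10 03:12:40 router sshd[812]: Failed password for root from 203.0.113.45 port 51822 ssh2
May 10 03:12:44 router sshd[812]: Failed password for root from 203.0.113.45 port 51822 ssh2
May 10 03:12:51 router sshd[812]: Accepted password for root from 203.0.113.45 port 51822 ssh2
May 10 08:01:02 router sshd[901]: Accepted publickey for admin from 192.168.1.20 port 40012 ssh2
"""

LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EVENT_RE = re.compile(r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def audit_sshd_config(text):
    """Return findings for settings that leave SSH exposed or open to credential guessing."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("listenaddress", "0.0.0.0") in ("0.0.0.0", "::"):   # OpenSSH default: all interfaces
        findings.append("sshd listens on all interfaces; bind it to the LAN address only")
    if settings.get("permitrootlogin") == "yes":
        findings.append("root may log in over SSH; set PermitRootLogin to no")
    if settings.get("passwordauthentication", "yes") == "yes":         # OpenSSH default: yes
        findings.append("password logins allowed; use keys so weak credentials cannot be guessed")
    return findings


def external_logins(log_text):
    """Flag accepted SSH logins from outside the LAN, with the failed attempts that preceded each."""
    failures, hits = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or any(ipaddress.ip_address(m["ip"]) in net for net in LAN_NETS):
            continue   # not an auth event, or a LAN-side login we do not flag here
        if m["result"] == "Failed":
            failures[m["ip"]] = failures.get(m["ip"], 0) + 1
        else:
            hits.append((m["user"], m["ip"], m["method"], failures.get(m["ip"], 0)))
    return hits
```

On a real device the log scan would run over the router's sshd log; a hit with a non-zero failure count is a guessed password, not a legitimate remote administrator.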
Indicators of Compromise
GobRAT associated hashes (SHA256):
Threat Landscape
Remote administration kits (RATs) have been a prominent threat for a substantial period because of their wide range of capabilities for remotely manipulating a system, in addition to their spying features. Despite their age, they remain a persistent threat because of the level of control granted to threat actors upon successful execution.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Initial Access
T1190 – Exploit Public-Facing Application
Execution
T1059 – Command and Scripting Interpreter
Collection
T1056 – Input Capture
Command and Control
T1090 – Proxy
Further Information
GobRAT malware written in Go language targeting Linux routers