
Expanding cyber threat: GobRAT targets Linux routers in Japan

Attack detected by the JPCERT Coordination Center compromises router security, disguising the malware as an Apache process and establishing dangerous remote access


The cybersecurity world has recently been shaken by a new remote access trojan, written in Golang and known as GobRAT. This insidious software targets Linux routers in Japan, and its initial attack strategy involves locating a router whose web UI is freely accessible from the public Internet. The trojan then exploits potential vulnerabilities to execute malicious scripts, eventually infecting the system with GobRAT. This finding was reported by the JPCERT Coordination Center (JPCERT/CC) in a report released today.

Attack techniques and procedures: how GobRAT works

Once a router exposed on the Internet is compromised, the attack continues with the launch of a loader script. This acts as the delivery vehicle for GobRAT and, when activated, masquerades as the Apache daemon process (apached) to avoid detection. The loader is able to disable firewalls and establish persistence using the cron task scheduler. It can also register an SSH public key in the .ssh/authorized_keys file to grant remote access.
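The three host-side persistence indicators described above (a process hiding under the apached name, a cron entry that re-launches it, and an SSH public key added to authorized_keys) can be checked from a process listing, a crontab and the authorized_keys file. The following Python script is an added defender-side example, not code from this article or from the JPCERT/CC report: the sample process listing, cron lines and key blobs are constructed, the "daemon running from a world-writable directory" heuristic and the admin key allowlist are assumptions, and the SHA256 fingerprint format follows OpenSSH's `SHA256:<base64>` convention.

```python
import base64
import hashlib
from collections import namedtuple

# Process name the report says the loader hides behind, plus directories from which a
# legitimate daemon should never run (the directory list is an assumption for this example).
MASQUERADE_NAMES = {"apached"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

Proc = namedtuple("Proc", "pid comm args")


def masquerading_processes(ps_output):
    """Flag processes named like the loader or started from a writable temp directory.
    Expects `ps -eo pid,user,comm,args` style output with a header line (assumption)."""
    hits = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, _user, comm, args = parts
        if comm in MASQUERADE_NAMES or args.startswith(WRITABLE_DIRS):
            hits.append(Proc(int(pid), comm, args))
    return hits


def suspicious_cron_entries(crontab):
    """Flag cron commands that reference the masquerade name or a writable temp directory."""
    hits = []
    for line in crontab.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        # Schedule is either one @keyword or five time fields; the rest is the command.
        fields = entry.split(None, 1) if entry.startswith("@") else entry.split(None, 5)
        cmd = fields[-1]
        if any(d in cmd for d in WRITABLE_DIRS) or any(n in cmd for n in MASQUERADE_NAMES):
            hits.append(entry)
    return hits


def key_fingerprint(key_line):
    """SHA256 fingerprint of an authorized_keys line, in OpenSSH's 'SHA256:<base64>' form.
    Options before the key type (e.g. command="...") are skipped; returns None if no key found."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def unknown_authorized_keys(authorized_keys, allowlist):
    """Return (fingerprint, comment) for every key whose fingerprint is not in the allowlist."""
    hits = []
    for line in authorized_keys.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        fp = key_fingerprint(entry)
        if fp not in allowlist:
            fields = entry.split()
            comment = fields[-1] if fields[-1] not in KEY_TYPES and len(fields) > 2 else ""
            hits.append((fp, comment))
    return hits


# ---- Constructed sample data (not telemetry from a real router) ----
SAMPLE_PS = """\
  PID USER     COMMAND  ARGS
    1 root     init     /sbin/init
  412 root     apache2  /usr/sbin/apache2 -k start
  977 root     apached  /tmp/apached
 1003 root     sshd     /usr/sbin/sshd -D
"""

SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/apached
@reboot /var/tmp/.s/apached
"""

# Key blobs are base64 of marker strings, not real public keys.
ADMIN_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed admin key blob").decode() + " admin@router"
IMPLANT_KEY = "ssh-ed25519 " + base64.b64encode(b"constructed unknown key blob").decode() + " x"
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY + "\n" + IMPLANT_KEY + "\n"
KNOWN_FINGERPRINTS = {key_fingerprint(ADMIN_KEY)}  # assumed admin allowlist


def check_router(ps_output, crontab, authorized_keys, allowlist):
    """Collect all three indicator classes into one report dictionary."""
    return {
        "processes": masquerading_processes(ps_output),
        "cron": suspicious_cron_entries(crontab),
        "ssh_keys": unknown_authorized_keys(authorized_keys, allowlist),
    }


if __name__ == "__main__":
    for section, findings in check_router(SAMPLE_PS, SAMPLE_CRON, SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS).items():
        print(f"{section}: {findings if findings else 'no findings'}")
```

On a real device the three inputs would come from `ps -eo pid,user,comm,args`, the root crontab and `/root/.ssh/authorized_keys`; the allowlist is the set of fingerprints of keys the operator deliberately installed, so any other key is a finding regardless of how plausible its comment looks.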

GobRAT features: commands and remote communication

GobRAT does not act in isolation, but maintains a link with a remote server. The communication takes place over Transport Layer Security (TLS), through which the trojan receives up to 22 different encrypted commands to execute. Key commands include collecting machine information, running a reverse shell, reading and writing files, configuring a new command-and-control (C2) server and protocol, starting a SOCKS5 proxy, executing files in /zone/frpc, and attempting to access sshd, Telnet, Redis, MySQL and PostgreSQL services running on other machines.
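The last capability above, probing sshd, Telnet, Redis, MySQL and PostgreSQL on other machines, is visible on the network side: a router that starts opening connections to several internal hosts on those service ports is behaving like a scanner, not a gateway. The following Python function is an added example, not code from this article or from the JPCERT/CC report: it scans connection-tracking records for a source that reached the named services on a threshold number of distinct hosts. The flow records are constructed, and the default ports for the five services and the threshold of three hosts are assumptions of the example.

```python
from collections import defaultdict

# Default ports of the services the report says GobRAT tries to reach on other machines
# (the port-to-service mapping is an assumption of this example, not from the report).
PROBED_PORTS = {22: "sshd", 23: "telnet", 6379: "redis", 3306: "mysql", 5432: "postgresql"}

# Constructed connection records (src, dst, dport, state); not real telemetry.
SAMPLE_FLOWS = [
    ("192.168.1.1", "192.168.1.20", 22, "SYN_SENT"),
    ("192.168.1.1", "192.168.1.21", 23, "SYN_SENT"),
    ("192.168.1.1", "192.168.1.22", 6379, "ESTABLISHED"),
    ("192.168.1.1", "192.168.1.23", 3306, "SYN_SENT"),
    ("192.168.1.1", "8.8.8.8", 53, "ESTABLISHED"),       # DNS, not a probed port
    ("192.168.1.50", "192.168.1.30", 3306, "ESTABLISHED"),  # one workstation, one DB: normal
    ("192.168.1.50", "192.168.1.30", 5432, "ESTABLISHED"),  # same host again, still one target
]


def lateral_probe_candidates(flows, min_targets=3):
    """Return {src: [(dst, dport, service), ...]} for sources that contacted at least
    `min_targets` distinct hosts on the probed service ports. Connection state is ignored:
    a refused SYN is as telling as an established session for this purpose."""
    per_source = defaultdict(set)
    for src, dst, dport, _state in flows:
        if dport in PROBED_PORTS:
            per_source[src].add((dst, dport, PROBED_PORTS[dport]))
    return {
        src: sorted(targets)
        for src, targets in per_source.items()
        if len({dst for dst, _, _ in targets}) >= min_targets
    }


if __name__ == "__main__":
    for src, targets in lateral_probe_candidates(SAMPLE_FLOWS).items():
        print(f"{src} probed {len(targets)} service(s): {targets}")
```

With records exported from conntrack or a firewall log, the same function can run periodically; the threshold is deliberately low because a router has almost no legitimate reason to initiate connections to internal database or shell services at all.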

Background and implications: a growing security problem

These findings come about three months after Lumen Black Lotus Labs revealed that enterprise-grade routers were being exploited to spy on victims in Latin America, Europe and North America via malware called HiatusRAT. The emergence of GobRAT adds another layer of complexity to an already tangled cybersecurity landscape, underscoring the importance of keeping network infrastructure up to date and secure.


06/01/2023 04:46

Marco Verro
