
BlackRota Backdoor

BlackRota is a backdoor written in the Go programming language. It gains its initial foothold by abusing Docker Remote API endpoints that have been exposed to the network without authentication: a Docker daemon listening on a TCP port with no TLS client verification gives any client that can reach the port full control of the daemon. The threat is built for both 32-bit (x86) and 64-bit (x86-64) architectures, but only for Linux. A distinguishing feature of BlackRota is the heavy obfuscation applied by the operators behind it. Such intensive obfuscation is rare in Go malware; the infosec researchers who analyzed BlackRota state that it is the most heavily obfuscated Go malware they have encountered to date.
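The exposure BlackRota relies on is a daemon configuration problem rather than a software bug, so the practical check is on the dockerd settings. The following Go program is an added example written for this page (it is not BlackRota's code and not tooling from the researchers): it reads a daemon.json document and reports every TCP listener that would accept API calls from an unauthenticated client. The two configurations it runs against are constructed here; the key names are the real dockerd ones, while the certificate paths are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// daemonConfig holds the subset of /etc/docker/daemon.json keys that decide
// whether the Remote API is reachable over TCP and whether TLS client
// certificates are required on that listener. The key names are the real
// dockerd ones; the struct itself is written for this example.
type daemonConfig struct {
	Hosts     []string `json:"hosts"`
	TLS       bool     `json:"tls"`
	TLSVerify bool     `json:"tlsverify"`
	TLSCACert string   `json:"tlscacert"`
	TLSCert   string   `json:"tlscert"`
	TLSKey    string   `json:"tlskey"`
}

// auditDaemonJSON parses a daemon.json document and returns one finding per
// TCP listener that would accept API calls from any client able to reach the
// port. unix:// and fd:// listeners are skipped: they are guarded by file
// permissions and socket activation, not by the TLS settings.
func auditDaemonJSON(raw []byte) ([]string, error) {
	var cfg daemonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("daemon.json: %w", err)
	}
	var findings []string
	for _, h := range cfg.Hosts {
		if !strings.HasPrefix(h, "tcp://") {
			continue
		}
		switch {
		case !cfg.TLS && !cfg.TLSVerify:
			// This is the exposure BlackRota looks for: plain HTTP, no credentials.
			findings = append(findings, h+": plaintext API with no authentication")
		case !cfg.TLSVerify:
			// "tls": true alone encrypts the connection but still accepts any client.
			findings = append(findings, h+": TLS enabled but client certificates not verified")
		case cfg.TLSCACert == "" || cfg.TLSCert == "" || cfg.TLSKey == "":
			findings = append(findings, h+": tlsverify set but CA, certificate or key path missing")
		}
	}
	return findings, nil
}

// weakDaemonJSON is a constructed config reproducing the exposed-API setup.
const weakDaemonJSON = `{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}`

// hardenedDaemonJSON is the constructed corrected form: the TCP listener moves
// to 2376 and only clients presenting a certificate signed by ca.pem are
// accepted. The file paths are placeholders.
const hardenedDaemonJSON = `{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}`

func main() {
	for _, c := range []struct{ name, doc string }{
		{"weak", weakDaemonJSON},
		{"hardened", hardenedDaemonJSON},
	} {
		findings, err := auditDaemonJSON([]byte(c.doc))
		if err != nil {
			fmt.Println(c.name+":", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The file is not the only place a TCP listener can come from: dockerd also accepts -H tcp://... on its command line, typically in the systemd unit, and refuses to start if both the unit and daemon.json set hosts. An audit that only reads daemon.json should therefore also look at the running dockerd command line.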

After infiltrating a target, BlackRota sets up what the researchers call a 'geacon': a beacon through which the malware communicates with its Command-and-Control (C2) server, receiving commands and exfiltrating gathered data. The beacon implements, in Go, the same C2 protocol as the Beacon payload of CobaltStrike, a commercial adversary-simulation framework whose C2 component is widely abused by threat actors, including in ransomware operations. The capabilities the beacon exposes to the operator include executing shell commands, browsing the file system, uploading and downloading files from the compromised system, changing the working directory and setting a sleep delay between check-ins.

To deter reverse engineering, BlackRota employs several obfuscation techniques. First, it is built with gobfuscate, an open-source obfuscator for Go source code, which replaces identifiers throughout the program (global variable and package names, method names, type names and function names) with random character strings. gobfuscate also rewrites every string literal so that only an XOR-masked copy is stored in the binary; each BlackRota string is decoded with its mask at run time, at the point where it is used, so a static string search over the file turns up no cleartext.
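To make the string pass concrete, the Go program below is an added example written for this page; it is neither BlackRota's code nor gobfuscate's. It performs the same transformation: a random mask as long as the string is generated, the string is XORed with it, and what ends up in the binary is a closure that rebuilds the cleartext from the two byte arrays when called. The sample literal is constructed, and the exact source text gobfuscate emits differs from what emitLiteral produces; the mechanism is the same. decodeString is also the routine an analyst runs on a (mask, masked) pair lifted from the decompiler.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// encodeString produces the two byte arrays that a gobfuscate-style string
// pass leaves in the binary: a random mask as long as the string and the
// string XORed with that mask. The cleartext itself is never stored.
func encodeString(s string) (mask, masked []byte, err error) {
	mask = make([]byte, len(s))
	if _, err = rand.Read(mask); err != nil {
		return nil, nil, err
	}
	masked = make([]byte, len(s))
	for i := 0; i < len(s); i++ {
		masked[i] = s[i] ^ mask[i]
	}
	return mask, masked, nil
}

// decodeString is the run-time side, and also what an analyst runs on a
// (mask, masked) pair pulled from the decompiler to recover the cleartext.
// The modulo keeps it correct for a mask shorter than the string as well.
func decodeString(mask, masked []byte) string {
	out := make([]byte, len(masked))
	for i := range masked {
		out[i] = masked[i] ^ mask[i%len(mask)]
	}
	return string(out)
}

// emitLiteral renders the replacement for a string literal as Go source: an
// immediately invoked closure that rebuilds the string from mask and masked.
// The shape mirrors what a source-level obfuscator emits; gobfuscate's own
// generated text differs in detail.
func emitLiteral(mask, masked []byte) string {
	var b strings.Builder
	b.WriteString("(func() string {\n")
	fmt.Fprintf(&b, "\tmask := []byte{%s}\n", byteList(mask))
	fmt.Fprintf(&b, "\tmasked := []byte{%s}\n", byteList(masked))
	b.WriteString("\tout := make([]byte, len(masked))\n")
	b.WriteString("\tfor i := range masked {\n\t\tout[i] = masked[i] ^ mask[i]\n\t}\n")
	b.WriteString("\treturn string(out)\n}())")
	return b.String()
}

// byteList formats bytes as a Go composite-literal body, e.g. "0x2f, 0x62".
func byteList(b []byte) string {
	parts := make([]string, len(b))
	for i, v := range b {
		parts[i] = fmt.Sprintf("0x%02x", v)
	}
	return strings.Join(parts, ", ")
}

func main() {
	secret := "/bin/sh -c" // constructed sample literal
	mask, masked, err := encodeString(secret)
	if err != nil {
		panic(err)
	}
	fmt.Println("what the binary stores in place of the literal:")
	fmt.Println(emitLiteral(mask, masked))
	fmt.Printf("recovered at run time: %q\n", decodeString(mask, masked))
}
```

Because the mask is random and as long as the string, the masked bytes on their own are a one-time pad and carry no recoverable information; the mask, however, always sits beside them in the decoder the program has to carry, so recovery is a matter of locating each decoder call and running it (or a reimplementation such as decodeString) on its two inputs, not of attacking the XOR.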

Analyzing Go code presents challenges of its own because of how Go binaries are built. The Go toolchain links the runtime and every dependency statically into a single executable, so the resulting files are comparatively large. When researchers open such a file in a disassembler they are presented with potentially tens of thousands of functions, and if the symbols are missing, telling the handful that belong to the malware itself apart from the runtime and standard library can tremendously increase the time needed to complete an acceptable analysis.
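The missing-symbols problem is less severe for Go than for C, and the added Go example below (written for this page, not part of the researchers' tooling) shows why. The Go runtime needs the pclntab, which maps code addresses to function names and line numbers, for stack unwinding and garbage collection, so the table and its function names survive strip and -ldflags="-s -w", which only remove the ELF symbol table and DWARF. Reading it back lists every function by name and, bucketed by package, separates the runtime and standard library from the few packages that carry the sample's own logic. The program assumes a Linux ELF target and, with no argument, inspects its own executable; against BlackRota the recovered names would be gobfuscate's random ones, but they still cluster into a small number of non-standard packages, which is where the analysis should start.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"strings"
)

// pclntabData locates the Go pclntab. Normal builds keep it in .gopclntab; PIE
// builds fold it into .data.rel.ro, where the runtime.pclntab/runtime.epclntab
// symbols still bracket it as long as .symtab has not been stripped.
func pclntabData(f *elf.File) ([]byte, error) {
	if sec := f.Section(".gopclntab"); sec != nil {
		return sec.Data()
	}
	syms, err := f.Symbols()
	if err != nil {
		return nil, fmt.Errorf("no .gopclntab and no symbol table: %w", err)
	}
	var start, end uint64
	for _, s := range syms {
		switch s.Name {
		case "runtime.pclntab":
			start = s.Value
		case "runtime.epclntab":
			end = s.Value
		}
	}
	for _, sec := range f.Sections {
		if start != 0 && sec.Addr <= start && start < end && end <= sec.Addr+sec.Size {
			data, err := sec.Data()
			if err != nil {
				return nil, err
			}
			return data[start-sec.Addr : end-sec.Addr], nil
		}
	}
	return nil, fmt.Errorf("pclntab not found: not a Go binary, or the table was removed")
}

// goFuncNames returns every function name recorded in the pclntab. The runtime
// needs the table for stack unwinding and GC, so it survives strip and
// -ldflags="-s -w", which only drop .symtab and DWARF.
func goFuncNames(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	pcl, err := pclntabData(f)
	if err != nil {
		return nil, err
	}
	var textAddr uint64
	if text := f.Section(".text"); text != nil {
		textAddr = text.Addr
	}
	// No .gosymtab is passed: modern binaries ship it empty anyway, and with no
	// symtab NewTable derives Funcs from the line table alone.
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(pcl, textAddr))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(tab.Funcs))
	for _, fn := range tab.Funcs {
		names = append(names, fn.Name)
	}
	return names, nil
}

// packageOf maps "encoding/json.(*decodeState).object" to "encoding/json".
func packageOf(name string) string {
	slash := strings.LastIndex(name, "/")
	dot := strings.Index(name[slash+1:], ".")
	if dot < 0 {
		return name
	}
	return name[:slash+1+dot]
}

// countByPackage buckets names so the runtime and standard library can be set
// aside and the few packages holding the sample's own logic stand out.
func countByPackage(names []string) map[string]int {
	counts := make(map[string]int)
	for _, n := range names {
		counts[packageOf(n)]++
	}
	return counts
}

func main() {
	path, _ := os.Executable() // inspect this very binary; pass a sample's path instead
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	names, err := goFuncNames(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for pkg, n := range countByPackage(names) {
		fmt.Printf("%6d  %s\n", n, pkg)
	}
}
```

The same recovery is what the Go-aware plugins for IDA and Ghidra do before renaming functions. The check that matters for a heavily obfuscated sample is the one in pclntabData's error path: an operator who knows about this table can damage it, at the cost of breaking panics and stack traces, and a Go binary whose pclntab cannot be found deserves a second look rather than being written off as non-Go.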
