GoBot2 is a backdoor Trojan written in Google's Go programming language. Go is fairly new, so not many cybercriminals use it when creating malware. GoBot2 is an open-source project, which means that anyone can obtain the code and create a new variant of this backdoor Trojan.

Attacks Targeting South Korea

Recently, a GoBot2 variant called GoBotKR was employed in an attack targeting South Korean users. The goal of GoBotKR was to infect and hijack as many machines as possible, which the attackers would then use as a botnet to launch DDoS (Distributed Denial-of-Service) attacks or even to mine various cryptocurrencies.


The GoBot2 Trojan is able to gather data about the compromised system, which helps the attackers decide how to act once they have gained access. It sends system information such as the username, OS version, installed software, hardware information, anti-malware tools, and network configuration straight to the attackers' server. Furthermore, the GoBot2 backdoor has a long list of capabilities, such as:

  • Launching websites.
  • Shutting down the PC.
  • Executing DDoS attacks.
  • Updating itself.
  • Terminating itself.
  • Launching a keylogger.
  • Downloading files.
  • Executing downloaded files.
  • Controlling running processes.

To gain persistence, the GoBot2 backdoor may tamper with the Windows Registry. Additionally, the GoBot2 Trojan may disguise its presence on the infected host by using executable and process names identical to those used by credible audio and video drivers or system processes.
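
As an added example (not part of the original article and not GoBot2 code), the Python below shows one way a defender can check for the name disguise described above: it flags a running process or an autorun command whose file name matches a trusted Windows binary but whose folder is not where that binary normally lives. The baseline table, the function names, and the sample records are assumptions made for illustration; the article does not say which names or registry keys GoBot2 uses, so the autorun records stand in for values exported from any startup location you monitor.

```python
from ntpath import basename, dirname, normcase, normpath

# Assumed baseline (not from the article): folders where a few well-known
# Windows binaries normally live. Build the real table from a clean image.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "audiodg.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

def image_path(command):
    """Return the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):              # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")       # unquoted path may contain spaces
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def is_masquerading(path):
    """True when a trusted file name is used outside its expected folder."""
    path = normcase(normpath(path))          # lower-case, backslashes only
    expected = EXPECTED_DIRS.get(basename(path))
    return expected is not None and dirname(path) not in expected

def find_suspects(processes, autoruns):
    """Check (pid, image path) and (value name, command) records."""
    hits = [("process", pid, path) for pid, path in processes
            if is_masquerading(path)]
    hits += [("autorun", name, image_path(cmd)) for name, cmd in autoruns
             if is_masquerading(image_path(cmd))]
    return hits

# Constructed sample records, not taken from a real infection.
PROCESSES = [
    (612, r"C:\Windows\System32\svchost.exe"),
    (4180, r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (2044, r"C:\Windows\explorer.exe"),
    (5120, r"C:\Program Files\Player\player.exe"),
]
AUTORUNS = [
    ("Audio Driver", r'"C:\Users\alice\AppData\Local\Temp\audiodg.exe" -s'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for hit in find_suspects(PROCESSES, AUTORUNS):
        print(hit)
```

A path match alone does not prove a file is legitimate, so pair this check with signature or hash verification of the binaries that pass it.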

Note that these are the basic capabilities of the GoBot2 backdoor Trojan. Because it is an open-source project, skilled cybercriminals who obtain GoBot2 could weaponize it further and make it even more dangerous. This is why it is crucial that you download and install a reputable anti-malware tool and make sure to update it regularly.


