GoRed Backdoor

Russian organizations have been attacked by a cybercrime group known as ExCobalt, which employs a newly discovered Golang-based backdoor called GoRed.

ExCobalt specializes in cyber espionage and comprises several members who have been active since at least 2016, likely originating from the infamous Cobalt Gang. The Cobalt Gang was notorious for targeting financial institutions to steal money, and one of their signature tools was CobInt. ExCobalt adopted the use of CobInt in 2022.

Numerous Damaging Tools Exploited in Attacks against Targets

Over the past year, the threat actor has targeted various sectors in Russia, including government, information technology, metallurgy, mining, software development and telecommunications.

The attackers gain initial access to environments by exploiting a previously compromised contractor and conducting a supply chain attack, where they infect a component used to build the target company's legitimate software, indicating a high level of sophistication.

Their modus operandi involves using several tools, such as Metasploit, Mimikatz, ProcDump, SMBExec, and the Spark RAT for executing commands on infected hosts, as well as Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586).
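A patch-status check for two of the privilege-escalation CVEs named above, added here as an example and not part of the original write-up. It assumes a POSIX shell with awk, and it compares against upstream version ranges only; distributions backport fixes without bumping versions, so a hit means "confirm against the vendor advisory", not "exploitable".

```shell
#!/bin/sh
# Added example, not code from the original write-up: offline patch-status
# checks for two of the Linux privilege-escalation CVEs listed above.
# Affected ranges are the upstream ones; distributions backport fixes without
# changing the version, so a hit here means "check the vendor advisory".
# The two kernel CVEs (CVE-2019-13272, CVE-2022-2586) are fixed by kernel
# updates whose backported version numbers vary per distribution, so they are
# not reduced to a version threshold here.

# Map a sudo version such as "1.9.5p1" onto one comparable integer
# (major, minor, patch, p-level) so ranges can be compared with test(1).
sudo_version_key() {
  printf '%s\n' "$1" | awk -F'[.p]' \
    '{ printf "%d\n", $1*1000000000 + $2*1000000 + $3*1000 + ($4 == "" ? 0 : $4) }'
}

# CVE-2021-3156 ("Baron Samedit") affects legacy sudo 1.8.2 to 1.8.31p2 and
# stable 1.9.0 to 1.9.5p1; 1.9.5p2 is the first fixed upstream release.
# Returns 0 when the given upstream version falls inside an affected range.
sudo_affected_cve_2021_3156() {
  k=$(sudo_version_key "$1")
  { [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; } ||
  { [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; }
}

# CVE-2021-4034 ("PwnKit") is only reachable through a setuid pkexec; dropping
# the setuid bit was the published interim mitigation. Returns 0 when it is set.
pkexec_is_setuid() {
  [ -u "$1" ]
}

# Report the local host's status (informational; nothing is changed).
report_local_host() {
  if command -v sudo >/dev/null 2>&1; then
    v=$(sudo --version 2>/dev/null | awk 'NR == 1 { print $3 }')
    if sudo_affected_cve_2021_3156 "$v"; then
      echo "sudo $v: inside the upstream range affected by CVE-2021-3156"
    else
      echo "sudo $v: outside the affected range"
    fi
  fi
  if pkexec_is_setuid /usr/bin/pkexec; then
    echo "/usr/bin/pkexec is setuid: CVE-2021-4034 is reachable if polkit is unpatched"
  else
    echo "/usr/bin/pkexec absent or not setuid"
  fi
}

report_local_host
```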

The GoRed Backdoor Provides Numerous Intrusive Actions to the Threat Actors

GoRed, which has evolved through numerous iterations since its inception, is a versatile backdoor that enables operators to execute commands, obtain credentials, and gather details about active processes, network interfaces and file systems. It utilizes the Remote Procedure Call (RPC) protocol to communicate with its Command-and-Control (C2) server.

Additionally, GoRed supports various background commands to monitor files of interest and passwords, as well as enabling a reverse shell. The gathered data is then exported to attacker-controlled infrastructure.

ExCobalt continues to show a high level of activity and determination in targeting Russian companies, continually adding new tools to its arsenal and refining its techniques. Moreover, ExCobalt demonstrates flexibility and adaptability by incorporating modified standard utilities into its toolset, allowing the group to easily bypass security controls and adjust to changes in protection methods.

Backdoor Malware Infections could Lead to Severe Consequences

A backdoor malware infection can have severe consequences for its victims, leading to:

  • Unauthorized Access: Backdoors allow attackers to obtain unauthorized access to the infected system or network. This can result in the theft of sensitive information, which may include personal data, financial records, intellectual property or classified government information.
  • Data Theft and Espionage: Attackers can exfiltrate data from the compromised system, leading to potential data breaches. This harvested information can be sold on the Dark Web, used for identity theft or exploited for competitive advantage by rival organizations.
  • Persistent Surveillance: Backdoors often enable persistent surveillance by allowing attackers to monitor user activity, capture keystrokes, log passwords and observe network traffic. This surveillance can compromise the confidentiality and privacy of individuals and organizations.
  • System Manipulation: Attackers may manipulate the compromised system for harmful purposes, such as launching further attacks (e.g., distributing spam or launching DDoS attacks), altering or deleting data or disrupting critical services.
  • Damage to Reputation and Trust: A breach caused by backdoor malware can damage an organization's reputation and erode customer trust. Organizations may face legal and regulatory repercussions, especially if they do not protect sensitive data adequately.
  • Financial Losses: Remediation efforts, including forensic investigations, system repairs, and potential legal fees, can lead to significant financial losses for affected organizations. Moreover, downtime and productivity losses can impact revenue and operational efficiency.
  • Operational Disruption: Backdoor malware can cause significant operational disruptions, ranging from service outages to compromised network integrity. This can affect daily operations and potentially lead to loss of business opportunities.
  • Long-Term Compromises: If undetected or not properly remediated, backdoors can persistently compromise systems, allowing attackers ongoing access and control. This long-term compromise can extend the impact and deepen the severity of the consequences over time.

In summary, an infection with backdoor malware poses serious risks to victims, encompassing financial, operational, reputational, and legal repercussions. Preventative measures such as robust cybersecurity practices, regular audits, and employee training are crucial to mitigate these risks and protect against such threats.
