Russian organizations have been focused by a cybercrime gang known as ExCobalt utilizing a beforehand unknown Golang-based backdoor referred to as GoRed.
“ExCobalt focuses on cyber espionage and contains a number of members energetic since at the very least 2016 and presumably as soon as a part of the infamous Cobalt Gang,” Constructive Applied sciences researchers Vladislav Lunin and Alexander Badayev stated in a technical report revealed this week.
“Cobalt attacked monetary establishments to steal funds. Certainly one of Cobalt’s hallmarks was using the CobInt software, one thing ExCobalt started to make use of in 2022.”
Assaults mounted by the menace actor have singled out varied sectors in Russia over the previous yr, together with authorities, data know-how, metallurgy, mining, software program growth, and telecommunications.
Preliminary entry to environments is facilitated by taking benefit of a beforehand compromised contractor and a provide chain assault, whereby the adversary contaminated a element used to construct the goal firm’s reputable software program, suggesting a excessive diploma of sophistication.
The modus operandi entails using varied instruments like Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT for executing instructions on the contaminated hosts, and Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586).
GoRed, which has undergone quite a few iterations since its inception, is a complete backdoor that permits the operators to execute instructions, receive credentials, and harvest particulars of energetic processes, community interfaces, and file methods. It makes use of the Distant Process Name (RPC) protocol to speak with its command-and-control (C2) server.
What’s extra, it helps various background instructions to observe for recordsdata of curiosity and passwords in addition to allow reverse shell. The collected information is then exported to the attacker-controlled infrastructure.
“ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques,” the researchers stated.
“In addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities, which help the group to easily bypass security controls and adapt to changes in protection methods.”