Linux routers in Japan are the target of a new remote access trojan, written in Go, called GobRAT.

What does GobRAT do?

"Initially, the attacker targets a router whose WEBUI is open to the public, runs scripts possibly using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report released today.

The compromise of a router exposed on the Internet is followed by the deployment of a loader script that acts as the conduit for delivering the GobRAT malware, which, once launched, masquerades as an Apache process (apached) to evade detection.

The loader is also equipped to disable firewalls, establish persistence through the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access.
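The three persistence traces named above (a process posing as "apached", a cron entry that relaunches it, and an unexpected key in authorized_keys) are all visible from the router's own shell. The following triage helper is an added example, not code from JPCERT/CC or the article; it parses constructed sample ps output, a constructed crontab and a constructed authorized_keys file, and flags lines matching those indicators. The allow-list of known key blobs and the "/tmp/" execution path are assumptions for the sample, not details from the report.

```python
"""Triage helper for the GobRAT persistence traces described in the article:
a process named 'apached', cron entries that launch it, and SSH public keys
not on an operator allow-list. All sample data below is constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # which artefact the hit came from: ps, crontab, authorized_keys
    detail: str


# Constructed sample of `ps -eo pid,comm,args` on a small Linux router.
SAMPLE_PS = """\
  PID COMMAND         ARGS
    1 init            /sbin/init
  812 httpd           /usr/sbin/httpd -f /etc/httpd.conf
 1044 apached         /tmp/apached
"""

# Constructed sample root crontab; the /tmp path is an assumption for the example.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /tmp/apached
"""

# Constructed authorized_keys: one known admin key, one key nobody recognises.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY000000000000000000000 admin@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTEDUNKNOWNKEY unknown
"""

# Assumed operator allow-list of key blobs (constructed).
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY000000000000000000000"}

# Process name the article says GobRAT uses; the real web server here is 'httpd'.
SUSPICIOUS_PROC_NAMES = {"apached"}
# General heuristic (not from the report): binaries executing from a world-writable dir.
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def scan_processes(ps_output: str) -> list[Finding]:
    """Flag processes by name or by executing out of a world-writable directory."""
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        if comm in SUSPICIOUS_PROC_NAMES or args.startswith(WORLD_WRITABLE_PREFIXES):
            findings.append(Finding("ps", f"pid {pid} name {comm} args {args}"))
    return findings


def scan_crontab(crontab: str) -> list[Finding]:
    """Flag cron commands that reference the suspicious name or a world-writable dir."""
    findings = []
    for lineno, line in enumerate(crontab.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # '@reboot cmd' style has one schedule token; classic entries have five.
        tokens = line.split(None, 1 if line.startswith("@") else 5)
        command = tokens[-1] if len(tokens) > 1 else ""
        if any(name in command for name in SUSPICIOUS_PROC_NAMES) or \
                any(prefix in command for prefix in WORLD_WRITABLE_PREFIXES):
            findings.append(Finding("crontab", f"line {lineno}: {command}"))
    return findings


def scan_authorized_keys(text: str, known_blobs: set[str]) -> list[Finding]:
    """Flag every key whose blob is not on the operator allow-list."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Entries may start with options; the key-type token marks the key itself.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append(Finding("authorized_keys", f"line {lineno}: unparsable entry"))
            continue
        blob = tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:]) or "<no comment>"
        if blob not in known_blobs:
            findings.append(Finding("authorized_keys",
                                    f"line {lineno}: unknown {tokens[idx]} key, comment {comment!r}"))
    return findings


def triage(ps_output=SAMPLE_PS, crontab=SAMPLE_CRONTAB,
           authorized_keys=SAMPLE_AUTHORIZED_KEYS, known_blobs=KNOWN_KEY_BLOBS) -> list[Finding]:
    """Run all three checks and return the combined findings."""
    return (scan_processes(ps_output) + scan_crontab(crontab)
            + scan_authorized_keys(authorized_keys, known_blobs))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.detail}")
```

On a real router the three inputs would come from `ps -eo pid,comm,args`, `crontab -l` (plus /etc/cron.d and /etc/crontabs where the firmware uses them) and each user's authorized_keys; the allow-list is the one thing that has to be maintained by the operator, since an unknown key is only meaningful against a record of the keys that are supposed to be there.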

GobRAT, for its part, communicates with a remote server over the Transport Layer Security (TLS) protocol to receive up to 22 different encrypted commands for execution.

Some of the main commands are as follows:

- Get machine information
- Run a reverse shell
- Read/write files
- Configure a new command-and-control (C2) protocol
- Start SOCKS5 proxies
- Execute files in /zone/frpc
- Attempt to log in to sshd, Telnet, Redis, MySQL and PostgreSQL services running on other machines

These findings come nearly three months after Lumen Black Lotus Labs revealed that compromised enterprise-grade routers had been used to spy on victims in Latin America, Europe and North America with a malware called Hiatus RAT.