Linux
routers
in
Japan
are
the
target
of
a
new
Golang
remote
access
trojan
(RAT)
called
GobRAT.
“Initially,
the
attacker
targets
a
router
whose
WEBUI
is
open
to
the
public,
executes
scripts
possibly
by
using
vulnerabilities,
and
finally
infects
the
GobRAT,”
the
JPCERT
Coordination
Center
(JPCERT/CC)
said
in
a
report
published
today.
The
compromise
of
an
internet-exposed
router
is
followed
by
the
deployment
of
a
loader
script
that
acts
as
a
conduit
for
delivering
GobRAT,
which,
when
launched,
masquerades
as
the
Apache
daemon
process
(apached)
to
evade
detection.
The
loader
is
also
equipped
to
disable
firewalls,
establish
persistence
using
the
cron
job
scheduler,
and
register
an
SSH
public
key
in
the
.ssh/authorized_keys
file
for
remote
access.
GobRAT,
for
its
part,
communicates
with
a
remote
server
via
the
Transport
Layer
Security
(TLS)
protocol
to
receive
as
many
as
22
different
encrypted
commands
for
execution.
Some
of
the
major
commands
are
as
follows
–
-
Obtain
machine
information -
Execute
reverse
shell -
Read/write
files -
Configure
new
command-and-control
(C2)
and
protocol -
Start
SOCKS5
proxy -
Execute
file
in
/zone/frpc,
and -
Attempt
to
login
to
sshd,
Telnet,
Redis,
MySQL,
PostgreSQL
services
running
on
another
machine
The
findings
come
nearly
three
months
after
Lumen
Black
Lotus
Labs
revealed
that
business-grade
routers
have
been
victimized
to
spy
on
victims
in
Latin
America,
Europe,
and
North
America
using
a
malware
called
HiatusRAT.