Russian Sectors Targeted by ExCobalt Cyber Syndicate Using Fresh GoRed Backdoor
Various Russian sectors have fallen victim to the cybercriminal organization known as ExCobalt, employing a new GoRed backdoor based on the Golang programming language.
According to Positive Technologies researchers Vladislav Lunin and Alexander Badayev, “ExCobalt, focusing on cyber espionage, comprises several members who have been active since at least 2016 and were likely associated with the infamous Cobalt Gang.” The researchers made this statement in a technical report that was released this week.
“Cobalt, known for targeting financial institutions to steal funds, was notable for its utilization of the CobInt tool, a tool that ExCobalt began using in 2022.”
The attacks carried out by this threat actor have been directed at various sectors in Russia over the course of the last year, including government, IT, metallurgy, mining, software development, and telecommunications.
To gain initial access to networks, the threat actors abuse a previously compromised contractor and conduct a supply-chain attack by infecting a component used to build legitimate software for the target company, indicating a high level of sophistication.
The operational method involves tools such as Metasploit, Mimikatz, ProcDump, SMBExec and Spark RAT to issue commands on compromised hosts, together with Linux privilege-escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586).
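Two of the privilege-escalation CVEs listed above can be screened for with a plain version check against the upstream fixed releases: CVE-2021-3156 (sudo, fixed in 1.8.32 for the legacy branch and 1.9.5p2 for the current branch) and CVE-2019-13272 (Linux kernel, fixed in 5.1.17). The script below is an added example, not code from the article or from Positive Technologies; the host names and version strings are constructed, the fixed versions are taken from the public advisories, and CVE-2021-4034 and CVE-2022-2586 are deliberately left out because distributions patched them without bumping the upstream version, so they need the vendor advisory rather than a version compare. The same caveat applies to the kernel check: a distribution kernel older than 5.1.17 may already carry a backported fix, so a hit means "confirm against the vendor advisory", not "confirmed exploitable".

```python
"""Inventory screen for CVE-2021-3156 (sudo) and CVE-2019-13272 (kernel ptrace).

Added example; fixed versions come from the upstream advisories, not the article.
"""
import re
from typing import Dict, List, Tuple

# CVE-2021-3156 ("Baron Samedit"): affected sudo versions are
#   1.8.2 .. 1.8.31p2  (legacy branch, fixed in 1.8.32) and
#   1.9.0 .. 1.9.5p1   (fixed in 1.9.5p2).
# Versions are compared as (major, minor, patch, p-level) tuples.
SUDO_VULN_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

# CVE-2019-13272 (ptrace_link credential mishandling): fixed upstream in 5.1.17.
KERNEL_FIXED = (5, 1, 17)

# Constructed inventory: host -> (output of `sudo --version` first line, `uname -r`).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "build-runner-01": ("Sudo version 1.8.31p2", "4.15.0-112-generic"),
    "bastion-02": ("Sudo version 1.9.5p2", "5.15.0-91-generic"),
    "legacy-db-03": ("Sudo version 1.8.32", "5.1.17"),
}


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Extract '1.8.31p2' from a `sudo --version` line into (1, 8, 31, 2).

    A version without a 'pN' suffix gets p-level 0, so 1.9.5 sorts before 1.9.5p1.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def parse_kernel_version(uname_r: str) -> Tuple[int, int, int]:
    """Take the leading x.y.z of a `uname -r` string, ignoring '-112-generic' suffixes."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def sudo_vulnerable(version_text: str) -> bool:
    """True if the sudo version falls inside either CVE-2021-3156 affected range."""
    v = parse_sudo_version(version_text)
    return any(lo <= v <= hi for lo, hi in SUDO_VULN_RANGES)


def kernel_vulnerable(uname_r: str) -> bool:
    """True if the upstream kernel version predates the CVE-2019-13272 fix.

    Distribution kernels may carry a backport, so treat a hit as "check the advisory".
    """
    return parse_kernel_version(uname_r) < KERNEL_FIXED


def assess(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the list of CVE ids its reported versions still expose."""
    findings: Dict[str, List[str]] = {}
    for host, (sudo_line, uname_r) in inventory.items():
        hits: List[str] = []
        if sudo_vulnerable(sudo_line):
            hits.append("CVE-2021-3156")
        if kernel_vulnerable(uname_r):
            hits.append("CVE-2019-13272")
        findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in assess(INVENTORY).items():
        status = ", ".join(hits) if hits else "no version-based findings"
        print(f"{host}: {status}")
```

Feed it the real `sudo --version` and `uname -r` output collected by your inventory tooling; hosts that come back with a finding are the ones where the two kernel and sudo exploits the group is reported to use would still work if an attacker already held a local shell.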
GoRed, evolving through several versions since its inception, is an extensive backdoor that enables operators to execute commands, steal credentials, and gather information on active processes, network interfaces, and file systems. It leverages the Remote Procedure Call (RPC) protocol to communicate with its command-and-control (C2) server.

Furthermore, this backdoor supports background commands that monitor for interesting files and passwords and can activate a reverse shell, with all collected data being sent to the attacker's infrastructure.
Researchers stated, “ExCobalt remains highly active and determined in its assaults on Russian corporations, continuously augmenting its arsenal with new tools and enhancing its methodologies.”
“Moreover, ExCobalt showcases flexibility and adaptability by supplementing its toolset with customized standard utilities, aiding the group in easily circumventing security measures and adjusting to evolving protection mechanisms.”