June 28, 2024
ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor
Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed. "ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report

Jun 22, 2024NewsroomCyber Espionage / Threat Intelligence

Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed.

“ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang,” Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report published this week.

“Cobalt attacked financial institutions to steal funds. One of Cobalt’s hallmarks was the use of the CobInt tool, something ExCobalt began to use in 2022.”

Attacks mounted by the threat actor have singled out various sectors in Russia over the past year, including government, information technology, metallurgy, mining, software development, and telecommunications.

Initial access to environments is facilitated by taking advantage of a previously compromised contractor and a supply chain attack, wherein the adversary infected a component used to build the target company’s legitimate software, suggesting a high degree of sophistication.

The modus operandi entails the use of various tools like Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT for executing commands on the infected hosts, and Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586).

GoRed, which has undergone numerous iterations since its inception, is a comprehensive backdoor that allows the operators to execute commands, obtain credentials, and harvest details of active processes, network interfaces, and file systems. It utilizes the Remote Procedure Call (RPC) protocol to communicate with its command-and-control (C2) server.

What’s more, it supports a number of background commands to watch for files of interest and passwords as well as enable reverse shell. The collected data is then exported to the attacker-controlled infrastructure.

“ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques,” the researchers said.

“In addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities, which help the group to easily bypass security controls and adapt to changes in protection methods.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.