Japanese cybersecurity experts have identified a new Trojan remote access malware called Gobrat, written in the GO language. The JPCert computer reaction center reported the attacks in a recent publication. In these attacks, routers with an open web shell for public access were targeted. The attackers used vulnerabilities to infect the routers with Gobrat. After compromising the router, the attackers launched the script-loader, which delivered Gobrat. The script-loader launches Gobrat under the guise of the Apache process, avoiding detection.
The loading script can also disconnect the firewalls, register a public SSH key and set its constancy using the Cron Planner for remote access. Gobrat communicates with a remote server on the TLS protocol. Researchers evaluated the malware examining it for 22 different commands including reading and recording files, launching targeted DDOS attacks, and entering SSHD, Telnet, Redis, MySQL, and PostgreSQL services.
Gobrat is one of the rare Trojans of remote access written in the GO language and using the GOB serialization protocol. Gobrat also uses UPX version 4 for packing and is compatible with different architectures such as ARM, MIPS, X86, and X86-64.
Jpcert has uploaded a tool to Github to emulate the Gobrat C2 server, which can help other security researchers analyze the malware. The development of such threats underscores the importance of timely detection of harmful programs that target Internet infrastructure. In March, another similar cyber-attack known as Hiatusrat was discovered targeting Draytek business routers for espionage purposes in Europe and North and Latin America.