ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor
Russian organizations have come under attack from a cybercrime gang named ExCobalt. This group is using a new type of backdoor software called GoRed, written in Golang. Researchers Vladislav Lunin and Alexander Badayev from Positive Technologies have revealed that ExCobalt's focus is on cyber espionage. The group has been active since at least 2016 and is believed to have connections with the infamous Cobalt Gang, which attacked banks to steal money. In 2022, ExCobalt began using Cobalt's signature tool, CobInt.
Targeted Sectors and Sophisticated Techniques
Over the past year, ExCobalt has attacked different sectors in Russia. These sectors include:
- Government
- Information Technology
- Metallurgy
- Mining
- Software Development
- Telecommunications
They gain initial access by compromising contractors and carrying out supply chain attacks, infecting the components that target companies use to build their legitimate software. This reliance on trusted third parties points to a high level of sophistication in their methods.
Tools and Methods
ExCobalt uses various tools to carry out their attacks, such as:
- Metasploit
- Mimikatz
- ProcDump
- SMBExec
- Spark RAT
- Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586)
GoRed is a comprehensive backdoor, enabling attackers to:
- Execute commands
- Obtain credentials
- Harvest details of active processes, network interfaces, and file systems
It communicates with its command-and-control (C2) server using the Remote Procedure Call (RPC) protocol.
Advanced Capabilities
GoRed also supports several background commands, allowing attackers to:
- Watch for files of interest and passwords
- Enable reverse shell access
The collected data is then exfiltrated to attacker-controlled infrastructure, reflecting ExCobalt's persistence and high level of activity.
Adaptability and Continuous Improvement
ExCobalt is continuously adding new tools and refining its techniques, showing flexibility and versatility. The group supplements its toolset with modified versions of standard utilities, which help it bypass security controls and adapt quickly to changes in defensive measures.
By leveraging these methods and tools, ExCobalt remains a significant threat to Russian companies, consistently evolving to stay ahead of cybersecurity measures.