ExCobalt Cyber Gang Unleashes GoRed Backdoor on Russia

Lilu Anderson

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Russian organizations have come under attack from a cybercrime gang named ExCobalt. This group is using a new type of backdoor software called GoRed, written in Golang. Researchers Vladislav Lunin and Alexander Badayev from Positive Technologies have revealed that ExCobalt's focus is on cyber espionage. The group has been active since at least 2016 and is believed to have connections with the infamous Cobalt Gang, which attacked banks to steal money. In 2022, ExCobalt began using Cobalt's signature tool, CobInt.

Targeted Sectors and Sophisticated Techniques

Over the past year, ExCobalt has attacked different sectors in Russia. These sectors include:

  • Government
  • Information Technology
  • Metallurgy
  • Mining
  • Software Development
  • Telecommunications

They gain initial access by compromising contractors and carrying out supply chain attacks, infecting components that target companies use to build their own legitimate software. This indicates a high level of sophistication in their methods.

Tools and Methods

ExCobalt uses various tools to carry out their attacks, such as:

  • Metasploit
  • Mimikatz
  • ProcDump
  • SMBExec
  • Spark RAT
  • Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586)

GoRed is a comprehensive backdoor, enabling attackers to:

  • Execute commands
  • Obtain credentials
  • Harvest details of active processes, network interfaces, and file systems

It communicates with its command-and-control (C2) server using the Remote Procedure Call (RPC) protocol.

Advanced Capabilities

GoRed also supports several background commands, allowing attackers to:

  • Watch for files of interest and passwords
  • Enable reverse shell access

The collected data is then sent to attacker-controlled infrastructure, reflecting ExCobalt's persistence and high level of activity.

Adaptability and Continuous Improvement

ExCobalt is continuously adding new tools and refining its techniques, showing flexibility and versatility. The group supplements its toolset with modified versions of standard utilities, which helps it bypass security controls and adapt quickly to changes in defensive measures.

By leveraging these methods and tools, ExCobalt remains a significant threat to Russian companies, consistently evolving to stay ahead of cybersecurity measures.

Lilu Anderson is a technology writer and analyst with over 12 years of experience in the tech industry. A graduate of Stanford University with a degree in Computer Science, Lilu specializes in emerging technologies, software development, and cybersecurity. Her work has been published in renowned tech publications such as Wired, TechCrunch, and Ars Technica. Lilu’s articles are known for their detailed research, clear articulation, and insightful analysis, making them valuable to readers seeking reliable and up-to-date information on technology trends. She actively stays abreast of the latest advancements and regularly participates in industry conferences and tech meetups. With a strong reputation for expertise, authoritativeness, and trustworthiness, Lilu Anderson continues to deliver high-quality content that helps readers understand and navigate the fast-paced world of technology.