Introduction
While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.
ExCobalt focuses on cyberespionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt gang. Cobalt attacked financial institutions to steal funds. One of Cobalt's hallmarks was the use of the CobInt tool, something ExCobalt began to use in 2022.
Over the past year, the PT ESC has recorded attacks linked to ExCobalt and investigated related incidents at Russian organizations in the following sectors:
- Metallurgy
- Telecommunications
- Mining
- Information technology
- Government
- Software development
This article discusses ExCobalt's new tool, GoRed, how it evolved, and some of the tactics, techniques, and procedures that the group has used in its attacks.
The investigation begins
While investigating an incident recorded in March 2024 on one of our client's Linux hosts, we discovered a file named scrond, compressed with UPX (Ultimate Packer for eXecutables).
The data in an unpacked sample, written in Go, included package paths containing the substring "red.team/go-red/". This fact suggests that this sample is a proprietary tool called GoRed.
After investigating the site, we were unable to find any significant links to malicious activity. Therefore, we can assume that the red.team domain found in the GoRed strings is a local repository with penetration testing tools.bsp;longer actively used by its creators. All the information dates back to 2019, and the design is typical of many similar sites.
As for the GoRed backdoor, the following key features can be identified:
- Operators can connect to the backdoor and execute commands, similar to other C2 frameworks like Cobalt Strike or Sliver.
- GoRed uses the RPC protocol to communicate with its C2 server.
- Operators use DNS/ICMP tunneling, WSS, and QUIC to communicate with GoRed.
- GoRed can obtain credentials from compromised systems.
- It collects various types of information from compromised systems: details of active processes, host names, lists of network interfaces, file system structures, and so on.
- Operators use a variety of commands to conduct reconnaissance on the victim's network.
- GoRed serializes, encrypts, archives, and sends data it collects to a special server dedicated to storing compromised data.
For a complete technical description of GoRed, see the further section "GoRed analysis".
First version of GoRed and other malicious tools we found
As we analyzed GoRed, we found that we had already come across several versions of the backdoor while responding to incidents at several of our clients earlier. For example, in July 2023, as we were investigating an incident at a certain company, we discovered several different tools inside the attackers' directories due to an error they had made, one of tools being the original version of GoRed.
Similarly, in an October 2023 incident, we found further tools inside public directories on the attackers' network. A short name and description of each tool we found during the investigations are presented in the table below.
| 2586 | CVE-2022-2586: a Linux kernel vulnerability associated with pointer abuse in the io_uring function. This was used by the threat actor to escalate privileges and execute arbitrary code in the vulnerable system | |
| 3156.zip | CVE-2021-3156: a sudo vulnerability known as Baron Samedit. This allows a local user to execute arbitrary code with root privileges, bypassing standard security controls | |
| 4034 | Pwnkit is a local privilege escalation exploit for CVE-2021-4034. This is a vulnerability in the pkexec utility. It allows local users to escalate their privileges to root, which can lead to complete compromise of the system | |
| traceme | Local privilege escalation exploit for CVE-2019-13272. This is a vulnerability in the Linux kernel, in the ptrace component. It allows users with CAP_SYS_PTRACE privileges to escalate their privileges to root to execute arbitrary code in the system | |
| bitrix.zip | This is an archive with vote_agent.php and html_editor_action.php files, containing RCE exploits for Bitrix. It was distributed via Telegram channels in June 2022, and also mentioned in connection with the May 2023 mass defacement of Russian websites (https://habr.com/ru/companies/ruvds/articles/739898/) | |
| col | First version of the GoRed backdoor: 0.0.1 | |
| fs | fscan (https://github.com/shadow1ng/fscan/) | |
| get_wp-commentin.txt | Obfuscated PHP file | |
| run | FreeBSD file. Runs the specified executable file as root, same as the command sudo exec < specified file> | |
| set | FreeBSD file. Sets root as file owner and grants rwx (read, write, execute) permissions to it, same as the commands chown < file> 0; chmof < file> 777 | |
| install | Installs a malicious module for Apache 2.4 | |
| install[drop] | Contains a dropper with a UPX-compressed binary file that is written to /usr/local/games/w. The file’s privileges are then changed: chown root:root; chmod 4755 | |
| install[drop][upx] /usr/local/games/w | Tries to run the following command as root: (setuid(0); setgid(0); /bin/sh -c...)) |
|
| k | Contains the following set of basic network utilities and replaces the process name with [kthr]: | |
| curl | Stripped down version of curl | |
| socksd | Proxy (socks4/5 with user+pass support) | |
| shell | Bind shell | |
| host | Resolves a host’s name via the 8.8.8.8 DNS server | |
| hash | MD5/SHA-1/SHA-256 | |
| gz | Inflate/deflate functionality | |
| netcat | - | |
| kit | Shell script to install kitsune. The MEGATSUNE variable was used instead of KITSUNE. amd64.rpm-bin.link and pkg.dpkg-source.info were used as the C2s | |
| lock.zip | Part of the locker wiper ransomware repository with a read.me file in Russian inside | |
| locker | Locker from lock.zip without the configuration files | |
| m | Mettle (https://github.com/rapid7/mettle) | |
| rev | Bind shell, shares code with shell from k, renames process to [kr] | |
| sf | Binary for BSD | |
| spark | Spark RAT | |
| w.txt | PHP web shell: WSO (https://github.com/ndbrain/WSO) |
|
| wef | Variant of reverse SSH client (https://github.com/NHAS/reverse_ssh) | |
| y.txt | PHP shell: p0wny-shell | |
| knife/k | We found this file several months after the above-mentioned k, also in a public directory but in a different domain. It was also named k, and the functionality is similar, which suggests that this is simply the next version. This is a tool to control a compromised Linux server. It has extensive functionality; commands to execute are specified in the command line: | |
| sync | No handler. Causes segfault if run | |
| curl < url> | Loads content from specified URL | |
| socksd | Starts a SOCKS server | |
| netcat | No handler. Causes segfault if run | |
| host < host> | Tries to resolve the host’s name via the 8.8.8.8:53 DNS server | |
| hash < filename> | Calculates the file’s hash (MD5, SHA-1, SHA-256 are available) | |
| gz < filename> | Compresses the file | |
| shell < options> < IP address:port> | Remote shell. The command can be run with the following possible options: -l (listen to the specified address) or -c (connect to the specified address) | |
In addition to the tools obtained from the threat actors' server directories, ExCobalt used the following tools:
- Mimikatz
- ProcDump
- SMBExec
- Metasploit
- rsocx
Modified versions of standard utilities
Besides the above tools found in public directories, we came across modified versions of standard Linux utilities in several incidents, something we first saw in November 2023.
The modification of utilities serves two purposes:
1. Modified ps and htop hide an active core process of the gsocket module and related processes in terminal output.
Let's take ps as an example.
The simple_readproc function was modified.
The original code looks as follows:
The following code was added:
The is_target_proc function checks for every process whether its name is equal to any of the hardcoded names of malicious processes:
If the check returns true, the process will be hidden in the terminal output. Here's the list of the names of malicious processes hidden this way:
2. Modified ss and netstat hide the active network connection of the core module of gsocket in terminal output.
Let's take netstat as an example.
The first code modification was made in the main function.
The original code looks as follows:
First, code was added to copy all C2s from the data section to a global structure:
Second modification was in the tcp_do_one function, starting here:
Checks for the name of the malicious process and malicious connection were added to the code. If the check returns true, the process with one of the hardcoded names or network connections will be hidden:
Relation to ExCobalt
In November 2023, we discussed ExCobalt's attacks on Russian companies.
In that report, we mentioned the domain lib.rpm-bin.link, where upon directory enumeration we found many of the tools described above—including col, the first version of GoRed.
Also, in a March 2024 incident, we observed infected hosts that contacted the threat actor's servers: get.rpm-bin.link and leo.rpm-bin.link. Additionally, GoRed used a static_TransportConfig structure with the following C2s:
- leo.rpm-bin.link
- sula.rpm-bin.link
- lib.rest
- rosm.pro
In May 2023, Bi.Zone researchers released an analysis of attacks by Sneaking Leprechaun, whose tools showed some overlap with the above-mentioned files found inside the public directories.
Furthermore, our colleagues at Rostelecom-Solar in May 2024 released a report on the Shedding Zmiy activity cluster, which also correlated with ExCobalt. Case 7 in this report described the same attack and a GoRed stealer sample with a C2 at pkg.collect.net.in. This sample was designated as Bulldog Backdoor in the report.
GoRed analysis
Before we proceed to analyzing the current version of GoRed, we will provide a retrospective analysis of its evolution.
Versions we found
All the versions we found are shown in the table below.
| Version | Description |
|---|---|
| 0.0.1 |
|
| 0.0.9 |
|
| 0.0.9 |
|
| 0.0.13 |
|
| 0.0.23-10-g4528ef3 |
|
| 0.1.3-4-g68c293d | This version is mentioned only in the Solar report; we have not come across it. |
| 0.1.3-62-g4843e53 |
|
| 0.1.4 | No changes found from previous version. |
This article examines the current version, 0.1.4.
Internal packages
First, we will describe the structure of the internal packages and their purpose to give you an understanding of GoRed functionality. In the backdoor's data, we have found the following package paths containing the substring "red.team/go-red/":
| Package | Purpose |
|---|---|
| red.team/go-red/config/ | Retrieval of the internal and transport configurations |
| red.team/go-red/bb/ | Processing of an operator's commands |
| red.team/go-red/birdwatch/ | Monitoring of the file system |
| red.team/go-red/gecko/ | Protocol for communication between GoRed and its C2 |
| red.team/go-red/backend/ | Connecting to a data exfiltration server |
| red.team/go-red/collector/ | Collecting system information |
| red.team/go-red/util/ | Various auxiliary utilities |
| red.team/go-red/packer/ | Data packing |
| red.team/go-red/proxy/ | Proxy mode operation |
| red.team/go-red/revshell/ | Reverse shell mode operation |
| red.team/go-red/dns/ | DNS tunneling implementation |
| red.team/go-red/icmptunnel/ | ICMP tunneling implementation |
Let's now proceed to analysis proper. Here's a simplified diagram of the control flow to give you an understanding of how it works.
1. Start of execution
The control flow relies on the command line interface (CLI). However, before passing control to the CLI, the backdoor initializes a number of commands, which are described below.
- service command
- gecko subcommand
The service command, intended for gaining persistence in the system, is initialized first. The GoRed CLI command structure looks as follows:
struct cli_Command
{
string Name;
_slice_string Aliases;
string Usage;
string UsageText;
string Description;
string ArgsUsage;
string Category;
PTR_cli_BashCompleteFunc BashComplete;
PTR_cli_BeforeFunc Before;
PTR_cli_AfterFunc After;
PTR_cli_ActionFunc Action;
PTR_cli_OnUsageErrorFunc OnUsageError;
_slice__ptr_cli_Command Subcommands;
_slice_cli_Flag Flags;
cli_FlagCategories flagCategories;
bool SkipFlagParsing;
bool HideHelp;
bool HideHelpCommand;
bool Hidden;
bool UseShortOptionHandling;
string HelpName;
_slice_string commandNamePath;
string CustomHelpTemplate;
cli_CommandCategories categories;
bool isRoot;
cli_separatorSpec separator;
};
In terms of command identification, the most helpful fields in this structure are the following:
- Name: command name
- Usage: command description
- Action: function called when the command is executed
- Subcommands: subcommands for the current command
Next, the structure of the CLI itself is initialized into the variable app.
The app structure looks as follows:
struct cli_App
{
string Name;
string HelpName;
string Usage;
string UsageText;
string ArgsUsage;
string Version;
string Description;
string DefaultCommand;
_slice__ptr_cli_Command Commands;
_slice_cli_Flag Flags;
bool EnableBashCompletion;
bool HideHelp;
bool HideHelpCommand;
bool HideVersion;
cli_CommandCategories categories;
cli_FlagCategories flagCategories;
PTR_cli_BashCompleteFunc BashComplete;
PTR_cli_BeforeFunc Before;
PTR_cli_AfterFunc After;
PTR_cli_ActionFunc Action;
PTR_cli_CommandNotFoundFunc CommandNotFound;
PTR_cli_OnUsageErrorFunc OnUsageError;
PTR_cli_InvalidFlagAccessFunc InvalidFlagAccessHandler;
time_Time Compiled;
_slice__ptr_cli_Author Authors;
string Copyright;
io_Reader Reader;
io_Writer Writer;
io_Writer ErrWriter;
PTR_cli_ExitErrHandlerFunc ExitErrHandler;
map_string_interface_ Metadata;
PTR_func_map_string_string ExtraInfo;
string CustomAppHelpTemplate;
string SliceFlagSeparator;
bool DisableSliceFlagSeparator;
bool UseShortOptionHandling;
bool Suggest;
bool AllowExtFlags;
bool SkipFlagParsing;
bool didSetup;
cli_separatorSpec separator;
_ptr_cli_Command rootCommand;
};
Here, too, the most informative fields for identifying commands are as follows:
- Name: current command name
- Action: function called
- Commands: subcommands for the current command
The Commands field for the app structure is also initialized.
Next, the Logging field is retrieved from the embedded_Config structure described in the section below. After this, the control flow moves to the CLI.
2. Gaining persistence in the system
The first command to be executed is service. It achieves persistence in the system. It can be executed with the following options:
| Option | Purpose |
|---|---|
| no-service | Simply proceeds to executing CLI commands |
| uninstall | Removes the service |
| restart | Restarts the service |
If there are no options from the table above, it gains persistence as a service with the name it received as an argument. To maintain presence in the compromised system, it creates environment variables whose names begin with "BB", for example:
- BB_WS
- BB_QUIC
- BB_ICMP
- BB_DNS
- BB_START_DELAY
3. Initializing beacon mode
The control flow is then transferred to the gecko command. This command is the entry point for GoRed to run in beacon mode.
It can be executed with the following options:
| Option | Purpose |
|---|---|
| wss | Use the corresponding protocol for communication between the operator and GoRed |
| quic | |
| icmp | |
| dns | |
| background | Run the command in the background |
| start-delay | Add delay in communications with the C2 |
Depending on the protocol received as an option, the command fetches the C2 from the transport configuration whose structure is described in the section below. It then begins initializing the beacon functionality.
To identify the victim, the malware first generates an ID, which is an MD5 hash of the computer's MAC addresses and name, similarly to the case described in our Hellhounds: Operation Lahat article. The resulting hash sum is added to a field in the client structure, which stores all data required for communication with the C2.
4. Establishing an initial connection
After GoRed is initialized, it needs to connect to its C2. The number of connection attempts is defined in the backoff package.
The execution flow calls the function that registers the beacon functionality, after which the CLI commands are initialized.
Registration uses the RPC protocol. Data in the model_Beacon structure is sent to the server, and data in the model_Auth structure is used for authentication with the server.
struct model_RegisterBeaconRequest
{
model_Beacon Beacon;
model_Auth Auth;
};
struct model_Beacon
{
string ID;
string Hostname;
string ClientIPs;
_slice_string Tags;
string OS;
string Username;
};
struct model_Auth
{
string Token;
uuid_UUID ClientID;
string Transport;
};
The fields in these structures have the following purposes:
| Field | Purpose | |
|---|---|---|
| Beacon | The structure containing victim information | |
| Field | Purpose | |
| ID | Victim's ID | |
| Hostname | Victim's hostname | |
| ClientIPs | Victim's IP addresses | |
| Tags | Victim's tag | |
| OS | Victim's operating system | |
| Username | Victim's username | |
| Auth | The structure containing authentication data | |
| Field | Purpose | |
| Token | Authentication token | |
| ClientID | Client ID | |
| Transport | Protocol being used | |
After registering, GoRed runs the birdwatch command to monitor the file system.
The execution flow then sets a GoRed beacon mode heartbeat period (for signaling to C2).
The execution flow then runs a command to monitor the password file stored in /etc/shadow/.
Finally, the execution flow initializes all available commands and goes into heartbeat mode.
5. Entering listen and execute mode
At the final stage of initialization, GoRed starts listening for the operator's commands that it previously initialized. It can execute both system and built-in commands. Commands can be set to run in the background.
6. Communications in beacon mode
GoRed uses the RPC protocol to communicate with its C2 in beacon mode.
It registers a custom codec to communicate via RPC.
The registered codec serializes data with CBOR and encrypts with AES-256-GCM (Secret field in embedded_Config) when sending, and does the reverse when receiving.
Configurations
GoRed contains two configuration blocks: built-in and transport.
Built-in configuration
This is the configuration of GoRed itself. It is encoded in Base64 and serialized with msgpack.
For versions 0.0.23-10-g4528ef3 through 0.1.4, the structure of the built-in configuration is as follows:
struct embedded_Config
{
string Logging;
string Token;
uuid_UUID UserID;
uuid_UUID ClientID;
string ClientKey;
string Version;
_slice_string Tags;
_slice_string Args;
string Secret;
_ptr_url_URL BackendAddress;
_ptr_url_URL ProxyAddress;
};
The purposes of the built-in configuration fields are as follows:
| Field | Purpose |
|---|---|
| Logging | Logging and log format:
|
| Token | Generated JWT for RPC |
| UserID | UUID for the payload field in the JWT (when using RPC) |
| ClientID | Unique identifier for the exfiltrated data of the victim |
| ClientKey | HS256 key needed to generate the JWT when exfiltrating data |
| Version | GoRed version |
| Tags | Victim's tag |
| Args | GoRed arguments |
| Secret | AES-256-GCM key for encrypting or decrypting the data transmitted or received via RPC |
| BackendAddress | Address of a dedicated server for data exfiltration |
| ProxyAddress | List of proxy addresses for data exfiltration |
Configuration structure for versions 0.0.9 through 0.0.13.
struct embedded_Config
{
bool Debug;
string Token;
uuid_UUID ClientID;
string ClientKey;
string Version;
_slice_string Tags;
string Secret;
string BasicAuthLogin;
string BasicAuthPass;
_ptr_url_URL BackendAddress;
_ptr_url_URL ProxyAddress;
};
The fields in this version of the built-in configuration have the following purposes:
| Field | Purpose |
|---|---|
| Debug | Logging and log format:
|
| BasicAuthLogin | Login for authentication when using the curl command |
| BasicAuthPass | Password for authentication when using the curl command |
Built-in configuration for version 0.0.1.
struct embedded_Config
{
bool Debug;
uuid_UUID ClientID;
string ClientKey;
string Version;
_ptr_url_URL BackendAddress;
};
Golang script for getting built-in configuration fields:
package main
import (
"encoding/base64"
"fmt"
"net/url"
"github.com/google/uuid"
"github.com/vmihailenco/msgpack/v5"
)
type embedded_Config struct {
Logging string
Token string
UserID uuid.UUID
ClientID uuid.UUID
ClientKey string
Version string
Tags []string
Args []string
Secret string
BackendAddress* url.URL
ProxyAddress* url.URL
}
const config = `...`
func main() {
var item map[string]any
data, _ : = base64.StdEncoding.DecodeString(config)
err : = msgpack.Unmarshal(data, &item)
if err != nil{
panic(err)
}
fmt.Print("Logging: ")
fmt.Println(item["Logging"])
fmt.Print("Token: ")
fmt.Println(item["Token"])
fmt.Print("UserID: ")
fmt.Println(uuid.UUID(item["UserID"].([]byte)))
fmt.Print("ClientID: ")
fmt.Println(uuid.UUID(item["ClientID"].([]byte)))
fmt.Print("ClientKey: ")
fmt.Println(item["ClientKey"])
fmt.Print("Version: ")
fmt.Println(item["Version"])
fmt.Print("Tags: ")
fmt.Println(item["Tags"])
fmt.Print("Args: ")
fmt.Println(item["Args"])
fmt.Print("Secret: ")
fmt.Println(item["Secret"])
fmt.Print("BackendAddress: ")
fmt.Println(string(item["BackendAddress"].([]byte)))
fmt.Print("ProxyAddress: ")
fmt.Println(item["ProxyAddress"])
}
Python script for getting built-in configuration fields:
import msgpack
import base64
s = base64.b64decode('...')
config = msgpack.unpackb(s, raw = False)
print(config)
Transport configuration
The transport configuration looks as follows:
It has the following structure:
struct static_TransportConfig
{
static_Transport Revsh;
static_Transport RPC;
static_Transport Proxy;
};
struct static_Transport
{
_ptr_static_Address WS;
_ptr_static_Address QUIC;
_ptr_static_Address ICMP;
_ptr_static_Address DNS;
_ptr_static_Address TCP;
};
struct static_Address
{
string Domain;
string BackupIP;
signed __int64 Port;
string Proto;
};
The fields of the static_TransportConfig structure have the following purposes:
| Field | Purpose |
|---|---|
| Revsh | Reverse shell connection addresses for an operator |
| RPC | Addresses for GoRed beacon mode RPC heartbeats |
| Proxy | Addresses for running GoRed in proxy mode |
The fields of the static_Address structure have the following purposes:
| Field | Purpose |
|---|---|
| Domain | Domain to connect to |
| BackupIP | IP to connect to if the domain cannot be resolved |
| Port | Connection port |
| Proto | Connection protocol |
Communication protocols
GoRed has several protocols for communicating with the operator.
| Protocol | Implementation |
|---|---|
| ws | Implements WebSocket connection |
| quic | Implements QUIC connection |
| icmp | Implements ICMP tunneling |
| dns | Implements DNS tunneling |
DNS
DNS tunneling in GoRed can use Base64 or Base32. This option is selected during compilation.
An example of a domain used in an attack is 8E1A4QB4OGA66RPJCHL72DJGCKRMIOR8CDN3EDJBDOOAEQ3FEDQ5UQB4OGA66RP.JCHL6EDJGCKRMIOR8CDN3EDJBDLJG.rosm[.]pro.
Background commands
Background commands run continuously; some of them can be added to the background or removed, depending on the conditions in the table below.
| Command | Description |
|---|---|
| birdwatch | Watches for new files inside directories. Runs in the background by default.
|
| creds-watcher | Watches for passwords. Runs in the background by default. |
| revsh-host | Enables reverse shell mode. Runs in the background upon execution.
|
| rev-proxy | Enables reverse proxy mode via SOCKS5. Runs in the background upon execution. |
| rev-fwd | Enables reverse port forwarding mode. Runs in the background upon execution. |
Connecting in rev-proxy and rev-fwd mode
Before starting to act as a server, GoRed needs to initialize an embedded X.509 certificate, similarly to the case described in our Hellhounds: Operation Lahat. Part 2 article.
The backdoor also needs to collect information about the victim's host by executing the CollectHostInfo function shown above. This produces the structure presented below, except for the Addr field.
struct proto_HostInfo
{
string Addr;
string OS;
string Username;
string Hostname;
_slice_string IPs;
};
The fields in the structure have the following purposes:
| Field | Purpose |
|---|---|
| Addr | Address to connect to, passed to the command as a parameter |
| OS | Victim's operating system |
| Username | Victim's username |
| Hostname | Victim's hostname |
| IPs | Victim's IP addresses |
A structure to identify GoRed as a server is initialized as follows:
The initialized structure looks as follows:
struct proto_BinInfo
{
uuid_UUID ClientID;
string Token;
_slice_string Tags;
};
The fields in the structure have the following purposes:
| Field | Purpose |
|---|---|
| ClientID | Identifies the victim |
| Token | Generated JWT for RPC |
| Tags | Victim's tag |
Having received the proto_HostInfo and proto_BinInfo structures, GoRed uses their fields in a handshake message that it sends to the C2 at the address it gets from the transport configuration. The handshake message structure looks as follows:
struct proto_MsgGreeting
{
proto_ConnectionMode Mode;
string MachineID;
proto_BinInfo BinInfo;
_ptr_proto_HostInfo HostInfo;
};
The fields in the structure have the following purposes:
| Field | Purpose |
|---|---|
| Mode | The following modes are supported:
|
| MachineID | Victim's computer ID |
| BinInfo | Structure containing the GoRed configuration information |
| HostInfo | Structure containing victim information |
The handshake sequence used to register GoRed as a server looks as follows:
In response to the handshake message, the server sends a message with the following structure:
struct proto_MsgGreetingResponse
{
string Greeting;
_ptr_proto_BinInfo BinInfo;
_ptr_proto_HostInfo HostInfo;
};
If the Greeting field contains the string "welcome", the connection is considered successful, and GoRed starts running in server mode; if not, the connection cannot be established.
Issued commands
The operator uses the following commands to communicate with GoRed:
| Command | Description |
|---|---|
| upload | Exfiltrates files. Takes a file path as the argument |
| download | Downloads files onto the infected computer. Takes a file path as the argument |
| bg-list | Displays a list of internal background commands |
| bg-stop | Cancels an internal background command. Takes a command ID as an argument. Can be used to stop all background commands |
| stealth | Automatically sets the heartbeat frequency within a larger range for greater stealth.
|
| emit-period | Gets or sets a heartbeat frequency manually |
| conn-providers | Gets the communication protocols available in the current version of GoRed |
| info | Gets victim information:
|
| collect | Collects and exfiltrates system information. See the section below for more details |
| bb-update | Updates GoRed. Sends a GET request to the URL passed as the argument and restarts GoRed with the restart argument |
| bb-ps | Gets the status of the process passed as the argument |
| bb-cat | Reads the file passed as the argument |
| bb-find | Searches for files passed as the argument |
| bb-ls | Displays the contents of the directory passed as the argument |
| bb-mkdir | Creates the directory passed as the argument |
| bb-pwd | Returns the full path of the current directory |
| bb-rm | Deletes the file passed as the argument |
| bb-wc | Collects information about the file passed as the argument:
|
| bb-nmap | Scans the network. Takes a host IP as the argument |
| bb-ping | Pings an external host. Takes an IP as the argument |
| bb-wget | Gets files via HTTP. Takes two arguments: the source URL and the output filename specified after the —output option |
| bb-curl | Similar to curl, but with limited functionality |
collect
Since this command collects system information and data for subsequent exfiltration, we decided to describe it in more detail:
| Option | Purpose |
|---|---|
| local-archive | Selects a compression algorithm: tar or gzip |
| skip-trees | Skips collecting file system structure information |
| skip-files | Skips collecting files |
| exec-timeout | Sets a time period for collecting files |
Collected information
An example of the code used to collect information is shown below.
A complete list of collected information is provided in the table below.
| File | Contents |
|---|---|
| processes.json | List of processes |
| envvars.json | List of environment variables |
| host.json | Information about the processor, RAM, installed OS, user name, group name |
| network_interfaces.json | List of network interfaces |
| netstats.json | List of active network connections |
| *.txt | Files that will be collected depending on the values of the fields in the model_CollectionConfig structure |
| hardware.json | Hardware information |
| trees.json | File system structure |
Exfiltration
Before the data is sent, it is serialized with msgpack and encrypted with AES-256-GCM (Secret field in embedded_Config).
Next, after archiving the data, the backdoor sends it with a POST request to a URL generated by appending "/api/collection-result" to the BackendAddress field in embedded_Config.
It is also possible to update the model_CollectionConfig structure by sending a GET request to a URL generated by appending "/api/config" to the BackendAddress field in embedded_Config.
\
The model_CollectionConfig structure is a configuration for the collect command and has the following fields:
struct model_CollectionConfig
{
_slice__slice_string Commands;
_slice_string Files;
_slice_string TreePaths;
};
The fields in the structure have the following purposes:
| Field | Purpose |
|---|---|
| Commands | bb_files_* command |
| Files | Files |
| TreePaths | Paths |
Conclusion
ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it's also actively improving its existing tools, such as the GoRed backdoor.
ExCobalt is apparently aiming for more sophisticated and productive methods of hacking and cyberespionage, seeing how GoRed has been acquiring new capabilities and features. These include expanded functionality for collecting victim data and increased secrecy both inside the infected system and in communications with C2 servers.
In addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities, which help the group to easily bypass security controls and adapt to changes in protection methods. The use of modified utilities is a sign that the members of the group have an in-depth understanding of the weaknesses of companies they attack, while leveraging vulnerabilities helps them to pursue sophisticated attacks on their targets.
Overall, the evolution of ExCobalt and its toolset, including GoRed and the modified utilities, highlights the need for organizations and cybersecurity professionals to continuously improve detection and protection techniques to combat this group as well as other similar cyberthreats.