Russian organizations have come under siege by a cybercriminal collective known as ExCobalt, utilizing a newly identified Golang-based backdoor called GoRed.
“ExCobalt is dedicated to cyber espionage, comprising several members active since at least 2016, and likely former affiliates of the infamous Cobalt Gang,” Positive Technologies researchers Vladislav Lunin and Alexander Badayev detailed in a technical report published this week.
“Cobalt was notorious for attacking financial institutions to pilfer funds. One of their signature tools was CobInt, which ExCobalt adopted in 2022.”
The threat actor’s assaults over the past year have targeted diverse sectors in Russia, including government, IT, metallurgy, mining, software development, and telecommunications.
Initial access to these environments is gained through contractors that were compromised earlier and through a supply chain attack in which the adversary infected a component used to build the target company's legitimate software, a degree of sophistication that sets the group apart.
Their modus operandi relies on a mix of off-the-shelf and open-source tooling on compromised hosts: Metasploit and Spark RAT for command execution, Mimikatz and ProcDump for credential harvesting, and SMBExec for lateral movement, together with public Linux privilege escalation exploits for CVE-2019-13272 (ptrace), CVE-2021-3156 (sudo, "Baron Samedit"), CVE-2021-4034 (polkit pkexec, "PwnKit"), and CVE-2022-2586 (netfilter nf_tables use-after-free).
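The four CVEs above are old and patched upstream, so the practical question for a defender reading this report is whether any Linux host still exposes them. The following triage script is an added example, not code from Positive Technologies or from the threat actor, and it makes two assumptions worth stating: the affected ranges are the upstream ones (sudo 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1 for CVE-2021-3156; kernels below 5.1.17 for CVE-2019-13272), and a pkexec binary without the setuid bit is not exploitable for CVE-2021-4034. Distributions backport fixes without changing the version string, so every hit means "check the vendor advisory", not "confirmed vulnerable". CVE-2022-2586 is internal to the nf_tables subsystem and is not checked here.

```python
"""Linux host triage for the privilege-escalation CVEs named in the article.

Added example (not the researchers' or the attackers' code). Reports whether
a host *looks* exposed to CVE-2021-3156 (sudo), CVE-2019-13272 (kernel
ptrace) and CVE-2021-4034 (pkexec) from version strings and file modes.
Assumption: upstream version ranges; distros backport silently, so a True
result is 'verify against the vendor advisory', never 'vulnerable'.
"""
import platform
import re
import stat
import subprocess
import os

_SUDO_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
_KERNEL_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_sudo_version(text):
    """'Sudo version 1.9.5p1' (or bare '1.9.5p1') -> (1, 9, 5, 1).

    A missing 'pN' suffix counts as p0, so 1.9.5 < 1.9.5p1 < 1.9.5p2 < 1.9.5p10
    compare correctly as tuples; a naive string compare would sort p10 before p2.
    """
    m = _SUDO_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in %r" % text)
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def sudo_vulnerable_cve_2021_3156(version_text):
    """Upstream affected ranges: legacy 1.8.2..1.8.31p2 and stable 1.9.0..1.9.5p1.
    Fixed in 1.9.5p2 (assumption: no distro backport behind the version string)."""
    v = parse_sudo_version(version_text)
    legacy = (1, 8, 2, 0) <= v <= (1, 8, 31, 2)
    stable = (1, 9, 0, 0) <= v <= (1, 9, 5, 1)
    return legacy or stable


def parse_kernel_version(uname_r):
    """'5.1.16-300.fc30.x86_64' -> (5, 1, 16). The distro suffix is dropped,
    which is exactly why the result is only a hint."""
    m = _KERNEL_RE.match(uname_r.strip())
    if not m:
        raise ValueError("unparsable kernel release %r" % uname_r)
    return tuple(int(x) if x else 0 for x in m.groups())


def kernel_vulnerable_cve_2019_13272(uname_r):
    """Upstream fix shipped in 5.1.17; it was also backported into 4.x stable
    kernels, so older 4.x releases flagged here may already be fixed."""
    return parse_kernel_version(uname_r) < (5, 1, 17)


def pkexec_setuid(mode):
    """CVE-2021-4034 needs pkexec to run setuid; dropping the bit
    (chmod 0755 /usr/bin/pkexec) was the published interim mitigation."""
    return bool(mode & stat.S_ISUID)


def triage(pkexec_path="/usr/bin/pkexec"):
    """Run the three checks on the local host. None means 'not applicable'."""
    findings = {}
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
        findings["CVE-2021-3156"] = sudo_vulnerable_cve_2021_3156(out)
    except (OSError, ValueError):
        findings["CVE-2021-3156"] = None  # sudo absent or output unparsable
    try:
        findings["CVE-2019-13272"] = kernel_vulnerable_cve_2019_13272(platform.release())
    except ValueError:
        findings["CVE-2019-13272"] = None
    try:
        findings["CVE-2021-4034"] = pkexec_setuid(os.stat(pkexec_path).st_mode)
    except OSError:
        findings["CVE-2021-4034"] = None  # polkit/pkexec not installed
    return findings


if __name__ == "__main__":
    labels = {True: "CHECK VENDOR ADVISORY", False: "not indicated", None: "n/a"}
    for cve, hit in triage().items():
        print("%s: %s" % (cve, labels[hit]))
```

Run it as an unprivileged user on each Linux host you manage; `sudo --version` and `stat` on pkexec need no privileges. Treat the output as a worklist for comparing against your distribution's advisories, and pair it with the detection side: the same hosts should alert on Mimikatz, ProcDump and Metasploit artifacts regardless of patch state.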
GoRed, which has gone through several iterations since it first appeared, is a feature-rich backdoor that lets operators execute commands, harvest credentials, and enumerate running processes, network interfaces, and file systems. It communicates with its command-and-control (C2) server using the Remote Procedure Call (RPC) protocol.
In addition, it supports a set of background commands for watching files of interest and collecting passwords, and it can open a reverse shell. The harvested data is then exfiltrated to attacker-controlled infrastructure.
“ExCobalt continues to exhibit high activity levels and determination in targeting Russian companies, consistently augmenting their arsenal with new tools and refining their techniques,” the researchers noted.
“Moreover, ExCobalt displays adaptability and versatility by integrating modified standard utilities into their toolkit, aiding them in bypassing security controls and adjusting to evolving protection methods.”