The ExCobalt cybercrime gang is targeting Russian industries with a newly identified Golang-based backdoor, GoRed, which it uses to gain and keep access inside critical sectors.
Positive Technologies researchers Vladislav Lunin and Alexander Badayev revealed these findings in a recent report, highlighting ExCobalt’s increasing sophistication and persistence.
Origins and Evolution of ExCobalt
“ExCobalt, believed to include members from the notorious Cobalt Gang, has been active since at least 2016,” said Lunin and Badayev.
“The Cobalt Gang was infamous for its attacks on financial institutions using the CobInt tool. Since 2022, ExCobalt has adopted CobInt, reflecting a continuity in threat strategies despite changes in group membership.”
Over the past year, ExCobalt has focused its efforts on a diverse range of Russian industries, including government, information technology, metallurgy, mining, software development, and telecommunications. “This widespread targeting suggests a strategic intent to disrupt critical infrastructure and steal valuable data,” the researchers noted. The gang typically gains initial access through compromised contractors or supply chain attacks, compromising components of legitimate software that its targets use. Both routes bypass the target's own perimeter controls and rely on trust the victim has already extended to a third party.
Once inside the network, ExCobalt uses a mix of public and custom tooling to execute commands and escalate privileges on compromised hosts: Metasploit for exploitation and post-exploitation, Mimikatz for extracting credentials from memory, ProcDump for dumping process memory, SMBExec for remote command execution over SMB, and Spark RAT for cross-platform remote access. On Linux hosts the group also exploits several known local privilege escalation vulnerabilities: CVE-2019-13272 (ptrace credential handling in the kernel), CVE-2021-3156 (the "Baron Samedit" heap overflow in sudo), CVE-2021-4034 (the "PwnKit" flaw in polkit's pkexec), and CVE-2022-2586 (a use-after-free in the kernel's nf_tables subsystem). All four have had patches available for years, so their continued use says more about unpatched fleets than about the group's exploit development capability.
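The four Linux CVEs above are old enough that a defender's first question is simply whether a given host is still exposed. The following triage helpers are an added example written for this article, not code from Positive Technologies or from the ExCobalt toolset. Each check takes a string captured from the host (the output of `sudo --version`, the harmless `sudoedit -s /` probe, `uname -r`, `ls -l /usr/bin/pkexec`, and `sysctl`), so it runs offline against a snapshot; the sample snapshot, the status labels and the `triage()` function are assumptions of this example. The version thresholds are the upstream fix points, which is why the sudo check is paired with the behavioural probe and the kernel check only asks for an advisory lookup: distributions backport fixes without changing the upstream version number.

```python
"""Offline triage for the four Linux LPE CVEs ExCobalt is reported to use.

Added example, not from the Positive Technologies report. All inputs are
strings captured from a host, so nothing here touches the live system; the
SAMPLE_SNAPSHOT at the bottom is constructed for illustration.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_sudo_version(output: str) -> Version:
    """'Sudo version 1.9.5p1' -> (1, 9, 5, 1); a missing pN suffix counts as p0."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", output)
    if not m:
        raise ValueError(f"unrecognised sudo --version output: {output!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def sudo_version_exposed(output: str) -> bool:
    """CVE-2021-3156 affects sudo 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1 upstream.

    Screen only: distro packages backport the fix under the old version
    number, so confirm with sudoedit_probe_vulnerable() before reporting.
    """
    v = parse_sudo_version(output)
    return (1, 8, 2, 0) <= v <= (1, 8, 31, 2) or (1, 9, 0, 0) <= v <= (1, 9, 5, 1)


def sudoedit_probe_vulnerable(stderr: str) -> bool:
    """Interpret `sudoedit -s /`: an unpatched sudo answers
    'sudoedit: /: not a regular file'; a patched one prints a usage error."""
    return stderr.lstrip().startswith("sudoedit:")


def parse_kernel_release(uname_r: str) -> Version:
    """'5.4.0-107-generic' -> (5, 4, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    return tuple(int(x or 0) for x in m.groups())


def kernel_ptrace_exposed(uname_r: str) -> bool:
    """CVE-2019-13272 was fixed upstream in 5.1.17. Older LTS kernels carry a
    backport, so a True here means 'check the distro advisory', not 'vulnerable'."""
    return parse_kernel_release(uname_r) < (5, 1, 17)


def pkexec_is_setuid(ls_line: str) -> bool:
    """'-rwsr-xr-x 1 root root ... /usr/bin/pkexec' -> True.

    CVE-2021-4034 needs pkexec to be setuid root; dropping the bit
    (chmod 0755) is the documented mitigation when polkit cannot be updated.
    """
    mode = ls_line.split()[0]
    return len(mode) >= 4 and mode[3] in "sS"


def unprivileged_userns_allowed(sysctl_output: str) -> bool:
    """CVE-2022-2586 is in nf_tables, which requires CAP_NET_ADMIN. An
    unprivileged user normally obtains that inside a user namespace, so a
    kernel that forbids unprivileged user namespaces is not reachable from a
    non-root foothold even if it is unpatched."""
    values = {}
    for line in sysctl_output.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip()] = val.strip()
    if values.get("kernel.unprivileged_userns_clone") == "0":  # Debian/Ubuntu knob
        return False
    if values.get("user.max_user_namespaces") == "0":  # generic knob
        return False
    return True


def triage(snapshot: Dict[str, str]) -> Dict[str, str]:
    """One status per CVE for a captured host snapshot (labels are this example's own)."""
    if sudoedit_probe_vulnerable(snapshot["sudoedit_probe"]):
        sudo_status = "vulnerable"
    elif sudo_version_exposed(snapshot["sudo_version"]):
        sudo_status = "backported-fix"
    else:
        sudo_status = "not-affected"
    return {
        "CVE-2021-3156": sudo_status,
        "CVE-2019-13272": "check-advisory" if kernel_ptrace_exposed(snapshot["uname_r"]) else "not-affected",
        "CVE-2021-4034": "setuid-present" if pkexec_is_setuid(snapshot["pkexec_ls"]) else "mitigated",
        "CVE-2022-2586": "reachable-unprivileged" if unprivileged_userns_allowed(snapshot["sysctl"]) else "mitigated",
    }


# Constructed snapshot of an unpatched Ubuntu 20.04-era host, not real telemetry.
SAMPLE_SNAPSHOT = {
    "sudo_version": "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
    "sudoedit_probe": "sudoedit: /: not a regular file\n",
    "uname_r": "5.4.0-42-generic",
    "pkexec_ls": "-rwsr-xr-x 1 root root 31032 Feb 21  2020 /usr/bin/pkexec",
    "sysctl": "kernel.unprivileged_userns_clone = 1\nuser.max_user_namespaces = 63189\n",
}

if __name__ == "__main__":
    for cve, status in triage(SAMPLE_SNAPSHOT).items():
        print(f"{cve}: {status}")
```

Run against the sample, the sudo probe reports the host as vulnerable to CVE-2021-3156 even though the 1.8.31 version string alone is inconclusive, the 5.4 kernel is past the CVE-2019-13272 fix, pkexec still carries its setuid bit, and unprivileged user namespaces are enabled, which is the condition that turns an unpatched nf_tables bug into an unprivileged-to-root path.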
Introducing the GoRed Backdoor
Central to these attacks is the GoRed backdoor, which has gone through numerous iterations. As explained by Lunin and Badayev, “GoRed enables ExCobalt to execute commands, extract credentials, and gather detailed information about active processes, network interfaces, and file systems.” Communication with the command-and-control (C2) server uses a Remote Procedure Call (RPC) protocol; the report does not describe the transport or encryption in further detail, so the choice of RPC should be read as a structuring decision for the C2 channel rather than as a security property.
Furthermore, “GoRed is also capable of executing background commands to monitor files and capture passwords, and it supports reverse shell access,” the researchers added. This functionality allows the attackers to maintain a persistent presence on compromised systems. The collected data is subsequently exfiltrated to infrastructure controlled by ExCobalt, demonstrating their capacity to conduct extensive data harvesting operations.
Additionally, “ExCobalt’s continuous adaptation and enhancement of their toolset, including the incorporation of modified standard utilities, showcase their ability to bypass security controls and quickly adjust to evolving defense measures,” noted Lunin and Badayev. Such flexibility and versatility in attack strategies underscore the group’s high degree of sophistication.