To execute commands on the compromised systems, the modus operandi involves using a variety of tools, including Linux privilege escalation exploits (CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, and CVE-2022-2586) and Metasploit, Mimikatz, ProcDump, SMBExec, and Spark RAT. With multiple modifications since its creation, GoRed is a feature-rich backdoor that gives users the ability to run commands, get credentials, and gather information about running processes, network interfaces, and file systems. Its command-and-control (C2) server is communicated via the Remote Procedure Call (RPC) protocol.

Additionally, it supports several background commands to enable reverse shell and search for interesting files and passwords. After that, the data is exported to the infrastructure under the control of the attacker. ExCobalt keeps displaying a high degree of activity and tenacity in its attacks against Russian businesses, continuously enhancing its tactics and acquiring new weapons for its collection. Furthermore, ExCobalt exhibits adaptability and flexibility by adding customized standard utilities to its toolkit. This allows the organization to simply get around security measures and adjust to changes in defense strategies.

Impact

• Privilege Escalation
• Information Theft
• Cyber Espionage
• Command Execution
• Financial Loss

Indicators of Compromise

Domain Name

• leo.rpm-bin.link
• lib.rest
• rosm.pro
• sula.rpm-bin.link
• mtp.upd-rk.net
• get.upd-rk.net
• src.setup.mom
• wired.setup.mom
• get.rpm-bin.link

IP

• 193.37.71.75
• 45.147.200.165
• 188.127.225.231
• 75.119.130.76
• 135.125.107.221

MD5

• 64db61efc8acf370b91110b6f93d4dce
• 63f6de3c86de55172b147b947f29c808
• d3cd9d9bad6450e8fd4fd2e972639c69
• cad5cb82baccd1f28e381e5c924f204a
• 6f6e7fe49a8d5696f389e202d3b8c7e2
• b5dc9a67f76fa18784b51fd3c5b9607c
• caf68b393d56548074b9434564cb0625
• 0385b0f83dbfc99c243ff066e3fe3cb2
• 7dc1e49f1664af70d85d31af70f29071
• fc3b7f47958f6c1c6a93a2f2f970734c
• ad5c0363e7e28c69007f891fbc3dd030

SHA-256

• f43c99ef85166774ed47cad96c70b8273aa82c313e55bb08d9c74e2b3f59b000
• f91c9fd27bf0e3a7e82998721946ee70735ec46ee672ca80e3062aa2d5195447
• be246cdf932aa5b1c2ada0d74c8d1eca4028538b28fb61d7a8d930b4266fd55c
• ec36fcd64432843292d16f601a758ba4091ada906c5c4c4e540e326676911141
• 41d35016c78f86eee8972808c7de8c200ff24625639adff5b9d0ab8773fff6b4
• aca34d7c3832879f6f7ebe8f7c59160896909574c94d1d12d7c71b6f7918bc50
• 8d055f3ad4d01f601df24a7c20ded981005adef7e6d26750415d1f95a471c2e3
• 32d76f2fe1188a131cb3219356639e83c60d47a703e40b8801a364d98e37128f
• f3bb44d52e43477ce43c91eb8d9830e356fc105b96377edd6b190fcccda61e2f
• ab801eaa9ad11199e1382a124d6024f9551a5a33ca1b9e5cafc0098621abb91f
• f56b7fbc5dda7e46aff1b7753a1edb1f6fad5c8953dd3dbff30b3d8675b1dbd3

SHA-1

• a81373d92d798418109552fb91d4c407d4c37a89
• 5a504869350a4bdbcda22b09dbe7b05a7551a860
• a190448a0c01a6e58610de27d022ccba0e755f79
• 81861a853216f78219dd8cb0b4717d5d63260e7d
• 1d784e6c7d12fb7730895f21e4bfd3cde4b3900f
• de243b57b087f5d1cde50db1949aa3744f1f6b5e
• 680cb0a25e4a5148f5a1f7d3b75fad4fd345cdb0
• 4f6164321d10c7a54a54398ccc7b11c1e7390e38
• 1981f9a1d885c0ccb2d1f5910765a52d1989bc37
• 8030f2430234426ab3bdc8cdd995be7c4805d7d2
• 3dd9bd38a8f8166b1af25cb523a9a6f25b1791df

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.