Sophisticated disguise techniques kept the software from being detected for many years.
The Solar 4RAYS Cyber Threat Research Center of the Solar Group of Companies has discovered a unique malicious program (malware) GoblinRAT with a wide range of disguise functionality. Experts identified it in the network of several Russian departments and IT companies serving the public sector. The earliest traces of infection date back to 2020. To date, this is one of the most sophisticated and stealthy attacks that Solar 4RAYS specialists have faced.
The first detection of GoblinRAT occurred in 2023 during the investigation of an incident at an IT company that provides services mainly to government bodies. The organization's in-house information security specialists noticed that system logs on a server had been deleted and that a utility for stealing account passwords had been downloaded from a domain controller. After bringing in outside specialists and a lengthy search, code was found that disguised itself as the process of a legitimate application. The parameters of the malicious process did not stand out in any way, and the file that launched it differed from the legitimate one by only one letter in its name. Such a detail could only be noticed by manually analyzing thousands of megabytes of data.
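One defensive check that follows from the finding above is to compare the image names of running processes against a baseline of legitimate binary names and flag near-matches (an edit distance of one, as in the case described). This is an added illustration, not code from Solar 4RAYS or from the report; the baseline names, paths and PIDs are constructed sample data.

```python
import os
from typing import Iterable, List, Optional, Tuple

# Constructed sample baseline of legitimate binary names (hypothetical, not from the report).
LEGIT_BINARIES = {"svchost.exe", "nginx", "postgres", "sshd", "java"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (simple row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, legit: Iterable[str], max_dist: int = 1) -> Optional[str]:
    """Return the legitimate name that `name` imitates, or None if it is exact or unrelated."""
    if name in legit:
        return None
    for candidate in legit:
        if edit_distance(name.lower(), candidate.lower()) <= max_dist:
            return candidate
    return None


def find_lookalikes(process_paths, legit=LEGIT_BINARIES) -> List[Tuple[int, str, str]]:
    """Scan (pid, image path) pairs; return (pid, basename, imitated_name) for near-matches."""
    hits = []
    for pid, path in process_paths:
        base = os.path.basename(path)
        target = lookalike_of(base, legit)
        if target is not None:
            hits.append((pid, base, target))
    return hits


# Constructed sample process listing (hypothetical PIDs and paths).
SAMPLE_PROCESSES = [
    (1201, "/usr/sbin/nginx"),
    (1337, "/opt/app/bin/nginz"),
    (2002, "/usr/lib/postgresql/bin/postgres"),
    (2048, "/tmp/.cache/sshd_"),
    (3001, "/usr/bin/python3"),
]

if __name__ == "__main__":
    for pid, base, target in find_lookalikes(SAMPLE_PROCESSES):
        print(f"pid {pid}: '{base}' looks like legitimate '{target}'")
```

In practice the baseline would be built per host from the software inventory, and the process list pulled from EDR or `ps` output, since the report stresses that the disguise was tailored to each attacked system.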
Further analysis showed that GoblinRAT had no automatic persistence functions: the attackers first carefully studied the target infrastructure and only then introduced the malware under a unique disguise, always in the guise of one of the applications running on the specific attacked system. Experts are convinced that this clearly indicates the targeted nature of the attack.
Solar noted that with the help of this software the attackers gained full control over the victims' infrastructure. The operators of GoblinRAT had unlimited access to the attacked infrastructures and were able to steal, modify, and destroy any information on the accessible servers.
The malware was found in four organizations. In one of the attacked infrastructures, the attackers had access for three years, and the shortest attack lasted about six months. The company does not disclose the specific attacked departments, pointing only to "the authorities and their IT contractors".
To control the malware, the attackers used legitimate compromised sites, including an online retailer's website. Colleagues from other information security companies with global sensor networks did not find anything similar in their collections, the company claims. The key open issue is attribution: no artifacts indicating the origin of the malware have been found. The expert notes that neither Asian nor Eastern European groups, nor groups from other regions, have demonstrated such tools, but it is obvious that the creators of GoblinRAT have a high level of professionalism and serious motivation.
Source