Positive Technologies: ExCobalt uses new GoRed backdoor for cyber espionage in Russia

Tomcat

The backdoor lets its operators execute commands remotely and collect data.

The Positive Technologies Expert Security Center (PT ESC) has identified a previously unknown backdoor, written in Go, that the cybercrime group ExCobalt uses to attack Russian organizations.

In March 2024, during an incident investigation, PT ESC specialists discovered a suspicious file named scrond, compressed with the UPX (Ultimate Packer for eXecutables) packer, on one of the client's Linux hosts. After unpacking, the Go-built sample was found to contain package paths with the substring red.team/go-red/, which suggested that it was a custom tool, GoRed. Further analysis showed that various versions of GoRed had already been encountered during incident response at other customers.
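The triage step described above (a UPX packing hint, then Go package paths visible in the unpacked sample) can be scripted; the helper below is an added example, not code from Positive Technologies or the article. The two byte strings are constructed stand-ins for a packed and an unpacked file, and the regular expression for Go package paths is a heuristic.

```python
import re
import sys

# "UPX!" is the marker UPX writes into files it packs; its presence is a strong
# (not definitive) hint that the sample must be unpacked before string analysis.
UPX_MAGIC = b"UPX!"

# Package-path prefixes worth flagging. The substring comes from the article;
# any path under it is reported as a hit.
WATCH_PREFIXES = ("red.team/go-red",)

# Heuristic for Go module/package paths: a domain-like prefix followed by one or
# more path segments (e.g. github.com/org/repo/internal/x).
GO_PKG_RE = re.compile(rb"[a-z0-9][a-z0-9.\-]*\.[a-z]{2,}/[A-Za-z0-9._\-]+(?:/[A-Za-z0-9._\-]+)*")


def is_upx_packed(data: bytes) -> bool:
    return UPX_MAGIC in data


def go_package_paths(data: bytes) -> set:
    """Package paths embedded in a (unpacked) Go binary, as decoded strings."""
    return {m.group(0).decode("ascii") for m in GO_PKG_RE.finditer(data)}


def triage(data: bytes) -> dict:
    paths = go_package_paths(data)
    hits = sorted(p for p in paths
                  if any(p == w or p.startswith(w + "/") for w in WATCH_PREFIXES))
    return {"upx_packed": is_upx_packed(data),
            "go_packages": sorted(paths),
            "watchlist_hits": hits}


# Constructed samples (not real malware bytes): a fake packed ELF header and a
# fake unpacked one carrying a few Go-style strings, one of them on the watchlist.
PACKED_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"UPX!" + b"\x00" * 16
UNPACKED_SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                   + b"\x00runtime.main\x00github.com/example/lib/foo\x00"
                   + b"red.team/go-red/internal/agent\x00net/http\x00")

if __name__ == "__main__":
    # Usage: python triage.py <file>; without an argument the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        print(triage(PACKED_SAMPLE))
        print(triage(UNPACKED_SAMPLE))
```

A packed file yields almost no readable package paths, so an `upx_packed` result with an empty `go_packages` list is the cue to unpack first and rerun.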

Further analysis showed that this tool is associated with the ExCobalt group, which PT ESC described in November last year. ExCobalt is known for its attacks on Russian companies in the fields of metallurgy, telecommunications, mining, IT and the public sector. The group is engaged in cyber espionage and data theft.

The new backdoor, called GoRed, has many features, including remote command execution, data collection from compromised systems, and several methods of communicating with command-and-control (C2) servers.

A study by Positive Technologies showed that ExCobalt continues to actively attack Russian companies, constantly improving its methods and tools. The GoRed backdoor is being extended to support more sophisticated and stealthy attacks and cyber espionage. The attackers show flexibility by using modified tools to circumvent security measures, which indicates a deep understanding of the weaknesses in corporate infrastructure.

The development of ExCobalt highlights the need for continuous improvement of protection and attack detection methods to counter such cyber threats. Experts note that members of the group demonstrate a high degree of professionalism and adaptability, which makes their attacks especially dangerous.