June 22, 2024 at 07:54AM
ExCobalt, a cybercrime gang, is targeting Russian organizations with a new Golang-based backdoor called GoRed. The group engages in cyber espionage, using various sophisticated tools to attack sectors like government, IT, metallurgy, and telecommunications. ExCobalt demonstrates a high level of activity, constantly improving techniques and flexibly adapting its toolset to bypass security controls.
From the meeting notes:
– Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed.
– ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang.
– Attacks have singled out various sectors in Russia over the past year, including government, information technology, metallurgy, mining, software development, and telecommunications.
– Initial access to victim environments is gained through a previously compromised contractor and through a supply-chain attack, which points to a high degree of sophistication.
– The threat actor uses various tools like Metasploit, Mimikatz, ProcDump, SMBExec, Spark RAT for executing commands, and Linux privilege escalation exploits.
– GoRed is a full-featured backdoor that lets operators execute commands, obtain credentials, and harvest details of running processes, network interfaces, and file systems. It also supports background commands that watch for files of interest and passwords, and it can open a reverse shell. Collected data is exfiltrated to attacker-controlled infrastructure.
The researchers also note that ExCobalt remains highly active and determined in attacking Russian companies, continually adding new tools to its arsenal and refining its techniques.