© 2025 NEWSLINKER - Powered by LK SOFTWARE

Hackers Master New Tunneling Technique to Evade Detection

Highlights

  • ExCobalt uses GoRed for covert C2 communication.

  • GoRed employs DNS and ICMP tunneling techniques.

  • Advanced security measures are crucial to counter these threats.

Samantha Reed
Last updated: 21 June, 2024 - 12:16 pm

Recent research by Positive Technologies has revealed that ExCobalt, a cyber espionage group, has been using a sophisticated tool called GoRed to maintain persistent and covert communication with its command and control (C2) servers. The technique tunnels C2 traffic over DNS and ICMP, protocols that network security controls often let through without close inspection. The discovery highlights an evolving threat landscape in which adversaries continuously innovate to exploit vulnerabilities and retain unauthorized access.

Contents

  • GoRed’s Advanced Tunneling Capabilities
  • Incident Investigations and Variants

GoRed’s Advanced Tunneling Capabilities

ExCobalt, linked to the notorious Cobalt group known for targeting financial institutions, has adopted GoRed, a Go-based backdoor. Positive Technologies’ ESC CSIRT team identified the tool during an incident response for one of its clients. GoRed tunnels traffic over DNS and ICMP to build hidden channels for exfiltrating data and receiving commands from C2 servers. This approach both helps the backdoor maintain persistence and lets it evade detection by conventional security systems.

Incident Investigations and Variants

The investigation into a compromised Linux host in March 2024 led to the identification of GoRed as a UPX-packed binary named scrond. Multiple variants of the backdoor have been encountered, particularly during incident responses in July and October 2023. Alongside GoRed, other tools such as Mimikatz, ProcDump, SMBExec, and Metasploit were also found, indicating a complex, multi-faceted attack strategy by ExCobalt. Together these tools enhance the group’s capability to harvest credentials, collect data, and perform reconnaissance on victim networks.

GoRed communicates with its C2 servers, including the domains leo.rpm-bin.link and sula.rpm-bin.link, over an RPC protocol that uses custom CBOR serialization and AES-256-GCM encryption. The backdoor maintains persistence by creating specific environment variables and continuously running background commands. Its modular structure allows it to adapt and evolve, adding new features for improved data collection and stealth.

ExCobalt’s strategy of using GoRed, a Go-based backdoor, marks a significant development in their cyber-espionage tactics. The use of DNS and ICMP tunneling helps them establish secure and concealed communication channels, making it challenging for security teams to detect and mitigate their presence. The continued enhancement of GoRed indicates that ExCobalt is actively investing in refining their tactics, techniques, and procedures (TTPs) to stay ahead of defensive measures.

Compared with earlier reporting, this discovery shows that ExCobalt has been consistently upgrading its toolset to exploit new vulnerabilities and avoid detection. The use of DNS and ICMP tunneling reflects a broader trend among cyber adversaries toward less monitored, often overlooked protocols for their malicious activity. The identification of GoRed underscores the need for continuous vigilance and adaptation in cybersecurity practices to counter such sophisticated threats effectively.

Historically, ExCobalt, and its predecessor Cobalt, have been known for their targeted attacks on financial institutions and other high-value targets. The transition from earlier tools to GoRed demonstrates a strategic shift towards more covert and resilient methods of operation. This evolution underscores the importance of proactive threat hunting and advanced security measures to detect and neutralize emerging threats before they can cause significant damage.

Cybersecurity professionals must prioritize monitoring and securing less conventional communication protocols like DNS and ICMP. Implementing robust detection mechanisms, conducting regular threat assessments, and staying updated with the latest threat intelligence are crucial steps in mitigating the risks posed by advanced threat actors like ExCobalt. Understanding the behaviors and techniques used by such groups can help in developing more effective defensive strategies to protect critical assets and infrastructure.
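A defender-side illustration of the DNS monitoring recommended above, added here and not code from Positive Technologies or the GoRed report: a heuristic scan of DNS query logs for the traffic shape that tunneling produces (many queries from one client to one domain whose subdomain labels are long and random-looking). The C2 domains are the ones named in the article; the client addresses, timestamps and subdomain labels are constructed sample data.

```python
"""Heuristic DNS-tunneling detector over constructed query-log lines.

Added example, not code from the GoRed report. Flags clients whose
queries to a single registrable domain carry long, high-entropy labels
in bulk: encoded payloads in subdomains look like this, normal
hostnames rarely do.
"""
import math
from collections import defaultdict

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype>" per line.
# The rpm-bin.link domains are from the article; everything else is invented.
SAMPLE_LOG = """\
1718950000 10.0.0.5 www.example.com A
1718950001 10.0.0.7 ke3w9x1r5q8zy2bv7t4m0d.leo.rpm-bin.link TXT
1718950002 10.0.0.7 a9d2kq1zp7m3vx8r5yw6tu.leo.rpm-bin.link TXT
1718950003 10.0.0.7 zq8v2k5y1wm7x4rd9t3pa0.leo.rpm-bin.link TXT
1718950004 10.0.0.7 m4r7t1k9wq2zx5vd8yp3ba.leo.rpm-bin.link TXT
1718950005 10.0.0.5 mail.example.com MX
1718950006 10.0.0.9 cdn.example.org A
1718950007 10.0.0.7 b5x2v8k1zq9wm4rt7yd0pc.sula.rpm-bin.link TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking base32/hex labels score well above 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parent_domain(qname: str, levels: int = 2) -> str:
    """Registrable-domain approximation: the last `levels` labels.
    A public-suffix list would be needed for names like example.co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def detect_dns_tunneling(log_text, min_queries=3, min_label_len=20, min_entropy=3.5):
    """Return {(client, parent_domain): count} for pairs whose suspicious
    query count reaches min_queries. A query is suspicious when any label
    below the registrable domain is both long and high-entropy."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        labels = qname.rstrip(".").split(".")
        payload_labels = labels[:-2]  # everything left of the registrable domain
        if any(len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy
               for lab in payload_labels):
            suspicious[(client, parent_domain(qname))] += 1
    return {k: v for k, v in suspicious.items() if v >= min_queries}

if __name__ == "__main__":
    for (client, domain), n in detect_dns_tunneling(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {domain}: {n} tunnel-like queries")
```

Thresholds are starting points to tune against a baseline of the network's own DNS traffic; CDN and anti-virus lookups can legitimately produce long labels and need allow-listing.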
