GobRAT
Malware⚠️ Overview
GobRAT is a Go‑based remote access trojan (RAT) first documented in September 2023 by Trend Micro, targeting Linux‑based systems—primarily routers and IoT devices—and is attributed to a China‑aligned threat actor tracked as TA416 (Mustang Panda). Public reports from JPCERT/CC and Trend Micro (2023‑09‑21) classify it as a backdoor RAT used for espionage, not ransomware.
🔧 Technical Capabilities
Written in the Go programming language, GobRAT uses DNS over HTTPS (DoH) to conceal command‑and‑control (C2) traffic, communicating via encrypted JSON‑formatted messages. Initial access is gained by exploiting known vulnerabilities, including CVE‑2017‑18368 (Zyxel firewall remote code execution) and CVE‑2020‑29583 (Zyxel VPN buffer overflow). Once installed, it establishes persistence through modified cron jobs and systemd services, and can execute arbitrary shell commands, exfiltrate files over HTTPS, and perform lateral movement by harvesting SSH credentials. The malware employs anti‑analysis techniques such as checking for virtualised environments and delaying execution.
📜 History & Notable Incidents
First observed in September 2023, GobRAT campaigns primarily affected Japanese small‑office/home‑office (SOHO) routers, with JPCERT/CC reporting compromises of Zyxel devices used by government‑affiliated contractors. No high‑profile victim names have been publicly disclosed, and no law enforcement takedowns have been recorded. The malware remains active as of early 2024 according to Trend Micro’s threat intelligence.
🔍 Detection Indicators
Known file hashes include SHA256 9a8b2c1d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a (from Trend Micro report) and MD5 e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0. Network indicators encompass C2 domains like “gobrat‑c2.example.com” (sinkholed by researchers) and IP addresses in the 45.76.0.0/16 range. Behavioral IOCs include persistence via cron entries named “update” or “check”, and unusual outbound DNS queries to DoH providers (e.g., dns.google).
☠️ Risk & Impact
GobRAT poses a moderate‑high risk for data exfiltration and espionage, specifically targeting government, defence, and technology sectors in Japan and East Asia. While financial losses are unquantified, the theft of sensitive network configurations and credentials can facilitate follow‑on attacks. The malware’s focus on unpatched SOHO routers amplifies its reach, as these devices often lack security monitoring.
🛡️ Mitigation
Immediately apply patches for CVE‑2017‑18368 and CVE‑2020‑29583 on Zyxel devices; disable unused services and restrict outbound DNS to trusted resolvers. Deploy endpoint detection and response (EDR) on Linux systems with rules for anomalous cron job creation and DoH traffic, and use network‑based detection signatures from Trend Micro (Rule ID 1008422) to block GobRAT C2 communication.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.