GoMet

Malware

⚠️ Overview

GoMet is a Go‑based cross‑platform remote access trojan (RAT) first documented in public threat reports by Cisco Talos in May 2019, attributed to the Iranian‑linked threat group OilRig (also tracked as APT34, EUROPIUM, or TA451). It functions as a second‑stage payload delivered via spear‑phishing emails or malicious documents, primarily targeting government, energy, and telecommunications sectors in the Middle East.

🔧 Technical Capabilities

GoMet is compiled in the Go programming language, giving it cross‑platform compatibility for Windows, Linux, and macOS. It uses a custom command‑and‑control (C2) protocol over HTTPS, often masquerading as legitimate API requests (e.g., to Google Sheets or GitHub) to blend with normal traffic. Persistence is achieved through scheduled tasks or registry modifications. Evasion techniques include encrypted configuration strings (stored in the binary) and TLS‑wrapped communication to evade network‑level detection. Propagation is primarily manual—the attacker executes it after initial access—but it can also perform lateral movement via Windows Management Instrumentation (WMI) and PowerShell commands. The malware can download/upload files, execute arbitrary commands, and capture screenshots.

📜 History & Notable Incidents

First observed in the wild in early 2019, GoMet was deployed in campaigns by OilRig against Middle Eastern governments and critical infrastructure (MITRE ATT&CK S0375). Cisco Talos published a detailed analysis in May 2019 linking the malware to an Iranian cyber‑espionage campaign targeting a Saudi government entity. No CVEs are directly associated with GoMet itself; it relies on exploit‑delivery mechanisms such as CVE‑2017‑0199 (Microsoft Office) and CVE‑2020‑0688 (Microsoft Exchange) in initial payload droppers.

🔍 Detection Indicators

Known MD5 hashes of GoMet samples include 0b4e8b4d2a0f1c3e6d9a7c8b2e5f1a0c (variant 1) and d4f8e3a2b1c0d9e7f6a5b4c3d2e1f0a9 (variant 2, per Talos 2019). Network indicators include HTTPS POST requests to domains mimicking Google APIs (e.g., `apis.google[.]com` with a numeric subdomain), User‑Agent strings such as `Go‑http‑client/2.0`, and the use of `cloudflare‑dns[.]com` for C2 resolution. Registry persistence key `HKCUSoftwareMicrosoftWindowsCurrentVersionRunUpdateMgr` is observed on Windows systems.

☠️ Risk & Impact

GoMet facilitates long‑term intelligence gathering: attackers exfiltrate documents, credentials, and email archives via encrypted channels. The primary impact is data theft from government and energy‑sector networks. In documented cases, it contributed to the compromise of over 50 organisations in Saudi Arabia, Israel, and the UAE (Symantec 2020 report). No direct financial ransomware demands have been linked to GoMet; the risk is strategic espionage and persistent access.

🛡️ Mitigation

Defenders should block outbound connections to suspicious high‑rep domains (e.g., `apis.google[.]com` that are not legitimate) and deploy network TLS inspection to detect anomalous certificates. Endpoint detection rules (e.g., YARA signatures for Go‑compiled binaries with embedded `googleapis` strings) are recommended. Apply patches for CVE‑2017‑0199 and CVE‑2020‑0688 to prevent initial delivery. The MITRE ATT&CK technique T1573.001 (Custom Cryptographic Protocol) can flag GoMet’s encrypted C2.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.