ExCobalt: GoRed, the hidden-tunnel technique

Introduction

While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.

ExCobalt focuses on cyberespionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt gang. Cobalt attacked financial institutions to steal funds. One of Cobalt’s hallmarks was the use of the CobInt tool, something ExCobalt began to use in 2022.

Over the past year, the PT ESC has recorded attacks linked to ExCobalt and investigated related incidents at Russian organizations in the following sectors:

  • Metallurgy
  • Telecommunications
  • Mining
  • Information technology
  • Government
  • Software development

This article discusses ExCobalt’s new tool, GoRed, how it evolved, and some of the tactics, techniques, and procedures that the group has used in its attacks.

The investigation begins

While investigating an incident recorded in March 2024 on one of our client’s Linux hosts, we discovered a file named scrond, compressed with UPX (Ultimate Packer for eXecutables).

The data in an unpacked sample, written in Go, included package paths containing the substring “red.team/go-red/”. This suggests that the sample is a proprietary tool named GoRed, allegedly by a certain Red Team.

Looking into the site, we were unable to find any meaningful connections or malicious activity. The site resembles a typical online business card, no longer actively used by its creators. All the information dates back to 2019, and the design is typical of many similar sites.

The red.team website
Figure 1. The red.team website

As for the GoRed backdoor, the following key features can be identified:

  • Operators can connect to the backdoor and execute commands, similar to other C2 frameworks like Cobalt Strike or Sliver.
  • GoRed uses the RPC protocol to communicate with its C2 server.
  • Operators use DNS/ICMP tunneling, WSS, and QUIC to communicate with GoRed.
  • GoRed can obtain credentials from compromised systems.
  • It collects various types of information from compromised systems: details of active processes, host names, lists of network interfaces, file system structures, and so on.
  • Operators use a variety of commands to conduct reconnaissance on the victim’s network.
  • GoRed serializes, encrypts, archives, and sends data it collects to a special server dedicated to storing compromised data.

For a complete technical description of GoRed, see the further section “GoRed analysis”.

First version of GoRed and other malicious tools we found

As we analyzed GoRed, we found that we had already come across several versions of the backdoor while responding to incidents at several of our clients earlier. For example, in July 2023, as we were investigating an incident at a certain company, we discovered several different tools inside the attackers’ directories due to an error they had made, one of tools being the original version of GoRed.

Similarly, in an October 2023 incident, we found further tools inside public directories on the attackers’ network. A short name and description of each tool we found during the investigations are presented in the table below.

2586 CVE-2022-2586: a Linux kernel vulnerability associated with pointer abuse in the io_uring function. This was used by the threat actor to escalate privileges and execute arbitrary code in the vulnerable system
3156.zip CVE-2021-3156: a sudo vulnerability known as Baron Samedit. This allows a local user to execute arbitrary code with root privileges, bypassing standard security controls
4034 Pwnkit is a local privilege escalation exploit for CVE-2021-4034. This is a vulnerability in the pkexec utility. It allows local users to escalate their privileges to root, which can lead to complete compromise of the system
traceme Local privilege escalation exploit for CVE-2019-13272. This is a vulnerability in the Linux kernel, in the ptrace component. It allows users with CAP_SYS_PTRACE privileges to escalate their privileges to root to execute arbitrary code in the system
bitrix.zip This is an archive with vote_agent.php and html_editor_action.php files, containing RCE exploits for Bitrix. It was distributed via Telegram channels in June 2022, and also mentioned in connection with the May 2023 mass defacement of Russian websites (https://habr.com/ru/companies/ruvds/articles/739898/)
col First version of the GoRed backdoor: 0.0.1
fs fscan (https://github.com/shadow1ng/fscan/)
get_wp-commentin.txt Obfuscated PHP file
run FreeBSD file. Runs the specified executable file as root, same as the command sudo exec specified file>
set FreeBSD file. Sets root as file owner and grants rwx (read, write, execute) permissions to it, same as the commands chown file> 0; chmof file> 777
install Installs a malicious module for Apache 2.4
install[drop] Contains a dropper with a UPX-compressed binary file that is written to /usr/local/games/w. The file’s privileges are then changed: chown root:root; chmod 4755
install[drop][upx] /usr/local/games/w Tries to run the following command as root:
(setuid(0); setgid(0); /bin/sh -c…))
k Contains the following set of basic network utilities and replaces the process name with [kthr]:
curl Stripped down version of curl
socksd Proxy (socks4/5 with user+pass support)
shell Bind shell
host Resolves a host’s name via the 8.8.8.8 DNS server
hash MD5/SHA-1/SHA-256
gz Inflate/deflate functionality
netcat
kit Shell script to install kitsune. The MEGATSUNE variable was used instead of KITSUNE. amd64.rpm-bin.link and pkg.dpkg-source.info were used as the C2s
lock.zip Part of the locker wiper ransomware repository with a read.me file in Russian inside
locker Locker from lock.zip without the configuration files
m Mettle (https://github.com/rapid7/mettle)
rev Bind shell, shares code with shell from k, renames process to [kr]
sf Binary for BSD
spark Spark RAT
w.txt PHP web shell: WSO
(https://github.com/ndbrain/WSO)
wef Variant of reverse SSH client (https://github.com/NHAS/reverse_ssh)
y.txt PHP shell: p0wny-shell
knife/k We found this file several months after the above-mentioned k, also in a public directory but in a different domain. It was also named k, and the functionality is similar, which suggests that this is simply the next version. This is a tool to control a compromised Linux server. It has extensive functionality; commands to execute are specified in the command line:
sync No handler. Causes segfault if run
curl url> Loads content from specified URL
socksd Starts a SOCKS server
netcat No handler. Causes segfault if run
host host> Tries to resolve the host’s name via the 8.8.8.8:53 DNS server
hash filename> Calculates the file’s hash (MD5, SHA-1, SHA-256 are available)
gz filename> Compresses the file
shell options> IP address:port> Remote shell. The command can be run with the following possible options: -l (listen to the specified address) or -c (connect to the specified address)

In addition to the tools obtained from the threat actors’ server directories, ExCobalt used the following tools:

  • Mimikatz
  • ProcDump
  • SMBExec
  • Metasploit
  • rsocx

Modified versions of standard utilities

Besides the above tools found in public directories, we came across modified versions of standard Linux utilities in several incidents, something we first saw in November 2023.

The modification of utilities serves two purposes:

1. Modified ps and htop hide an active core process of the gsocket module and related processes in terminal output.

Let’s take ps as an example.

The simple_readproc function was modified.

The original code looks as follows:

Original ps code
Figure 2. Original ps code

The following code was added:

Code added to ps
Figure 3. Code added to ps

The is_target_proc function checks for every process whether its name is equal to any of the hardcoded names of malicious processes:

The check inside is_target_proc
Figure 4. The check inside is_target_proc

If the check returns true, the process will be hidden in the terminal output. Here’s the list of the names of malicious processes hidden this way:

Names of malicious processes
Figure 5. Names of malicious processes

2. Modified ss and netstat hide the active network connection of the core module of gsocket in terminal output.

Let’s take netstat as an example.

The first code modification was made in the main function.

The original code looks as follows:

Original code of the main function of netstat
Figure 6. Original code of the main function of netstat

First, code was added to copy all C2s from the data section to a global structure:

Copying the C2s to a global structure
Figure 7. Copying the C2s to a global structure

Second modification was in the tcp_do_one function, starting here:

Original code of the tcp_do_one function of netstat
Figure 8. Original code of the tcp_do_one function of netstat

Checks for the name of the malicious process and malicious connection were added to the code. If the check returns true, the process with one of the hardcoded names or network connections will be hidden:

Checking for the name of the malicious process and malicious connection
Figure 9. Checking for the name of the malicious process and malicious connection

Relation to ExCobalt

In November 2023, we discussed ExCobalt’s attacks on Russian companies.

In that report, we mentioned the domain lib.rpm-bin.link, where upon directory enumeration we found many of the tools described above—including col, the first version of GoRed.

Also, in a March 2024 incident, we observed infected hosts that contacted the threat actor’s servers: get.rpm-bin.link and leo.rpm-bin.link. Additionally, GoRed used a static_TransportConfig structure with the following C2s:

  • leo.rpm-bin.link
  • sula.rpm-bin.link
  • lib.rest
  • rosm.pro

In May 2023, Bi.Zone researchers released an analysis of attacks by Sneaking Leprechaun, whose tools showed some overlap with the above-mentioned files found inside the public directories.

Furthermore, our colleagues at Rostelecom-Solar in May 2024 released a report on the Shedding Zmiy activity cluster, which also correlated with ExCobalt. Case 7 in this report described the same attack and a GoRed stealer sample with a C2 at pkg.collect.net.in. This sample was designated as Bulldog Backdoor in the report.

GoRed analysis

Before we proceed to analyzing the current version of GoRed, we will provide a retrospective analysis of its evolution.

Versions we found

All the versions we found are shown in the table below.

Version Description
0.0.1
  • Assumed to be the first one.
  • Collects information about the victim.
  • Source obfuscated with garble.
0.0.9
  • Debug build: GoRed activity logging enabled.
  • Built-in configuration expanded.
  • Collects information about the victim.
  • Source obfuscated with garble.
0.0.9
  • Built-in configuration expanded.
  • Collects information about the victim.
  • Source obfuscated with garble.
0.0.13
  • Removed garble obfuscation.
  • Added control flow based on a command line interface.
  • Added reverse shell functionality via the WSS and DNS protocols.
  • Collects only processes.
  • Added a configuration structure absent in previous versions.
0.0.23-10-g4528ef3
  • Added collection of network interfaces.
  • Added beacon mode (gecko command).
  • Added protocols for an operator to connect via DNS, ICMP, QUIC, WSS.
  • Added CBOR codec for RPC support.
  • Added proxy mode.
  • Implemented updating functionality.
  • Added file system monitoring (birdwatch command).
  • Added ICMP tunneling.
0.1.3-4-g68c293d This version is mentioned only in the Solar report; we have not come across it.
0.1.3-62-g4843e53
  • Expanded victim data collection feature (collector command).
  • Added transport configuration.
0.1.4 No changes found from previous version.

This article examines the current version, 0.1.4.

Internal packages

First, we will describe the structure of the internal packages and their purpose to give you an understanding of GoRed functionality. In the backdoor’s data, we have found the following package paths containing the substring “red.team/go-red/”:

Package Purpose
red.team/go-red/config/ Retrieval of the internal and transport configurations
red.team/go-red/bb/ Processing of an operator’s commands
red.team/go-red/birdwatch/ Monitoring of the file system
red.team/go-red/gecko/ Protocol for communication between GoRed and its C2
red.team/go-red/backend/ Connecting to a data exfiltration server
red.team/go-red/collector/ Collecting system information
red.team/go-red/util/ Various auxiliary utilities
red.team/go-red/packer/ Data packing
red.team/go-red/proxy/ Proxy mode operation
red.team/go-red/revshell/ Reverse shell mode operation
red.team/go-red/dns/ DNS tunneling implementation
red.team/go-red/icmptunnel/ ICMP tunneling implementation

Let’s now proceed to analysis proper. Here’s a simplified diagram of the control flow to give you an understanding of how it works.

Diagram of the control flow
Figure 10. Diagram of the control flow

1. Start of execution

The control flow relies on the command line interface (CLI). However, before passing control to the CLI, the backdoor initializes a number of commands, which are described below.

  • service command
  • gecko subcommand
Initializing the command and subcommand
Figure 11. Initializing the command and subcommand

The service command, intended for gaining persistence in the system, is initialized first. The GoRed CLI command structure looks as follows:

    
struct cli_Command { string Name; _slice_string Aliases; string Usage; string UsageText; string Description; string ArgsUsage; string Category; PTR_cli_BashCompleteFunc BashComplete; PTR_cli_BeforeFunc Before; PTR_cli_AfterFunc After; PTR_cli_ActionFunc Action; PTR_cli_OnUsageErrorFunc OnUsageError; _slice__ptr_cli_Command Subcommands; _slice_cli_Flag Flags; cli_FlagCategories flagCategories; bool SkipFlagParsing; bool HideHelp; bool HideHelpCommand; bool Hidden; bool UseShortOptionHandling; string HelpName; _slice_string commandNamePath; string CustomHelpTemplate; cli_CommandCategories categories; bool isRoot; cli_separatorSpec separator; };

In terms of command identification, the most helpful fields in this structure are the following:

  • Name: command name
  • Usage: command description
  • Action: function called when the command is executed
  • Subcommands: subcommands for the current command

Next, the structure of the CLI itself is initialized into the variable app.

Initializing the app structure for the CLI
Figure 12. Initializing the app structure for the CLI

The app structure looks as follows:

    
struct cli_App { string Name; string HelpName; string Usage; string UsageText; string ArgsUsage; string Version; string Description; string DefaultCommand; _slice__ptr_cli_Command Commands; _slice_cli_Flag Flags; bool EnableBashCompletion; bool HideHelp; bool HideHelpCommand; bool HideVersion; cli_CommandCategories categories; cli_FlagCategories flagCategories; PTR_cli_BashCompleteFunc BashComplete; PTR_cli_BeforeFunc Before; PTR_cli_AfterFunc After; PTR_cli_ActionFunc Action; PTR_cli_CommandNotFoundFunc CommandNotFound; PTR_cli_OnUsageErrorFunc OnUsageError; PTR_cli_InvalidFlagAccessFunc InvalidFlagAccessHandler; time_Time Compiled; _slice__ptr_cli_Author Authors; string Copyright; io_Reader Reader; io_Writer Writer; io_Writer ErrWriter; PTR_cli_ExitErrHandlerFunc ExitErrHandler; map_string_interface_ Metadata; PTR_func_map_string_string ExtraInfo; string CustomAppHelpTemplate; string SliceFlagSeparator; bool DisableSliceFlagSeparator; bool UseShortOptionHandling; bool Suggest; bool AllowExtFlags; bool SkipFlagParsing; bool didSetup; cli_separatorSpec separator; _ptr_cli_Command rootCommand; };

Here, too, the most informative fields for identifying commands are as follows:

  • Name: current command name
  • Action: function called
  • Commands: subcommands for the current command

The Commands field for the app structure is also initialized.

Initializing the CLI context structure
Figure 13. Initializing the CLI context structure

Next, the Logging field is retrieved from the embedded_Config structure described in the section below. After this, the control flow moves to the CLI.

Transferring control to the CLI
Figure 14. Transferring control to the CLI

2. Gaining persistence in the system

The first command to be executed is service. It achieves persistence in the system. It can be executed with the following options:

Option Purpose
no-service Simply proceeds to executing CLI commands
uninstall Removes the service
restart Restarts the service

If there are no options from the table above, it gains persistence as a service with the name it received as an argument. To maintain presence in the compromised system, it creates environment variables whose names begin with “BB”, for example:

  • BB_WS
  • BB_QUIC
  • BB_ICMP
  • BB_DNS
  • BB_START_DELAY

3. Initializing beacon mode

The control flow is then transferred to the gecko command. This command is the entry point for GoRed to run in beacon mode.

Execution options for the gecko command
Figure 15. Execution options for the gecko command

It can be executed with the following options:

Option Purpose
wss Use the corresponding protocol for communication between the operator and GoRed
quic
icmp
dns
background Run the command in the background
start-delay Add delay in communications with the C2

Depending on the protocol received as an option, the command fetches the C2 from the transport configuration whose structure is described in the section below. It then begins initializing the beacon functionality.

Initializing the beacon functionality
Figure 16. Initializing the beacon functionality

To identify the victim, the malware first generates an ID, which is an MD5 hash of the computer’s MAC addresses and name, similarly to the case described in our Hellhounds: Operation Lahat article. The resulting hash sum is added to a field in the client structure, which stores all data required for communication with the C2.

Obtaining a victim ID
Figure 17. Obtaining a victim ID

4. Establishing an initial connection

After GoRed is initialized, it needs to connect to its C2. The number of connection attempts is defined in the backoff package.

Setting the number of C2 connection attempts
Figure 18. Setting the number of C2 connection attempts

The execution flow calls the function that registers the beacon functionality, after which the CLI commands are initialized.

Starting beacon functionality
Figure 19. Starting beacon functionality

Registration uses the RPC protocol. Data in the model_Beacon structure is sent to the server, and data in the model_Auth structure is used for authentication with the server.

    
struct model_RegisterBeaconRequest { model_Beacon Beacon; model_Auth Auth; }; struct model_Beacon { string ID; string Hostname; string ClientIPs; _slice_string Tags; string OS; string Username; }; struct model_Auth { string Token; uuid_UUID ClientID; string Transport; };

The fields in these structures have the following purposes:

Field Purpose
Beacon The structure containing victim information
Field Purpose
ID Victim’s ID
Hostname Victim’s hostname
ClientIPs Victim’s IP addresses
Tags Victim’s tag
OS Victim’s operating system
Username Victim’s username
Auth The structure containing authentication data
Field Purpose
Token Authentication token
ClientID Client ID
Transport Protocol being used

After registering, GoRed runs the birdwatch command to monitor the file system.

Running birdwatch in the background
Figure 20. Running birdwatch in the background

The execution flow then sets a GoRed beacon mode heartbeat period (for signaling to C2).

Setting a heartbeat period
Figure 21. Setting a heartbeat period

The execution flow then runs a command to monitor the password file stored in /etc/shadow/.

Running creds-watcher in the background
Figure 22. Running creds-watcher in the background

Finally, the execution flow initializes all available commands and goes into heartbeat mode.

Entering heartbeat mode
Figure 23. Entering heartbeat mode

5. Entering listen and execute mode

At the final stage of initialization, GoRed starts listening for the operator’s commands that it previously initialized. It can execute both system and built-in commands. Commands can be set to run in the background.

Function to set a command to run in the background
Figure 24. Function to set a command to run in the background

6. Communications in beacon mode

GoRed uses the RPC protocol to communicate with its C2 in beacon mode.

RPC functionality
Figure 25. RPC functionality

It registers a custom codec to communicate via RPC.

Custom RPC codec functionality
Figure 26. Custom RPC codec functionality

The registered codec serializes data with CBOR and encrypts with AES-256-GCM (Secret field in embedded_Config) when sending, and does the reverse when receiving.

Function that transforms data for exfiltration
Figure 27. Function that transforms data for exfiltration

Configurations

GoRed contains two configuration blocks: built-in and transport.

Built-in configuration

This is the configuration of GoRed itself. It is encoded in Base64 and serialized with msgpack.

Built-in configuration
Figure 28. Built-in configuration

For versions 0.0.23-10-g4528ef3 through 0.1.4, the structure of the built-in configuration is as follows:

    
struct embedded_Config { string Logging; string Token; uuid_UUID UserID; uuid_UUID ClientID; string ClientKey; string Version; _slice_string Tags; _slice_string Args; string Secret; _ptr_url_URL BackendAddress; _ptr_url_URL ProxyAddress; };

The purposes of the built-in configuration fields are as follows:

Field Purpose
Logging Logging and log format:

  • No logging
  • To a .log file in a temporary directory
  • Directly to the operator’s console
Token Generated JWT for RPC
UserID UUID for the payload field in the JWT (when using RPC)
ClientID Unique identifier for the exfiltrated data of the victim
ClientKey HS256 key needed to generate the JWT when exfiltrating data
Version GoRed version
Tags Victim’s tag
Args GoRed arguments
Secret AES-256-GCM key for encrypting or decrypting the data transmitted or received via RPC
BackendAddress Address of a dedicated server for data exfiltration
ProxyAddress List of proxy addresses for data exfiltration

Configuration structure for versions 0.0.9 through 0.0.13.

    
struct embedded_Config { bool Debug; string Token; uuid_UUID ClientID; string ClientKey; string Version; _slice_string Tags; string Secret; string BasicAuthLogin; string BasicAuthPass; _ptr_url_URL BackendAddress; _ptr_url_URL ProxyAddress; };

The fields in this version of the built-in configuration have the following purposes:

Field Purpose
Debug Logging and log format:

  • No logging
  • To a .log file in a temporary directory
  • Directly to the operator’s console
BasicAuthLogin Login for authentication when using the curl command
BasicAuthPass Password for authentication when using the curl command

Built-in configuration for version 0.0.1.

    
struct embedded_Config { bool Debug; uuid_UUID ClientID; string ClientKey; string Version; _ptr_url_URL BackendAddress; };

Golang script for getting built-in configuration fields:

    
package main import ( "encoding/base64" "fmt" "net/url" "github.com/google/uuid" "github.com/vmihailenco/msgpack/v5" ) type embedded_Config struct { Logging string Token string UserID uuid.UUID ClientID uuid.UUID ClientKey string Version string Tags []string Args []string Secret string BackendAddress* url.URL ProxyAddress* url.URL } const config = `...` func main() { var item map[string]any data, _ : = base64.StdEncoding.DecodeString(config) err : = msgpack.Unmarshal(data, &item) if err != nil{ panic(err) } fmt.Print("Logging: ") fmt.Println(item["Logging"]) fmt.Print("Token: ") fmt.Println(item["Token"]) fmt.Print("UserID: ") fmt.Println(uuid.UUID(item["UserID"].([]byte))) fmt.Print("ClientID: ") fmt.Println(uuid.UUID(item["ClientID"].([]byte))) fmt.Print("ClientKey: ") fmt.Println(item["ClientKey"]) fmt.Print("Version: ") fmt.Println(item["Version"]) fmt.Print("Tags: ") fmt.Println(item["Tags"]) fmt.Print("Args: ") fmt.Println(item["Args"]) fmt.Print("Secret: ") fmt.Println(item["Secret"]) fmt.Print("BackendAddress: ") fmt.Println(string(item["BackendAddress"].([]byte))) fmt.Print("ProxyAddress: ") fmt.Println(item["ProxyAddress"]) }

Python script for getting built-in configuration fields:

    
import msgpack import base64 s = base64.b64decode('...') config = msgpack.unpackb(s, raw = False) print(config)

Transport configuration

The transport configuration looks as follows:

Transport configuration
Figure 29. Transport configuration

It has the following structure:

    
struct static_TransportConfig { static_Transport Revsh; static_Transport RPC; static_Transport Proxy; }; struct static_Transport { _ptr_static_Address WS; _ptr_static_Address QUIC; _ptr_static_Address ICMP; _ptr_static_Address DNS; _ptr_static_Address TCP; }; struct static_Address { string Domain; string BackupIP; signed __int64 Port; string Proto; };

The fields of the static_TransportConfig structure have the following purposes:

Field Purpose
Revsh Reverse shell connection addresses for an operator
RPC Addresses for GoRed beacon mode RPC heartbeats
Proxy Addresses for running GoRed in proxy mode

The fields of the static_Address structure have the following purposes:

Field Purpose
Domain Domain to connect to
BackupIP IP to connect to if the domain cannot be resolved
Port Connection port
Proto Connection protocol

Communication protocols

GoRed has several protocols for communicating with the operator.

Protocol Implementation
ws Implements WebSocket connection
quic Implements QUIC connection
icmp Implements ICMP tunneling
dns Implements DNS tunneling

DNS

DNS tunneling in GoRed can use Base64 or Base32. This option is selected during compilation.

Using Base32 for traffic tunneling
Figure 30. Using Base32 for traffic tunneling

An example of a domain used in an attack is 8E1A4QB4OGA66RPJCHL72DJGCKRMIOR8CDN3EDJBDOOAEQ3FEDQ5UQB4OGA66RP.JCHL6EDJGCKRMIOR8CDN3EDJBDLJG.rosm[.]pro.

Background commands

Background commands run continuously; some of them can be added to the background or removed, depending on the conditions in the table below.

Command Description
birdwatch Watches for new files inside directories. Runs in the background by default.

  • list: subcommand to print a list of paths monitored for new files.
  • unwatch: subcommand to stop monitoring paths for new files.
creds-watcher Watches for passwords. Runs in the background by default.
revsh-host Enables reverse shell mode. Runs in the background upon execution.

  • Sets WebSocket as the communication protocol between the operator and GoRed.
  • Sets QUIC as the communication protocol between the operator and GoRed.
  • Sets ICMP as the communication protocol between the operator and GoRed.
  • Sets DNS as the communication protocol between the operator and GoRed.
rev-proxy Enables reverse proxy mode via SOCKS5. Runs in the background upon execution.
rev-fwd Enables reverse port forwarding mode. Runs in the background upon execution.

Connecting in rev-proxy and rev-fwd mode

Before starting to act as a server, GoRed needs to initialize an embedded X.509 certificate, similarly to the case described in our Hellhounds: Operation Lahat. Part 2 article.

Retrieving the certificate and host information
Figure 31. Retrieving the certificate and host information

The backdoor also needs to collect information about the victim’s host by executing the CollectHostInfo function shown above. This produces the structure presented below, except for the Addr field.

    
struct proto_HostInfo { string Addr; string OS; string Username; string Hostname; _slice_string IPs; };

The fields in the structure have the following purposes:

Field Purpose
Addr Address to connect to, passed to the command as a parameter
OS Victim’s operating system
Username Victim’s username
Hostname Victim’s hostname
IPs Victim’s IP addresses

A structure to identify GoRed as a server is initialized as follows:

Initializing the structure
Figure 32. Initializing the structure

The initialized structure looks as follows:

    
struct proto_BinInfo { uuid_UUID ClientID; string Token; _slice_string Tags; };

The fields in the structure have the following purposes:

Field Purpose
ClientID Identifies the victim
Token Generated JWT for RPC
Tags Victim’s tag

Having received the proto_HostInfo and proto_BinInfo structures, GoRed uses their fields in a handshake message that it sends to the C2 at the address it gets from the transport configuration. The handshake message structure looks as follows:

    
struct proto_MsgGreeting { proto_ConnectionMode Mode; string MachineID; proto_BinInfo BinInfo; _ptr_proto_HostInfo HostInfo; };

The fields in the structure have the following purposes:

Field Purpose
Mode The following modes are supported:

  • 2: rev-proxy mode
  • 3: rev-fwd mode
MachineID Victim’s computer ID
BinInfo Structure containing the GoRed configuration information
HostInfo Structure containing victim information

The handshake sequence used to register GoRed as a server looks as follows:

Communications with the C2
Figure 33. Communications with the C2

In response to the handshake message, the server sends a message with the following structure:

    
struct proto_MsgGreetingResponse { string Greeting; _ptr_proto_BinInfo BinInfo; _ptr_proto_HostInfo HostInfo; };

If the Greeting field contains the string “welcome”, the connection is considered successful, and GoRed starts running in server mode; if not, the connection cannot be established.

Issued commands

The operator uses the following commands to communicate with GoRed:

Command Description
upload Exfiltrates files. Takes a file path as the argument
download Downloads files onto the infected computer. Takes a file path as the argument
bg-list Displays a list of internal background commands
bg-stop Cancels an internal background command. Takes a command ID as an argument. Can be used to stop all background commands
stealth Automatically sets the heartbeat frequency within a larger range for greater stealth.

  • on: subcommand that enables this mode with the time range 0×9D29229E000—0×105EF39B2000
  • off: subcommand that disables this mode with the time range 0×12A05F200—0×45D964B800
emit-period Gets or sets a heartbeat frequency manually
conn-providers Gets the communication protocols available in the current version of GoRed
info Gets victim information:

  • UserID
  • Logging
  • Tags
  • Version
  • Time
collect Collects and exfiltrates system information. See the section below for more details
bb-update Updates GoRed. Sends a GET request to the URL passed as the argument and restarts GoRed with the restart argument
bb-ps Gets the status of the process passed as the argument
bb-cat Reads the file passed as the argument
bb-find Searches for files passed as the argument
bb-ls Displays the contents of the directory passed as the argument
bb-mkdir Creates the directory passed as the argument
bb-pwd Returns the full path of the current directory
bb-rm Deletes the file passed as the argument
bb-wc Collects information about the file passed as the argument:

  • Number of words
  • Number of lines
  • Number of characters
  • Number of bytes
bb-nmap Scans the network. Takes a host IP as the argument
bb-ping Pings an external host. Takes an IP as the argument
bb-wget Gets files via HTTP. Takes two arguments: the source URL and the output filename specified after the —output option
bb-curl Similar to curl, but with limited functionality

collect

Since this command collects system information and data for subsequent exfiltration, we decided to describe it in more detail:

Option Purpose
local-archive Selects a compression algorithm: tar or gzip
skip-trees Skips collecting file system structure information
skip-files Skips collecting files
exec-timeout Sets a time period for collecting files

Collected information

An example of the code used to collect information is shown below.

Example of the code used to collect information
Figure 34. Example of the code used to collect information

A complete list of collected information is provided in the table below.

File Contents
processes.json List of processes
envvars.json List of environment variables
host.json Information about the processor, RAM, installed OS, user name, group name
network_interfaces.json List of network interfaces
netstats.json List of active network connections
*.txt Files that will be collected depending on the values of the fields in the model_CollectionConfig structure
hardware.json Hardware information
trees.json File system structure

Exfiltration

Before the data is sent, it is serialized with msgpack and encrypted with AES-256-GCM (Secret field in embedded_Config).

Example of collected data preparation
Figure 35. Example of collected data preparation

Next, after archiving the data, the backdoor sends it with a POST request to a URL generated by appending “/api/collection-result” to the BackendAddress field in embedded_Config.

Data exfiltration
Figure 36. Data exfiltration

It is also possible to update the model_CollectionConfig structure by sending a GET request to a URL generated by appending “/api/config” to the BackendAddress field in embedded_Config.

Configuration update
Figure 37. Configuration update

The model_CollectionConfig structure is a configuration for the collect command and has the following fields:

    
struct model_CollectionConfig { _slice__slice_string Commands; _slice_string Files; _slice_string TreePaths; };

The fields in the structure have the following purposes:

Field Purpose
Commands bb_files_* command
Files Files
TreePaths Paths

Conclusion

ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it’s also actively improving its existing tools, such as the GoRed backdoor.

ExCobalt is apparently aiming for more sophisticated and productive methods of hacking and cyberespionage, seeing how GoRed has been acquiring new capabilities and features. These include expanded functionality for collecting victim data and increased secrecy both inside the infected system and in communications with C2 servers.

In addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities, which help the group to easily bypass security controls and adapt to changes in protection methods. The use of modified utilities is a sign that the members of the group have an in-depth understanding of the weaknesses of companies they attack, while leveraging vulnerabilities helps them to pursue sophisticated attacks on their targets.

Overall, the evolution of ExCobalt and its toolset, including GoRed and the modified utilities, highlights the need for organizations and cybersecurity professionals to continuously improve detection and protection techniques to combat this group as well as other similar cyberthreats.

Source: Original Post