Focus Mode
Threat Research

How a Backdoor for Linux Infiltrated Government Infrastructures

Securonix

Summary:

In Spring 2023, an IT company in Russia discovered a user hash dump from a domain controller, executed using the “impacket-secretsdump” tool. This led to the involvement of the Solar 4RAYS team, which uncovered a unique malware called GoblinRAT, used in stealthy attacks against various organizations over two years. GoblinRAT is designed to conceal its presence and employs various techniques for persistence and communication with command and control servers.

Keypoints:

  • Discovery of user hash dump from a domain controller using “impacket-secretsdump”.
  • Involvement of Solar 4RAYS for investigation due to suspicious activities.
  • Identification of GoblinRAT malware, notable for its stealthy operations over two years.
  • GoblinRAT targets organizations providing services to government entities.
  • Utilizes compromised legitimate websites and DDNS for command and control communication.
  • Employs unique naming conventions for tasks and files on infected hosts to evade detection.
  • Persistence methods include mimicking legitimate services and modifying process names.
  • Utilizes various tools like “shred” for log deletion and “scp” and “curl” for data exfiltration.
  • Stealth techniques include running in memory and using obfuscated libraries.
  • Active monitoring and analysis of the malware’s evolution since 2020.

MITRE Techniques

  • Credential Dumping (T1003): Utilizes “impacket-secretsdump” to obtain user hashes from domain controllers.
  • Command and Control (T1071): Uses compromised legitimate websites and DDNS for maintaining communication.
  • Process Injection (T1055): Modifies process names to mimic legitimate services for stealth.
  • Data Exfiltration (T1041): Employs “scp” and “curl” for exfiltrating data from compromised hosts.
  • Obfuscated Files or Information (T1027): Uses obfuscated libraries and techniques to hide its presence.

IoC:

  • Domain: qfilling.instanthq.com
  • IP Address: 37.120.247.182
  • Hash:
    • MD5: 3f9b1b506dfab7a5cc32004a45ed780d
    • SHA1: 2167f0a1b7f8a3358c416d59124333ce70c2a137
    • SHA256: b074749f160453053989277e2eee3d1f31d618c0813f6379415a4727ed856806

Full Research: https://rt-solar.ru/solar-4rays/blog/4861/

Tags: DISCOVERY, EXFILTRATION, BACKDOOR, RUSSIA, TOOL, PERSISTENCE, GOVERNMENT, CREDENTIAL