
The ExCobalt Cybercrime group attacks Russian organizations from many sectors

Pierluigi Paganini
June 24, 2024

The ExCobalt cybercriminal group attacked Russian organizations across multiple sectors using a previously unknown backdoor known as GoRed.

Researchers at Positive Technologies reported that a cybercrime gang called ExCobalt targeted Russian organizations across multiple sectors using a previously unknown Golang-based backdoor known as GoRed.

Members of the ExCobalt group have been operating since at least 2016. Researchers believe the group is linked to the notorious Cobalt Gang.

Over the past year, ExCobalt has attacked Russian organizations in the following industries:

  • Metallurgy
  • Telecommunication
  • Mining
  • Information technology
  • Government
  • Software development

A characteristic feature of Cobalt was the use of the CobInt tool – the same tool that ExCobalt started using in 2022.

While investigating a security incident that occurred in March 2024 on a Linux host belonging to a client, researchers at Positive Technologies discovered a file called “scrond.” The file was packed with UPX; after unpacking it, the experts found that it contained package paths suggesting that it was likely a proprietary tool called GoRed, associated with red team activity.
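The triage step described above (spotting a UPX-packed file, then reading the Go package paths that only become visible after unpacking) can be scripted for an analyst's first look at a suspicious binary. The following is an added example written for this page, not code from Positive Technologies or from the GoRed sample; the two byte strings it inspects are constructed stand-ins, and the package path names in them (`github.com/exampleorg/gored/...`) are invented placeholders, not paths from the real malware.

```python
import re

# Markers that UPX leaves in packed executables (the magic tag in the UPX
# headers and the info string in the packed file).
UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"

# Go binaries embed the import paths of the packages they were built from,
# e.g. "golang.org/x/net/quic". This pattern matches a dotted host followed
# by one or more path segments; it is a triage heuristic, not a pclntab parser.
GO_PKG_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[A-Za-z0-9_.-]+)+")

# Constructed sample 1: a fake ELF header followed by a UPX marker. The Go
# strings are not visible because, in a real packed file, they are compressed.
PACKED_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + UPX_MAGIC + b"\x0d\x16\x0a" + b"\x00" * 32

# Constructed sample 2: what the analyst sees after unpacking: Go symbol-style
# strings with placeholder package paths (not the real sample's paths).
UNPACKED_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"github.com/exampleorg/gored/internal/c2.(*Client).Run\x00"
    + b"golang.org/x/net/quic\x00"
    + b"runtime.main\x00"  # no dotted host: deliberately not treated as a package path
)


def is_upx_packed(data: bytes) -> bool:
    """Return True if either UPX marker appears anywhere in the file bytes."""
    return UPX_MAGIC in data or UPX_INFO in data


def go_package_paths(data: bytes) -> list:
    """Extract unique Go-style package paths from raw bytes, sorted.

    A symbol such as "host/pkg.(*T).Method" leaves a trailing dot on the
    match, which is stripped so the path compares cleanly.
    """
    found = set()
    for m in GO_PKG_RE.finditer(data):
        path = m.group(0).decode("ascii", "replace").rstrip(".")
        found.add(path)
    return sorted(found)


def triage(data: bytes) -> dict:
    """Summarise packing status and embedded Go package paths for review.

    When upx_packed is True and no paths are found, the file should be
    unpacked (e.g. with `upx -d` on a copy) before drawing conclusions.
    """
    return {
        "upx_packed": is_upx_packed(data),
        "go_package_paths": go_package_paths(data),
    }


if __name__ == "__main__":
    print("packed  :", triage(PACKED_SAMPLE))
    print("unpacked:", triage(UNPACKED_SAMPLE))
```

The point of keeping both checks in one function is the ordering the article implies: a packed file with no visible package paths is not evidence of anything yet, while package paths in an unpacked Go binary give the analyst names (module path, internal package names) to pivot on.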

The GoRed backdoor supports several noteworthy features. It allows operators to connect to it and execute commands, in the same way as other command-and-control (C2) frameworks such as Cobalt Strike or Sliver. Communication between GoRed and the C2 server is based on the RPC protocol. To secure this communication, the operators use DNS/ICMP tunneling and the WSS and QUIC protocols.
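Of the C2 channels listed above, DNS tunneling is the one most likely to be visible in logs an organization already collects. The following is an added example, not code from the report or from Positive Technologies: a simple heuristic that groups DNS queries by client and registered domain and flags groups with many distinct, long, high-entropy subdomains, which is what carrying data in query names tends to look like. The log lines are constructed, the domain `c2-placeholder.test` is a placeholder, and taking the last two labels as the registered domain is a simplification (a real deployment would use the Public Suffix List). The thresholds are illustrative starting points, not values from the report.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line:
# "<timestamp> <client_ip> <qtype> <qname>". The first four lines are ordinary
# lookups; the last four imitate a client pushing data out in long hex labels.
SAMPLE_LOG = """\
2024-03-12T10:00:01Z 10.0.0.5 A www.example.com
2024-03-12T10:00:02Z 10.0.0.5 A cdn.example.com
2024-03-12T10:00:03Z 10.0.0.5 A mail.example.com
2024-03-12T10:00:04Z 10.0.0.5 A static-assets-eu-west.example.com
2024-03-12T10:00:05Z 10.0.0.7 TXT 8f3a1c9e2b7d4f60a5c3e1b9d7f2a4c68e0b1d3f.c2-placeholder.test
2024-03-12T10:00:06Z 10.0.0.7 TXT a7e2c4f6b8d0193e5c7a9f1b3d5e7c9a2b4d6f80.c2-placeholder.test
2024-03-12T10:00:07Z 10.0.0.7 TXT c1d3e5f7a9b2c4d6e8f0a1b3c5d7e9f2a4b6c8d0.c2-placeholder.test
2024-03-12T10:00:08Z 10.0.0.7 TXT 5b7d9f1a3c5e7f9b2d4f6a8c0e1b3d5f7a9c2e4f.c2-placeholder.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (registered_domain, subdomain) for a query name.

    Simplification: the registered domain is taken as the last two labels.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text: str, min_unique=3, min_len=25, min_entropy=3.0) -> dict:
    """Group queries by (client, registered domain) and score each group.

    A group is marked suspicious only when all three conditions hold: enough
    distinct subdomains, a long average subdomain, and high average entropy.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, _qtype, qname = parts
        domain, sub = split_qname(qname)
        groups[(client, domain)].append(sub)

    report = {}
    for key, subs in groups.items():
        unique = set(subs)
        # Entropy and length are measured on the subdomain with dots removed.
        lengths = [len(s.replace(".", "")) for s in unique]
        entropies = [shannon_entropy(s.replace(".", "")) for s in unique]
        stats = {
            "queries": len(subs),
            "unique_subdomains": len(unique),
            "mean_label_len": sum(lengths) / len(lengths),
            "mean_entropy": sum(entropies) / len(entropies),
        }
        stats["suspicious"] = (
            stats["unique_subdomains"] >= min_unique
            and stats["mean_label_len"] >= min_len
            and stats["mean_entropy"] >= min_entropy
        )
        report[key] = stats
    return report


def suspicious_pairs(log_text: str, **thresholds) -> list:
    """Return the (client, domain) pairs flagged by analyze(), sorted."""
    rep = analyze(log_text, **thresholds)
    return sorted(k for k, v in rep.items() if v["suspicious"])


if __name__ == "__main__":
    for (client, domain), stats in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{client} -> {domain}: {flag} {stats}")
```

Requiring all three conditions keeps ordinary traffic out: the `example.com` group above has four distinct subdomains, but its average subdomain length is under eight characters, so it is not flagged. Legitimate services that encode data in DNS names (some CDNs, anti-spam lookups) will still trip this heuristic, so it belongs in a hunting query with an allow-list rather than in an automated block rule.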

GoRed is able to obtain credentials from compromised systems and to collect various types of system information, including active processes, hostnames, network interfaces, and file system structures. The backdoor supports several commands for reconnaissance of the target’s network. It serializes, encrypts, archives and sends the collected data to a designated server that stores the compromised data.

ExCobalt gained initial access to target organizations through a previously compromised contractor. ExCobalt launched a supply chain attack by infecting a component used to build the target company’s legitimate software.

ExCobalt used Spark RAT to execute commands and multiple tools as part of the attack chain, including Mimikatz, ProcDump, SMBExec, Metasploit and rsocx.

The group exploited the following privilege escalation vulnerabilities: CVE-2022-2586, CVE-2021-3156, CVE-2021-4034, CVE-2019-13272, CVE-2022-27228, CVE-2021-44228, CVE-2021-40438, CVE-2023-3519, BDU:2023-05857 and CVE-2019-12725.

“ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, continually adding new tools to its arsenal and refining its techniques. It not only develops new attack methods, but also actively improves existing tools such as the GoRed backdoor,” the report concludes.

“ExCobalt is clearly moving towards more sophisticated and productive methods of hacking and cyber espionage, as can be seen from GoRed gaining new capabilities and functions. These include enhanced victim data collection functionality and increased stealth both within the infected system and when communicating with C2 servers.”

Pierluigi Paganini
