gobrat-trojan

Analysis

GobRAT is an advanced remote access trojan (RAT) that primarily targets Linux routers in Japan. It exploits vulnerabilities in routers whose web interfaces are exposed to the public internet to run scripts and infect the device. GobRAT impersonates the Apache daemon process (apached) in order to evade detection.

Once a router has been compromised, a loader script is put in place to act as the delivery mechanism for GobRAT. The loader may disable the firewall, establish persistence through the cron job scheduler, and register SSH public keys in the .ssh/authorized_keys file to allow remote access.

GobRAT uses the Transport Layer Security (TLS) protocol to communicate with a remote server, so its command-and-control (C2) traffic is encrypted in transit. It receives encrypted commands and carries out a variety of functions, among them gathering information about the machine, running a reverse shell, reading and writing files, setting up new C2 infrastructure and protocols, starting a SOCKS5 proxy, running files in particular directories, and attempting to log into services such as sshd, Telnet, Redis, MySQL and PostgreSQL on other machines.

GobRAT's discovery follows the disclosure of other router-targeting RATs such as HiatusRAT, demonstrating a persistent threat to this class of device. To reduce the risk, it is essential to harden routers, update firmware promptly to fix known flaws, and deploy security mechanisms that can quickly identify and stop such threats.

Prevention

  • Regularly update the router's firmware: Install the most recent patches and updates offered by the manufacturer so the router's firmware stays current. These updates frequently include security fixes for known vulnerabilities.
  • Change the default credentials: Immediately change the default username and password of the router's management interface and choose strong passwords that are hard to guess. This prevents attackers from gaining access with default credentials.
  • Deactivate remote management if not needed: If the router does not need to be managed from outside the network, disable remote management. It is an additional entry point for attackers, so disabling it reduces the attack surface and the risk of unauthorised access.
  • Limit who may access the router's web interface: Configure the router so that only trusted IP addresses or networks can reach the web interface. This stops others from reaching the administration interface for malicious purposes.
  • Set up firewall rules to deny connections from unauthorised sources: Use the router's firewall to block incoming and outgoing connections to suspicious or prohibited destinations. This makes it harder for RATs like GobRAT to establish command-and-control connections with remote servers.
  • Use IDS/IPS to detect threats: Deploy an intrusion detection system (IDS) or intrusion prevention system (IPS) on the network. These tools add another line of defence by identifying and blocking malicious network activity generated by RATs and other threats.
  • Segment the network: Split the network into distinct zones so that critical systems are isolated from potentially compromised devices. This limits lateral movement within the network and lessens the impact of an infection.
  • Educate users: Inform users regularly about good cybersecurity practices, such as avoiding suspicious downloads, emails and URLs. Accidental execution of a RAT payload must be avoided, so awareness and caution are essential.
  • Monitor network traffic: Use monitoring tools to spot anomalous behaviour and symptoms of RAT infection. Watch traffic patterns and stay alert for potential threats.
  • Keep endpoint protection current: Install the most recent versions of antivirus and anti-malware software on all network-connected devices, including routers. Run routine scans to remove threats and improve defences against RATs and other malware.

Detection

  • Network traffic analysis: Watch for unusual patterns or connections to known-bad IP addresses or domains. Look for strange traffic patterns and irregularities in communication protocols.
  • Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS systems that can identify and alert on known RAT signatures or behaviour patterns. Real-time analysis of network traffic helps spot RAT activity as it happens.
  • Endpoint security solutions: Use comprehensive endpoint security software with antivirus, anti-malware and behavioural analysis features. These tools can identify and block RAT-related activity on individual devices.
  • Anomaly detection: Use anomaly detection techniques to find out-of-the-ordinary behaviour or deviations from typical system activity, such as strange process execution, unforeseen network connections, or unusual resource use.
  • File and memory analysis: Run routine file and memory scans on systems to look for implanted malware, questionable processes, or other indicators of RATs like GobRAT. Use reliable security software for these scans.
  • System log analysis: Review system logs for signs of RAT activity, such as unauthorised login attempts, odd system events, or suspicious file access. Log analysis can provide important evidence of a suspected RAT infection.
  • Behaviour analysis: Watch for odd behaviour on the network or on specific devices, such as abrupt increases in network traffic, unusual process activity, or unauthorised changes to system files. Such irregularities can point to the presence of a RAT.
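Added example, not from the article or from the GobRAT analysis it summarises: a POSIX shell audit helper that checks a Linux router for the three loader traces described in the Analysis section (an unexpected entry in .ssh/authorized_keys, a cron persistence job, a process named apached) and supports the file, process and log review recommended under Detection. The file paths, the key allowlist, the temp-directory heuristic and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added audit helper, not from the article or any GobRAT sample: looks for the
# host-side traces the write-up attributes to the loader. Functions take file
# paths, so they run on the constructed samples below or on real files such as
# /root/.ssh/authorized_keys, /etc/crontabs/root and "ps -eo pid,comm" output.

# Print lines of authorized_keys $1 whose "type blob" is not in allowlist $2
# (same format); leading key options such as no-pty are skipped when matching.
unknown_ssh_keys() {
    awk -v allow="$2" '
        function keyid(line,   f, n, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(sk-)?(ssh|ecdsa)-/) return f[i] " " f[i+1]
            return ""
        }
        BEGIN { while ((getline l < allow) > 0) if (keyid(l) != "") ok[keyid(l)] = 1 }
        /^[[:space:]]*(#|$)/ { next }
        { k = keyid($0); if (k == "" || !(k in ok)) print }
    ' "$1"
}

# Print cron entries in $1 that run something from /tmp, /var/tmp or /dev/shm
# (heuristic assumption: a legitimate router job rarely lives in those paths).
suspicious_cron() {
    awk '/^[[:space:]]*(#|$)/ { next }
         /\/(tmp|dev\/shm)\// { print }' "$1"
}

# Print PIDs from "ps -eo pid,comm" output in $1 whose name is exactly "apached".
# Real Apache runs as httpd or apache2, so this name alone is worth a closer look.
impostor_apache() {
    awk 'NR > 1 && $2 == "apached" { print $1 }' "$1"
}

# Constructed sample inputs (placeholder keys, not real ones) in a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3_admin_key admin@lan\n' > "$d/allowlist"
    printf '# managed keys\nssh-ed25519 AAAAC3_admin_key admin@lan\n' > "$d/authorized_keys"
    printf 'no-pty ssh-rsa AAAAB3_unknown_key\n' >> "$d/authorized_keys"
    printf '0 3 * * * /usr/sbin/logrotate\n*/5 * * * * /tmp/.x/loader.sh\n' > "$d/crontab"
    printf 'PID COMMAND\n1 init\n412 httpd\n977 apached\n' > "$d/ps.txt"
    echo "$d"
}
d=$(make_samples)
unknown_ssh_keys "$d/authorized_keys" "$d/allowlist"   # prints the no-pty ssh-rsa line
suspicious_cron "$d/crontab"                           # prints the /tmp/.x job
impostor_apache "$d/ps.txt"                            # prints 977
```

On a live router, point the functions at the real files and keep the allowlist of known-good keys somewhere the router cannot rewrite it.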

References

https://thehackernews.com/2023/05/new-gobrat-remote-access-trojan.html 
