New GoRed Backdoor being used by ExCobalt Cyber Gang to Target Russian Sectors


Cyber Espionage Targeting Russian Organizations: ExCobalt and GoRed Backdoor

Russian organizations have found themselves in the crosshairs of a cybercrime gang known as ExCobalt, wielding a newly discovered Golang-based backdoor named GoRed. The experts at Positive Technologies, Vladislav Lunin and Alexander Badayev, shed light on this menacing threat in a recent technical report.

Initially known for targeting financial institutions to pilfer funds, ExCobalt’s roots trace back to the infamous Cobalt Gang, with a shift in tactics evident from the adoption of the CobInt tool in 2022. Over the past year, the threat actors have honed in on sectors like government, IT, metallurgy, mining, and telecommunications in Russia, showcasing a broad spectrum of targets.

The group’s modus operandi involves abusing previously compromised contractors and mounting supply chain attacks, injecting malicious components into legitimate software during the build process. Their toolset includes Metasploit, Mimikatz, and Spark RAT for command execution, along with Linux privilege escalation exploits.

GoRed, the backdoor at the core of ExCobalt’s arsenal, offers a comprehensive set of capabilities, including remote command execution, credential theft, and data harvesting. It communicates with its command-and-control server using a Remote Procedure Call (RPC) protocol.

As ExCobalt continues to evolve and expand its toolkit, the researchers warn of its persistent targeting of Russian entities and its ability to adapt to evolving security measures. The group’s practice of incorporating modified standard utilities underscores its determination to breach defenses and highlights the need for robust cybersecurity measures in the face of escalating cyber threats.
