
GobRAT Remote Access Trojan Targets Linux Routers in Japan

A newly discovered Golang remote access trojan (RAT) named GobRAT is specifically targeting Linux routers in Japan.

According to a report by the JPCERT Coordination Center (JPCERT/CC), the attacker first targets routers whose WebUI is publicly accessible, exploits vulnerabilities to execute scripts, and ultimately infects them with GobRAT.

After compromising an internet-exposed router, the attacker deploys a loader script. Once launched, the malware disguises itself as the Apache daemon process (apached) to avoid detection.

The loader used in the GobRAT attack can also disable firewalls, establish persistence through the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file to enable remote access.

GobRAT itself uses the Transport Layer Security (TLS) protocol to communicate with a remote server, from which it receives a set of up to 22 encrypted commands for execution.

Among the most common commands utilized by GobRAT, the following operations are notable:

  • Gathering machine information
  • Executing a reverse shell
  • Reading and writing files
  • Configuring new command-and-control (C2) settings and protocols
  • Initiating a SOCKS5 proxy
  • Executing a file in the /zone/frpc directory
  • Attempting to log in to services like sshd, Telnet, Redis, MySQL, and PostgreSQL running on other machines.
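
A read-only triage for the traits reported above (a process named apached, cron persistence, an added SSH key, the /zone/frpc path), given as an added example that is not from JPCERT/CC or the original post. The function names, the default cron and key file locations, and the use of /proc/PID/comm for the process name are assumptions.

```shell
#!/bin/sh
# Added example, not JPCERT/CC code: read-only checks for the traits above.
# Usage: sh triage.sh ROOT [KNOWN_KEYS]   (ROOT is / or a mounted image)
# Assumed: cron/key paths are common defaults; /proc/PID/comm holds the name.

active() { grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"; }
prefix() { while IFS= read -r l; do printf '%s: %s\n' "$1" "$l"; done; }

# Processes named "apached" (Apache itself normally runs as httpd or apache2).
find_apached() {
    root=${1:-/}
    for comm in "$root"/proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm" 2>/dev/null)" = "apached" ]; then
            pid=${comm%/comm}; echo "${pid##*/} apached"
        fi
    done
}

# authorized_keys lines that are absent from a known-good baseline file.
unknown_ssh_keys() {
    root=${1:-/}
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -r "$f" ] || continue
        active "$f" | grep -vxF -f "${2:-/dev/null}" | prefix "$f"
    done
}

# Active cron lines, listed for review since the page gives no exact entry.
cron_entries() {
    root=${1:-/}
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        active "$f" | prefix "$f"
    done
}

# True when the /zone/frpc path from the command list exists under ROOT.
has_frpc() { [ -e "${1:-/}/zone/frpc" ]; }

if [ "$#" -gt 0 ]; then
    find_apached "$1"; unknown_ssh_keys "$1" "${2:-}"; cron_entries "$1"
    if has_frpc "$1"; then echo "$1/zone/frpc exists"; fi
fi
```

Without a baseline file every authorized_keys entry is listed, so the output is a review list rather than a verdict.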

The recent discovery follows a previous revelation by Lumen Black Lotus Labs, made approximately three months ago, exposing the exploitation of enterprise-grade routers in Latin America, Europe, and North America. The malicious software responsible for the surveillance activities was identified as HiatusRAT.


