A new remote access trojan (RAT) called GobRAT has been discovered targeting Linux routers in Japan. The attack begins by exploiting vulnerabilities in routers whose web UI is exposed to the internet, which allows the attacker to deploy GobRAT on the device.
A loader script is then run; it disguises GobRAT as the Apache daemon process to avoid detection and performs further malicious actions such as disabling the firewall and establishing persistence.
GobRAT communicates with a remote server over Transport Layer Security (TLS) and receives encrypted commands for execution, including collecting machine information, launching a reverse shell, manipulating files, configuring new command-and-control protocols, starting a SOCKS5 proxy, and attempting unauthorized access to services on other machines.
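As an added example (not part of the original report and not GobRAT's own code), the following Python check targets the process-masquerading technique described above: it walks /proc on a Linux host, or a constructed snapshot when run offline, and flags any process whose name resembles an Apache daemon but whose executable is not in a directory where a packaged Apache binary would normally live. The name patterns, the trusted-directory list and the sample snapshot are assumptions made for illustration, not indicators taken from the report.

```python
"""Flag processes that borrow an Apache-like name but run from an unexpected path.

Added example. The Apache name patterns, the trusted directory list and the
sample snapshot below are illustrative assumptions, not indicators from the
GobRAT report.
"""
import os
import re
from dataclasses import dataclass

# Names a router process might borrow to blend in with a web server (assumption).
APACHE_LIKE = re.compile(r"^(apache\d*|apached|httpd)$")

# Directories where a genuine, package-installed Apache binary would normally sit (assumption).
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/usr/libexec/", "/sbin/", "/bin/")


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str      # short name from /proc/<pid>/comm
    exe: str       # resolved target of /proc/<pid>/exe ("" if unreadable)
    cmdline: str   # argv joined with spaces


def is_suspicious(p: Proc) -> bool:
    """True when the name looks like Apache but the binary is not in a trusted directory."""
    if not APACHE_LIKE.match(p.comm):
        return False
    # A binary unlinked after start shows up as "/path (deleted)"; treat that as untrusted too.
    if p.exe.endswith(" (deleted)"):
        return True
    return not any(p.exe.startswith(d) for d in TRUSTED_DIRS)


def scan(procs):
    """Return the suspicious processes from an iterable of Proc records."""
    return [p for p in procs if is_suspicious(p)]


def read_procfs():
    """Collect Proc records from a live Linux /proc; entries that cannot be read are skipped."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = ""
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        out.append(Proc(pid, comm, exe, cmdline))
    return out


# Constructed snapshot used when not running on a live host.
SAMPLE = [
    Proc(412, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -D FOREGROUND"),
    Proc(1337, "apached", "/tmp/.x/apached", "/tmp/.x/apached"),
    Proc(1402, "apached", "/var/run/apached (deleted)", "/var/run/apached"),
    Proc(55, "dropbear", "/usr/sbin/dropbear", "/usr/sbin/dropbear -p 22"),
]

if __name__ == "__main__":
    procs = read_procfs() if os.path.isdir("/proc") else SAMPLE
    for p in scan(procs):
        print(f"pid {p.pid}: {p.comm} runs from {p.exe or '<unknown>'}")
```

On a real router the trusted-directory list should be tuned to the firmware's layout, and the same idea extends to other names an implant might borrow; a match is a lead to investigate rather than proof of compromise, since a legitimately relocated binary would trip it too.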
These findings highlight the ongoing threat posed by malware targeting routers, with previous instances of router compromise for spying purposes already observed in Latin America, Europe, and North America using the HiatusRAT malware.
The findings emphasize the importance of keeping routers updated with the latest security patches and maintaining strong security measures, including not exposing the management interface to the internet, to protect against such attacks.