GoRed
Type of Malware | Backdoor
Targeted Countries | Russia
Date of initial activity | 2022
Associated Groups | ExCobalt
Motivation | Cyberwarfare
Attack Vectors | Phishing
Targeted Systems | Windows
Overview
GoRed is a sophisticated piece of malware that exemplifies the evolving tactics and techniques used by cybercriminal groups to maintain persistence and evade detection in compromised systems. Uncovered in mid-2024 by the PT ESC CSIRT team during an investigation into a Linux host compromise, GoRed is a backdoor tool written in Go, which has been attributed to the ExCobalt cybercrime gang. This gang is known for its focus on cyberespionage and has been active since at least 2016, with its origins traced back to the notorious Cobalt gang. The Cobalt gang was known for its attacks on financial institutions, and ExCobalt has continued this trend by utilizing advanced tools like GoRed to further its operations.
GoRed operates with a range of advanced capabilities designed to maintain control over infected systems and evade detection. At its core, GoRed functions as a command-and-control (C2) framework, allowing operators to issue commands, exfiltrate data, and maintain persistence on compromised systems. It uses various communication protocols such as DNS, ICMP, WSS, and QUIC to connect with its C2 servers, making it resilient against traditional detection methods. Additionally, GoRed integrates techniques like DNS/ICMP tunneling and supports multiple modes of operation, including beacon mode and proxy mode, to enhance its stealth and effectiveness.
The malware is also notable for its ability to collect a wide array of information from infected systems, including details on active processes, network interfaces, and file system structures. This capability allows the operators to perform extensive reconnaissance and gain deeper insights into the victim’s environment. Furthermore, GoRed’s ability to modify and disguise standard utilities, such as ps and netstat, demonstrates its advanced evasion techniques. These modifications help GoRed hide its presence by concealing its processes and network connections from standard monitoring tools, thereby complicating detection and analysis efforts.
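The ps/netstat tampering described above can be checked for from the defender's side by reading the kernel's own /proc view and comparing it with what the utilities print, since a trojanized binary can only drop lines from its own output. This is an added example, not code from the original report or from GoRed; the /proc/net/tcp excerpt, the PID set and the utility outputs are constructed sample data.

```python
import os
import socket
import struct

def pids_in_proc(proc_root="/proc"):
    # PIDs read straight from procfs, bypassing the ps binary entirely.
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def pids_from_ps(ps_text):
    # Parse `ps -eo pid=` output (one PID per line).
    return {int(t) for t in ps_text.split() if t.isdigit()}

def hidden_pids(proc_set, ps_set):
    # PIDs the kernel knows but ps did not print. Short-lived processes cause
    # transient false positives, so confirm a hit with a second pass.
    return sorted(proc_set - ps_set)

def _endpoint(field):
    # /proc/net/tcp stores IPv4 endpoints as host-order hex, e.g. "0100007F:0050".
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def established_from_proc_net_tcp(text):
    # (local_ip, local_port, remote_ip, remote_port) for ESTABLISHED sockets (st == 01).
    conns = set()
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "01":
            conns.add(_endpoint(cols[1]) + _endpoint(cols[2]))
    return conns

# Constructed sample data: one /proc/net/tcp read, plus the output of a ps and a
# netstat that each silently dropped one entry.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0F02000A:A1B2 6401A8C0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 20 4 30 10 -1
"""
PROC_PIDS = {1, 2, 815, 4242}
PS_OUTPUT = "1\n2\n815\n"      # ps omitted PID 4242
NETSTAT_ESTABLISHED = set()    # netstat printed no ESTABLISHED sockets at all

def demo():
    # Returns (hidden PIDs, hidden connections) for the constructed sample.
    conns = established_from_proc_net_tcp(PROC_NET_TCP)
    return hidden_pids(PROC_PIDS, pids_from_ps(PS_OUTPUT)), sorted(conns - NETSTAT_ESTABLISHED)

if __name__ == "__main__":
    print(demo())
```

On a live host, replace the constants with `pids_in_proc()`, the real `ps -eo pid=` output and a read of /proc/net/tcp; a non-empty result is a lead, not proof, until the utility binaries are verified against package checksums.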
Targets
Public Administration
Mining
Information
How they operate
At its core, GoRed utilizes Command and Control (C2) tactics to establish and maintain communication with its command servers. The malware employs a variety of application layer protocols, including DNS, ICMP, WebSocket (WSS), and QUIC. These protocols facilitate covert data exchanges by masking malicious traffic within seemingly benign network activity. For instance, GoRed might use DNS queries to send or receive data, exploiting the widespread use of DNS for legitimate purposes to avoid detection.
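A defender looking for the DNS tunnelling channel described above can score resolver logs for the usual tunnel traits (long or high-entropy subdomains, bulk-data record types, many distinct subdomains under one zone). The following is an added example, not code from the original page or from the PT ESC analysis; the log format, the thresholds and the c2-example.test zone are assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (timestamp, client, qname, qtype); not real traffic.
DNS_LOG = """\
2024-06-03T09:00:01Z 10.0.2.15 www.example.com A
2024-06-03T09:00:02Z 10.0.2.15 mail.example.com A
2024-06-03T09:00:03Z 10.0.2.15 0123456789abcdef0123456789abcdef.c2-example.test TXT
2024-06-03T09:00:04Z 10.0.2.15 123456789abcdef0123456789abcdef0.c2-example.test TXT
2024-06-03T09:00:05Z 10.0.2.15 api.example.com A
2024-06-03T09:00:06Z 10.0.2.15 23456789abcdef0123456789abcdef01.c2-example.test TXT
2024-06-03T09:00:07Z 10.0.2.15 3456789abcdef0123456789abcdef012.c2-example.test TXT
"""

def shannon_entropy(s):
    # Bits per character; encoded-data labels (hex, base32) score near 4 or above.
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) if s else 0.0

def split_name(qname):
    # Naive split: last two labels are the zone; the labels before them carry any tunnelled data.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_flags(qname, qtype, max_len=52, min_entropy=3.5):
    # Per-query indicators; any one alone is weak, so suspicious_zones() aggregates them.
    sub, _ = split_name(qname)
    flags = []
    if len(qname) > max_len:
        flags.append("long_name")
    if shannon_entropy(sub.replace(".", "")) > min_entropy:
        flags.append("high_entropy_label")
    if qtype in ("TXT", "NULL"):
        flags.append("bulk_data_qtype")
    return flags

def suspicious_zones(log_text, min_unique=3, min_ratio=0.5):
    # A zone with many distinct subdomains that are mostly flagged looks like a tunnel endpoint.
    stats = defaultdict(lambda: {"queries": 0, "flagged": 0, "subs": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        qname, qtype = parts[2], parts[3]
        sub, zone = split_name(qname)
        s = stats[zone]
        s["queries"] += 1
        s["subs"].add(sub)
        if query_flags(qname, qtype):
            s["flagged"] += 1
    return sorted(z for z, s in stats.items()
                  if len(s["subs"]) >= min_unique and s["flagged"] / s["queries"] >= min_ratio)
```

Legitimate CDN and anti-spam services also produce long, random-looking labels, so tune the thresholds against a baseline of your own resolver traffic before alerting on the result.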
Persistence is another critical component of GoRed’s operational strategy. The malware ensures its survival on infected systems by employing techniques such as creating or modifying system services. This tactic allows GoRed to configure itself to run automatically at system startup, maintaining a foothold even if the system is rebooted. By integrating itself deeply into system operations, GoRed minimizes the risk of detection and removal.
The Collection phase of GoRed’s operation is designed to gather valuable information from the compromised system. The malware collects data from local files and directories, focusing on sensitive information that can be exploited. Techniques such as network sniffing are also employed to monitor and collect data about network traffic, providing GoRed with a comprehensive view of the network environment and potential targets.
To evade detection and maintain stealth, GoRed employs several Defense Evasion techniques. The malware may clear or modify Windows event logs to erase traces of its activities, reducing the chances of detection by security monitoring tools. Additionally, GoRed uses obfuscation to hide its malicious code, complicating analysis efforts by cybersecurity professionals. Another technique involves leveraging signed system binaries for executing payloads, thus exploiting trusted system processes to bypass security measures.
Execution of its payloads is achieved through various methods, including the use of the Windows Command Shell. By executing commands in a controlled manner, GoRed is able to carry out its objectives without raising immediate suspicion.
Finally, in the Exfiltration phase, GoRed uses its established C2 channels to exfiltrate data from the infected system. This data is sent back to the attacker, often disguised within legitimate network traffic to evade detection. The use of encrypted channels and blending with normal network activity further complicates efforts to identify and stop the exfiltration process.
MITRE Tactics and Techniques
Command and Control (C2)
Tactic: Command and Control
Techniques:
T1071.001 – Application Layer Protocol: GoRed employs various application layer protocols like DNS, ICMP, WSS, and QUIC to establish and maintain communication with its C2 servers. This tactic helps the malware evade detection by blending in with legitimate traffic.
Persistence
Tactic: Persistence
Techniques:
T1543.003 – Create or Modify System Service: GoRed may create or modify system services to ensure that it runs automatically on system startup. This allows the malware to maintain persistence on the infected system.
Collection
Tactic: Collection
Techniques:
T1005 – Data from Local System: The malware collects data from local files and directories, including details on active processes and network interfaces.
T1040 – Network Sniffing: GoRed can collect information about network traffic, leveraging its stealth capabilities to avoid detection during data collection.
Defense Evasion
Tactic: Defense Evasion
Techniques:
T1070.001 – Clear Windows Event Logs: GoRed may clear or modify event logs to avoid detection and removal.
T1027 – Obfuscated Files or Information: The malware employs obfuscation techniques to hide its true nature and evade analysis.
T1218 – Signed Binary Proxy Execution: GoRed may utilize legitimate system binaries in a malicious manner to execute its payload, thereby reducing the likelihood of detection.
Execution
Tactic: Execution
Techniques:
T1059.003 – Windows Command Shell: GoRed might leverage command shell execution to run its commands and payloads on the compromised system.
Exfiltration
Tactic: Exfiltration
Techniques:
T1041 – Exfiltration Over Command and Control Channel: The malware uses its C2 channel to exfiltrate data, blending this activity with legitimate traffic to avoid detection.