
GoRed (BackDoor) – Malware

December 4, 2024

GoRed

  • Type of Malware: BackDoor
  • Targeted Countries: Russia
  • Date of initial activity: 2022
  • Associated Groups: ExCobalt
  • Motivation: Cyberwarfare, Espionage
  • Attack Vectors: Phishing
  • Targeted Systems: Windows

Overview

GoRed is a backdoor written in Go that exemplifies the evolving tactics cybercriminal groups use to maintain persistence and evade detection on compromised systems. It was uncovered in mid-2024 by the PT ESC CSIRT team during an investigation into a Linux host compromise and has been attributed to the ExCobalt cybercrime gang. ExCobalt focuses on cyberespionage and has been active since at least 2016; its origins trace back to the notorious Cobalt gang, which was known for attacks on financial institutions, and ExCobalt has continued that trend with advanced tools like GoRed.

At its core, GoRed functions as a command-and-control (C2) framework that lets operators issue commands, exfiltrate data, and maintain persistence on compromised systems. It communicates with its C2 servers over DNS, ICMP, WSS, and QUIC, which makes it resilient against traditional detection methods. It also integrates DNS/ICMP tunneling and supports multiple modes of operation, including beacon mode and proxy mode, to enhance its stealth and effectiveness.

The malware can collect a wide array of information from infected systems, including details on active processes, network interfaces, and file system structures, which lets operators perform extensive reconnaissance and gain deeper insight into the victim’s environment. GoRed can also modify and disguise standard utilities such as ps and netstat; these modifications conceal its processes and network connections from standard monitoring tools, complicating detection and analysis.

Targets

  • Public Administration
  • Mining
  • Information

How they operate

At its core, GoRed relies on Command and Control (C2) tactics to establish and maintain communication with its command servers. The malware employs a variety of application layer protocols, including DNS, ICMP, WebSocket (WSS), and QUIC, which let it mask malicious traffic within seemingly benign network activity. For instance, GoRed might carry data inside DNS queries and responses, relying on the ubiquity of legitimate DNS traffic to avoid detection.

Persistence is another critical component of GoRed’s operational strategy. The malware ensures its survival by creating or modifying system services so that it runs automatically at system startup, keeping its foothold across reboots. By integrating itself deeply into system operations, GoRed minimizes the risk of detection and removal.

The Collection phase gathers valuable information from the compromised system. The malware collects data from local files and directories, focusing on sensitive information that can be exploited, and also employs network sniffing to monitor and collect data about network traffic, giving it a comprehensive view of the network environment and potential targets.

To evade detection and maintain stealth, GoRed employs several Defense Evasion techniques. It may clear or modify Windows event logs to erase traces of its activities and reduce the chance of detection by security monitoring tools. It also uses obfuscation to hide its malicious code, complicating analysis by security professionals, and may leverage signed system binaries to execute payloads, exploiting trusted system processes to bypass security measures.

Execution of its payloads is achieved through various methods, including the Windows Command Shell; by running commands in a controlled manner, GoRed carries out its objectives without raising immediate suspicion.

Finally, in the Exfiltration phase, GoRed uses its established C2 channels to send data from the infected system back to the attacker, often disguised within legitimate network traffic. The use of encrypted channels and blending with normal network activity further complicate efforts to identify and stop the exfiltration.
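GoRed's DNS tunneling hides C2 traffic in ordinary-looking lookups, so a defender's first check on resolver logs is whether one client issues many long, random-looking subdomain labels under a single zone. The following is an added example (not code from this page or from the PT ESC report) that applies those heuristics to a constructed resolver log; the log format, the two-label zone split and the thresholds are assumptions to be tuned against real baseline traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report): timestamp client qtype qname
SAMPLE_LOG = """\
2024-06-10T09:00:01 10.0.0.5 A www.example.com
2024-06-10T09:00:02 10.0.0.5 TXT 6a7f3c9d1e2b4a5c6d7e8f90a1b2c3d4.tunnel-example.test
2024-06-10T09:00:02 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tunnel-example.test
2024-06-10T09:00:03 10.0.0.5 TXT 0011223344556677889900aabbccddee.tunnel-example.test
2024-06-10T09:00:03 10.0.0.5 TXT ffeeddccbbaa99887766554433221100.tunnel-example.test
2024-06-10T09:00:04 10.0.0.5 A mail.example.com
"""
LOG_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
# Assumed thresholds for this example; tune them against your own baseline traffic.
MIN_UNIQUE_LABELS = 4    # many distinct subdomains of one zone from one client
MIN_MEAN_ENTROPY = 3.0   # bits/char; encoded payload chunks look random
MIN_MEAN_LABEL_LEN = 20  # encoded chunks are far longer than "www" or "mail"

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def analyze(log_text: str) -> dict:
    """Per (client, zone) stats; zone = last two labels (use the public suffix list in production)."""
    groups = defaultdict(lambda: {"labels": set(), "queries": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        labels = m["qname"].rstrip(".").lower().split(".")
        g = groups[(m["client"], ".".join(labels[-2:]))]
        g["queries"] += 1
        if len(labels) > 2:
            g["labels"].add(labels[0])  # leftmost label is where payload chunks go
    results = {}
    for key, g in groups.items():
        labels = g["labels"]
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels) if labels else 0.0
        mean_len = sum(map(len, labels)) / len(labels) if labels else 0.0
        reasons = []
        if len(labels) >= MIN_UNIQUE_LABELS:  # volume gate avoids single-lookup noise
            if mean_ent >= MIN_MEAN_ENTROPY:
                reasons.append("high-entropy labels")
            if mean_len >= MIN_MEAN_LABEL_LEN:
                reasons.append("long labels")
        results[key] = {"queries": g["queries"], "unique_labels": len(labels),
                        "mean_entropy": round(mean_ent, 2), "reasons": reasons}
    return results
```

Any (client, zone) pair with a non-empty `reasons` list is worth an analyst's look; on the sample log only the client talking to tunnel-example.test is flagged.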

MITRE Tactics and Techniques

Command and Control (C2)
Tactic: Command and Control
Techniques:
  • T1071.001 – Application Layer Protocol: GoRed employs various application layer protocols like DNS, ICMP, WSS, and QUIC to establish and maintain communication with its C2 servers. This helps the malware evade detection by blending in with legitimate traffic.

Persistence
Tactic: Persistence
Techniques:
  • T1543.003 – Create or Modify System Service: GoRed may create or modify system services to ensure that it runs automatically on system startup, allowing it to maintain persistence on the infected system.

Collection
Tactic: Collection
Techniques:
  • T1005 – Data from Local System: The malware collects data from local files and directories, including details on active processes and network interfaces.
  • T1040 – Network Sniffing: GoRed can collect information about network traffic, leveraging its stealth capabilities to avoid detection during data collection.

Defense Evasion
Tactic: Defense Evasion
Techniques:
  • T1070.001 – Clear Windows Event Logs: GoRed may clear or modify event logs to avoid detection and removal.
  • T1027 – Obfuscated Files or Information: The malware employs obfuscation techniques to hide its true nature and evade analysis.
  • T1218 – Signed Binary Proxy Execution: GoRed may use legitimate system binaries in a malicious manner to execute its payload, reducing the likelihood of detection.

Execution
Tactic: Execution
Techniques:
  • T1059.003 – Windows Command Shell: GoRed might leverage command shell execution to run its commands and payloads on the compromised system.

Exfiltration
Tactic: Exfiltration
Techniques:
  • T1041 – Exfiltration Over Command and Control Channel: The malware uses its C2 channel to exfiltrate data, blending this activity with legitimate traffic to avoid detection.
References:
  • ExCobalt: GoRed, the hidden-tunnel technique
Tags: Backdoor, Cobalt gang, DNS, environment, ExCobalt, GoRed, ICMP, Linux, Malware, Mining, QUIC, WebSocket, WSS