Researchers from Cisco Talos discovered an uncommon piece of malware that was employed in an attack against a large Ukrainian software development company.
The software development company produces software that is used by various state organizations in Ukraine.
Researchers believe that the attackers could be linked to Russia and targeted the firm in an attempt to conduct a supply chain attack. At this time it is not clear if the attack was successful. The analysis of the malicious code revealed that it is a slightly modified version of the “GoMet” open-source backdoor.
Talos researchers pointed out that there are only two documented cases of this backdoor being used by advanced threat actors. The first took place in 2020, when threat actors dropped the backdoor after compromising a network by exploiting the CVE-2020-5902 vulnerability in F5 BIG-IP. The second occurred recently, when attackers deployed the malware after successfully exploiting the CVE-2022-1040 vulnerability in Sophos Firewall.
The original GoMet was published on GitHub on March 31, 2019. It received commits until April 2, 2019, but the author has not added any features since its first appearance.
“The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) or architectures (amd64, arm, etc.). GoMet supports job scheduling (via Cron or task scheduler depending on the OS), single command execution, file download, file upload or opening a shell.” reads the analysis published by Talos. “An additional notable feature of GoMet lies in its ability to daisy chain — whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers — connections from one implanted host to another. Such a feature could allow for communication out to the internet from otherwise completely “isolated” hosts.”
The researchers noticed that the attackers had modified the version employed in the attack: in particular, the cron job was configured to run every two seconds instead of every hour, which avoids an hour-long wait before retrying if the connection fails.
Another change concerns what the malware does when the C2 is unreachable: it sleeps for a random amount of time between five and 10 minutes before trying again.
Talos researchers found two samples of this backdoor that have minor differences, but that likely use the same source code.
“The malicious activity we detected included fake Windows update scheduled tasks created by the GoMet dropper. Additionally, the malware used a somewhat novel approach to persistence. It enumerated the autorun values and, instead of creating a new one, replaced one of the existing goodware autorun executables with the malware. This potentially could avoid detection or hinder forensic analysis.” continues the report.
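The persistence trick described in the quote above, replacing the binary behind an existing autorun value rather than adding a new one, defeats monitoring that only alerts on new Run-key entries. The following is an added example (not code from the Talos report or from GoMet) of the defender-side check that does catch it: compare a known-good baseline of autorun entries against a current snapshot and flag values whose path is unchanged but whose file on disk now hashes differently, rating the case where a previously signed binary is now unsigned as high severity. Every value name, path and hash below is constructed for illustration.

```python
"""Added example: detect a legitimate autorun executable that has been
swapped for a different binary while the Run-key value itself is unchanged.
All entries, paths and hashes are constructed, not taken from the report."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class AutorunEntry:
    name: str      # value name under the Run key (constructed)
    path: str      # executable the value launches
    sha256: str    # SHA-256 of that executable at snapshot time
    signed: bool   # True if the file carried a valid Authenticode signature


def fake_hash(content: bytes) -> str:
    """Stand-in for hashing the real file on disk; content is constructed."""
    return hashlib.sha256(content).hexdigest()


ONEDRIVE = r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
VENDOR_TOOL = r"C:\Program Files\VendorTool\tray.exe"

# Constructed baseline captured when the host was known to be clean.
BASELINE = [
    AutorunEntry("OneDrive", ONEDRIVE, fake_hash(b"onedrive-build-1"), True),
    AutorunEntry("VendorTray", VENDOR_TOOL, fake_hash(b"vendor-tray-build-7"), True),
]

# Constructed current snapshot: VendorTray still points at the same path,
# but the file at that path is now a different, unsigned binary.
CURRENT = [
    AutorunEntry("OneDrive", ONEDRIVE, fake_hash(b"onedrive-build-1"), True),
    AutorunEntry("VendorTray", VENDOR_TOOL, fake_hash(b"not-the-vendor-tool"), False),
]


def diff_autoruns(baseline, current):
    """Return findings as (value_name, kind, severity) tuples.

    kind is one of 'added', 'retargeted', 'replaced' or 'removed'.
    'replaced' with a lost signature is the swap-in-place case and is rated high.
    """
    base = {e.name: e for e in baseline}
    now = {e.name: e for e in current}
    findings = []
    for name, cur in now.items():
        old = base.get(name)
        if old is None:
            findings.append((name, "added", "medium"))
        elif cur.path.lower() != old.path.lower():
            findings.append((name, "retargeted", "medium"))
        elif cur.sha256 != old.sha256:
            severity = "high" if (old.signed and not cur.signed) else "medium"
            findings.append((name, "replaced", severity))
    for name in base.keys() - now.keys():
        findings.append((name, "removed", "low"))
    return findings


if __name__ == "__main__":
    for name, kind, severity in diff_autoruns(BASELINE, CURRENT):
        print(f"[{severity}] {name}: {kind}")
```

In practice the snapshots would come from an EDR or a scheduled inventory job that records the Run/RunOnce values together with the hash and signature state of each target file; the comparison logic stays the same. Only the hash-and-signature comparison catches the in-place replacement, which is why a baseline is needed rather than a list of "new" values.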
The samples detected by Talos have the IP address of the C2 hardcoded (111.90.139[.]122) and contact it via HTTPS on the default port.
The server uses a self-signed certificate that was issued on April 4, 2021.
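The two indicators above (a hardcoded C2 address reached over HTTPS and a self-signed server certificate issued on April 4, 2021), together with the two-second retry cadence mentioned earlier, are what a defender can hunt for in TLS connection logs. The following is an added example, not code from the report, that triages constructed connection records against them. The record layout is an assumption loosely modelled on a TLS/SSL connection log; only the C2 address and the certificate issue date come from the report. The regularity test is a generic coefficient-of-variation check, so the jittered five-to-10-minute retry sleep the report describes would not trigger it on its own.

```python
"""Added example: flag TLS connections that match the C2 indicators from the
Talos analysis or show a fixed-interval beacon. Records are constructed."""
from datetime import date, datetime, timezone
from statistics import mean, pstdev

# Indicator from the Talos analysis; the article defangs it as 111.90.139[.]122.
C2_IP = "111.90.139.122"
C2_CERT_ISSUED = date(2021, 4, 4)

# Constructed records (assumed layout): one entry per TLS connection.
LOG = [
    {"ts": "2022-07-20T10:00:00Z", "dst": C2_IP, "port": 443,
     "issuer": "CN=localhost", "subject": "CN=localhost", "not_before": "2021-04-04T00:00:00Z"},
    {"ts": "2022-07-20T10:00:02Z", "dst": C2_IP, "port": 443,
     "issuer": "CN=localhost", "subject": "CN=localhost", "not_before": "2021-04-04T00:00:00Z"},
    {"ts": "2022-07-20T10:00:04Z", "dst": C2_IP, "port": 443,
     "issuer": "CN=localhost", "subject": "CN=localhost", "not_before": "2021-04-04T00:00:00Z"},
    {"ts": "2022-07-20T10:00:06Z", "dst": C2_IP, "port": 443,
     "issuer": "CN=localhost", "subject": "CN=localhost", "not_before": "2021-04-04T00:00:00Z"},
    # Benign traffic to a CA-issued certificate, irregular timing.
    {"ts": "2022-07-20T10:01:00Z", "dst": "203.0.113.10", "port": 443,
     "issuer": "CN=Example Public CA", "subject": "CN=example.com", "not_before": "2022-01-10T00:00:00Z"},
    {"ts": "2022-07-20T10:07:00Z", "dst": "203.0.113.10", "port": 443,
     "issuer": "CN=Example Public CA", "subject": "CN=example.com", "not_before": "2022-01-10T00:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_flags(rec) -> set:
    """Indicator matches for a single connection record."""
    flags = set()
    if rec["dst"] == C2_IP:
        flags.add("c2_ioc")
    if rec["issuer"] == rec["subject"]:          # self-signed: issuer is the subject
        flags.add("self_signed")
    if parse_ts(rec["not_before"]).date() == C2_CERT_ISSUED:
        flags.add("cert_issued_on_ioc_date")
    return flags


def intervals_to(records, dst):
    """Seconds between consecutive connections to one destination."""
    ts = sorted(parse_ts(r["ts"]) for r in records if r["dst"] == dst)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def is_regular_beacon(intervals, min_count=3, max_cv=0.2) -> bool:
    """True when enough intervals exist and they are nearly constant."""
    if len(intervals) < min_count:
        return False
    m = mean(intervals)
    return m > 0 and pstdev(intervals) / m <= max_cv


def triage(records):
    """Map each destination to the sorted list of flags raised for it."""
    report = {}
    for dst in {r["dst"] for r in records}:
        flags = set()
        for r in records:
            if r["dst"] == dst:
                flags |= cert_flags(r)
        if is_regular_beacon(intervals_to(records, dst)):
            flags.add("regular_beacon")
        report[dst] = sorted(flags)
    return report


if __name__ == "__main__":
    for dst, flags in triage(LOG).items():
        print(dst, flags or "-")
```

A self-signed certificate or a fixed cadence alone is weak evidence; the value of the check is in the combination, and the address match is the only flag that is specific to this campaign.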
“In this instance, we saw a software company targeted with a backdoor designed for additional persistent access. We also observed the threat actor take active steps to prevent detection of their tooling by obfuscating samples and utilizing novel persistence techniques. This access could be leveraged in a variety of ways, including deeper access or launching additional attacks, including the potential for software supply chain compromise.” concludes the report. “It’s a reminder that although the cyber activities haven’t necessarily risen to the level many have expected, Ukraine is still facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the latest example of those attempts.”
(SecurityAffairs – hacking, Ukraine)