ExCobalt Cybercrime Group Launches Advanced Attacks on Russian Entities

June 24, 2024

Positive Technologies researchers have reported that a cybercrime group known as ExCobalt has been launching attacks on Russian organizations across a range of sectors. The group has been utilizing a previously unknown Golang-based backdoor, dubbed GoRed.

The ExCobalt group, believed to be in operation since at least 2016, is thought to be associated with the infamous Cobalt Gang. The group has been using the CobInt tool, a tool also used by the Cobalt Gang.

A security incident in March 2024 led to the discovery of a file named 'scrond' on a client's Linux host. The file, compressed with UPX, was found to contain package paths that suggest it is likely a proprietary tool known as GoRed, linked to a Red Team.

GoRed is a sophisticated backdoor that allows operators to connect and execute commands, much like other Command and Control (C2) frameworks such as Cobalt Strike or Sliver. The backdoor uses the RPC protocol to communicate with its C2 server, employing DNS/ICMP tunneling, WSS, and QUIC protocols for secure communication.

The GoRed backdoor is capable of extracting credentials from compromised systems and gathering various types of system information. It supports several commands for network reconnaissance and sends the collected data to a designated server.

ExCobalt gained initial access to target entities by exploiting a previously compromised contractor, conducting a supply chain attack by infecting a component used to build the target company's legitimate software.

The group used the Spark RAT to execute commands and a variety of tools as part of the attack chain, including Mimikatz, ProcDump, SMBExec, Metasploit, and rsocx. They exploited several vulnerabilities for privilege escalation, including CVE-2019-12725, CVE-2019-13272, CVE-2021-3156, CVE-2021-4034, CVE-2021-40438, CVE-2021-44228, CVE-2022-2586, CVE-2022-27228, and CVE-2023-3519.

The report concludes, “ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques... ExCobalt is apparently aiming for more sophisticated and productive methods of hacking and cyberespionage, seeing how GoRed has been acquiring new capabilities and features. These include expanded functionality for collecting victim data and increased secrecy both inside the infected system and in communications with C2 servers.”

Related News

• GHOSTENGINE Uses Vulnerable Drivers to Disable EDRs in Sophisticated Cryptojacking Attack
• Crypto Mining Malware Campaign Targets Misconfigured Servers
• FritzFrog Botnet Targets Unpatched Internal Hosts via Log4Shell Exploitation
• Lazarus Group Exploits Log4j Security Flaws to Launch Global Cyberattack Campaign
• CISA Issues Cybersecurity Guidelines for Healthcare and Public Health Entities

Latest News

• Cyber Espionage Campaign RedJuliett Targets 75 Taiwanese Entities
• CosmicSting Vulnerability Threatens Majority of Adobe Commerce and Magento Websites
• Active Exploitation of SolarWinds Serv-U Path-Traversal Vulnerability
• Security Flaw in Phoenix SecureCore UEFI Affecting Multiple Intel CPUs Unveiled
• Chinese Cyber Espionage Campaign Targets Telecom Operators in Asia