ExCobalt Cybercrime Group Launches Advanced Attacks on Russian Entities

June 24, 2024

Positive Technologies researchers have reported that a cybercrime group known as ExCobalt has been launching attacks on Russian organizations across a range of sectors. The group has been utilizing a previously unknown Golang-based backdoor, dubbed GoRed.

The ExCobalt group, believed to have been active since at least 2016, is thought to be linked to the infamous Cobalt Gang. One basis for that link is ExCobalt's use of CobInt, a tool also associated with the Cobalt Gang.

The backdoor came to light during the investigation of a security incident in March 2024, when a file named 'scrond' was found on a client's Linux host. The file was packed with UPX; once unpacked, its Go package paths indicated a proprietary tool named GoRed, with naming that suggested it had been developed for a red team.
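As an added triage example (not code from the Positive Technologies report), the following Python script performs the two checks that surfaced GoRed above: whether a Linux binary carries the markers UPX leaves in a packed file, and, once unpacked, which Go module paths appear among its symbol strings. The byte strings standing in for binaries, the module path example.invalid/go-red and the third-party dependency listed are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed stand-ins for binaries (not real GoRed samples). The first carries
# the markers UPX leaves in a packed file; the second mimics the symbol strings
# of an unpacked Go binary built from a hypothetical module path.
UPX_PACKED_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"UPX!" + b"\x8a\x1c\x3f\xe2" * 64          # compressed payload stand-in
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
)
GO_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"go1.21.3\x00"                               # runtime.buildVersion string
    + b"runtime.main\x00net/http.(*Client).Do\x00"  # stdlib symbols, no host prefix
    + b"example.invalid/go-red/internal/c2.(*Client).Connect\x00"
    + b"example.invalid/go-red/internal/collect.Creds\x00"
    + b"example.invalid/go-red/cmd/agent.main\x00"
    + b"github.com/quic-go/quic-go.(*conn).run\x00"  # constructed dependency entry
)

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# host.tld/path, stopping at the '.' that separates package path from symbol name.
# Package paths containing dots (e.g. gopkg.in/yaml.v3) are truncated by this regex.
GO_PATH_RE = re.compile(rb"(?<![A-Za-z0-9./-])([a-z0-9][a-z0-9.-]*\.[a-z]{2,}/[A-Za-z0-9_/-]+)")
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")


def printable_strings(data: bytes, min_len: int = 6):
    """Yield runs of printable ASCII, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.group(0)


def is_upx_packed(data: bytes) -> bool:
    """True if the UPX loader or info banner is present. Strings inside the
    packed payload are compressed, so unpack with `upx -d` before string triage."""
    return any(marker in data for marker in UPX_MARKERS)


def go_version(data: bytes):
    m = GO_VERSION_RE.search(data)
    return m.group(0).decode("ascii") if m else None


def go_package_paths(data: bytes):
    """Unique Go package paths (host/module/pkg) seen in symbol strings.
    Standard-library packages carry no host prefix and are skipped."""
    found = set()
    for s in printable_strings(data):
        for m in GO_PATH_RE.finditer(s):
            found.add(m.group(1).decode("ascii"))
    return sorted(found)


def triage(data: bytes) -> dict:
    """Summarise packing status, Go toolchain version and module hosts."""
    packages = go_package_paths(data)
    hosts = Counter(p.split("/")[0] for p in packages)
    return {
        "upx_packed": is_upx_packed(data),
        "go_version": go_version(data),
        "packages": packages,
        "hosts": dict(hosts),   # the dominant host is usually the first-party module
    }


if __name__ == "__main__":
    for name, blob in (("packed", UPX_PACKED_SAMPLE), ("unpacked", GO_SAMPLE)):
        print(name, triage(blob))
```

On a packed file the package list comes back empty, because UPX compresses the original sections; the `upx_packed` flag is the cue to unpack first. On the unpacked sample the host counter separates the first-party module from the dependency, which is what made the GoRed naming visible.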

GoRed is a sophisticated backdoor that lets operators connect to an infected host and execute commands, much like Command and Control (C2) frameworks such as Cobalt Strike or Sliver. It communicates with its C2 server over an RPC protocol carried on several transports, including DNS and ICMP tunneling, WebSocket Secure (WSS), and QUIC, which helps conceal its traffic from network monitoring.
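Of the transports listed above, DNS tunneling is the one a defender can most readily hunt for in existing resolver logs. The following Python script is an added detection example, not something from the Positive Technologies report or the GoRed sample: it groups queries by client and registrable domain and flags groups whose subdomain labels look like encoded data. The log format, the domain cdn-sync.invalid and the thresholds are constructed assumptions for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines for the demonstration (not real traffic).
# Assumed format: "<timestamp> <client-ip> <query-type> <query-name>".
SAMPLE_LOG = """\
2024-03-12T10:00:01Z 10.0.0.5 A www.example.org
2024-03-12T10:00:02Z 10.0.0.5 AAAA www.example.org
2024-03-12T10:00:03Z 10.0.0.5 A mail.example.org
2024-03-12T10:00:04Z 10.0.0.7 TXT 6a3f9c2e1b8d4f7a0c5e2b9d.4e1a7c3f9b2d8e6a.t.cdn-sync.invalid
2024-03-12T10:00:05Z 10.0.0.7 TXT b19e4c7a2f8d3e6b0a5c9f1e.2d7b4a9c1e8f3b6d.t.cdn-sync.invalid
2024-03-12T10:00:06Z 10.0.0.7 TXT f3a8d1c6e9b2457f0e3c8a1d.9c2e7b4f1a6d3e8b.t.cdn-sync.invalid
2024-03-12T10:00:07Z 10.0.0.7 TXT 7c1e9b4f2a8d6c3e5b0f9a2d.1e6c3b8a9d2f4e7c.t.cdn-sync.invalid
2024-03-12T10:00:08Z 10.0.0.7 TXT 2e8b5f1a9d4c7e3b6a0f2c9d.8a3e6c1b4d9f2e7a.t.cdn-sync.invalid
2024-03-12T10:00:09Z 10.0.0.5 A static.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (prefix_labels, base_domain). Treating the last two labels as the
    registrable domain is wrong for suffixes such as co.uk; a real deployment
    should consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def detect_tunneling(log_text: str, min_queries: int = 3, min_reasons: int = 2) -> dict:
    """Flag (client, base_domain) groups showing at least `min_reasons` tunneling
    indicators: high-entropy subdomains, long subdomains, bulk-capable record
    types (TXT/NULL), and a fresh subdomain on every query."""
    groups = defaultdict(list)
    for _ts, client, qtype, qname in parse_log(log_text):
        prefix_labels, base = split_name(qname)
        groups[(client, base)].append((qtype.upper(), ".".join(prefix_labels)))

    flagged = {}
    for key, records in groups.items():
        n = len(records)
        if n < min_queries:
            continue
        prefixes = [p for _q, p in records]
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / n
        mean_len = sum(len(p) for p in prefixes) / n
        bulk_ratio = sum(1 for q, _p in records if q in ("TXT", "NULL")) / n
        reasons = []
        if mean_entropy >= 3.2:      # hex/base32 payloads sit near 3.5-4.0 bits
            reasons.append("high_entropy")
        if mean_len >= 24:           # ordinary hostnames are far shorter
            reasons.append("long_prefix")
        if bulk_ratio >= 0.5:
            reasons.append("bulk_qtype")
        if len(set(prefixes)) == n:  # alone this is normal for small groups
            reasons.append("all_unique")
        if len(reasons) >= min_reasons:
            flagged[key] = {
                "queries": n,
                "mean_entropy": round(mean_entropy, 2),
                "mean_prefix_len": round(mean_len, 1),
                "bulk_qtype_ratio": round(bulk_ratio, 2),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for (client, base), details in detect_tunneling(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {details}")
```

The heuristics are deliberately combined, since any one of them fires on legitimate traffic (CDNs and anti-spam services produce long, unique, high-entropy labels). ICMP tunneling, WSS and QUIC leave no trace in resolver logs and need flow or packet data instead.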

The GoRed backdoor can extract credentials from compromised systems and gather a range of system information. It also supports several network reconnaissance commands, and it exfiltrates the collected data to a designated server.

ExCobalt gained initial access to its targets through a previously compromised contractor: in a supply chain attack, the group infected a component used to build the target company's legitimate software.

The group used Spark RAT to execute commands on compromised hosts, alongside a range of tools in the attack chain, including Mimikatz, ProcDump, SMBExec, Metasploit, and rsocx. It also exploited several known vulnerabilities for initial access and privilege escalation, including CVE-2019-12725 (Zeroshell), CVE-2019-13272 (Linux kernel ptrace), CVE-2021-3156 (sudo, "Baron Samedit"), CVE-2021-4034 (polkit pkexec, "PwnKit"), CVE-2021-40438 (Apache mod_proxy SSRF), CVE-2021-44228 (Log4Shell), CVE-2022-2586 (Linux kernel netfilter), CVE-2022-27228 (Bitrix), and CVE-2023-3519 (Citrix NetScaler ADC and Gateway).

The report concludes, “ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly adding new tools to its arsenal and improving its techniques... ExCobalt is apparently aiming for more sophisticated and productive methods of hacking and cyberespionage, seeing how GoRed has been acquiring new capabilities and features. These include expanded functionality for collecting victim data and increased secrecy both inside the infected system and in communications with C2 servers.”
