Positive Technologies discovers a new backdoor in the ExCobalt arsenal

The Positive Technologies Expert Security Center (PT ESC) has spotted a previously unknown backdoor written in Go. It is used by ExCobalt, an APT group targeting Russian companies.

"During an incident investigation in March 2024, we discovered a file named scrond, compressed with the UPX packer (Ultimate Packer for eXecutables), on a Linux host of our customer," said Denis Kuvshinov, Head of Threat Analysis at the Positive Technologies Expert Security Center. "The unpacked code sample written in Go contained packet paths with the substring red.team/go-red/. This led us to conclude that the sample might be a proprietary tool called GoRed. During the analysis of GoRed, we realized that we had previously encountered several versions of this program while responding to incidents at some customers."
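The two traits the analysts describe above, a UPX-packed ELF and Go package paths containing `red.team/go-red/`, are cheap to check statically during triage. The script below is an added example (not code from Positive Technologies or from the report) that flags both and, importantly, refuses to treat a "no indicator" result on a still-packed sample as clean, since the strings are compressed until the file is unpacked. The sample byte strings are constructed placeholders, and the `pkg/example` sub-path is invented for illustration.

```python
"""Static triage of a Linux sample for the two traits PT ESC describes:
UPX packing and Go package paths carrying the red.team/go-red/ substring.
Added example; not code from Positive Technologies. Sample bytes below are
constructed placeholders, not real GoRed artifacts."""
import re

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"                  # literal marker UPX leaves in packed files
GO_BUILDINFO = b"\xff Go buildinf:"   # magic of the Go build-info blob (Go 1.13+)
GORED_INDICATOR = b"red.team/go-red/" # substring named in the PT ESC report

# Go binaries keep import paths as plain strings ("host.tld/owner/pkg").
GO_IMPORT_PATH = re.compile(rb"[a-z0-9.\-]+\.[a-z]{2,}/[A-Za-z0-9_.\-/]+")


def is_elf(data: bytes) -> bool:
    return data[:4] == ELF_MAGIC


def is_upx_packed(data: bytes) -> bool:
    # Cheap heuristic: the UPX stub string is present. A packer configured to
    # strip it would evade this, so treat a miss as "unknown", not "clean".
    return UPX_MARKER in data


def looks_like_go(data: bytes) -> bool:
    return GO_BUILDINFO in data or b".gopclntab" in data


def go_import_paths(data: bytes) -> list:
    return sorted({m.decode("ascii", "replace") for m in GO_IMPORT_PATH.findall(data)})


def triage(data: bytes) -> dict:
    paths = go_import_paths(data)
    report = {
        "elf": is_elf(data),
        "upx_packed": is_upx_packed(data),
        "go_binary": looks_like_go(data),
        "gored_indicator": GORED_INDICATOR in data,
        "import_paths": paths,
        "note": "",
    }
    # Strings inside a UPX-packed body are compressed: a negative indicator
    # result means nothing until the sample is unpacked (upx -d) and rescanned.
    if report["upx_packed"] and not paths:
        report["note"] = "UPX-packed and no cleartext paths: unpack, then rescan"
    return report


# Constructed samples (placeholders, not real binaries).
SAMPLE_PACKED = ELF_MAGIC + b"\x00" * 12 + UPX_MARKER + b"\x00" * 32
SAMPLE_UNPACKED = (
    ELF_MAGIC + b"\x00" * 12 + GO_BUILDINFO + b"\x00" * 16
    + b"red.team/go-red/pkg/example\x00"   # placeholder sub-path, not from the report
    + b"golang.org/x/sys/unix\x00"
)

if __name__ == "__main__":
    for name, blob in (("packed", SAMPLE_PACKED), ("unpacked", SAMPLE_UNPACKED)):
        print(name, triage(blob))
```

Run it against the packed placeholder and the only useful output is the note telling you to unpack first; against the unpacked one it surfaces both the indicator and the full list of embedded import paths, which is the same view the analysts used to attribute the sample.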

Further analysis of the tool allowed the experts to link it to the ExCobalt group, whose attacks were described by PT ESC in November 2024.

ExCobalt is known for its attacks on Russian mining, metal, and telecommunications companies, as well as the public sector. It also engages in cyberespionage and data theft.

PT ESC dubbed the new backdoor GoRed, after the discovered code sample. It has numerous functions, including remote command execution, collection of data from compromised systems, and various methods of communication with command-and-control servers.

According to security researchers at Positive Technologies, ExCobalt continues its attacks against Russian companies, constantly improving its methods and tools, including the GoRed backdoor. The APT group keeps expanding the GoRed functionality to enable more sophisticated and covert attacks along with cyberespionage. ExCobalt members use such modified tools to bypass security controls, demonstrating their flexibility and a deep understanding of corporate vulnerabilities. Overall, the development of ExCobalt highlights the need for enterprises and government agencies to continuously improve their defenses and attack detection techniques to withstand current cyberthreats.

For the full report, visit the PT ESC blog.