In today’s evolving digital world, cybersecurity threats are continually emerging, putting our digital infrastructure at risk. One such threat making headlines is a new Remote Access Trojan (RAT) known as GobRAT. This malicious software has been specifically targeting Linux routers in Japan, underlining the global nature of cybersecurity threats and the increasing sophistication of those launching them.

The Mechanics of GobRAT

To fully understand the severity of the threat posed by GobRAT, it’s crucial to delve into its mechanics. The attacker begins by targeting a router with a public-facing Web User Interface (WEBUI). They then execute scripts, possibly exploiting vulnerabilities, which subsequently infect the system with GobRAT.

Following the compromise of an internet-exposed router, the attacker deploys a loader script. This script serves as a pipeline for delivering GobRAT to the target system. Once launched, GobRAT masquerades as the Apache daemon process (apached) to evade detection. This subterfuge allows the malware to operate undetected, making it significantly more challenging for security measures to identify and neutralize the threat.

Moreover, the loader is equipped with capabilities that further enhance its destructive potential. These include disabling firewalls, establishing persistence using the cron job scheduler, and registering an SSH public key in the .ssh/authorized_keys file to enable remote access. These features give the attacker extensive control over the compromised system, underscoring the potential damage that GobRAT can inflict.

The Command Structure

GobRAT communicates with a remote server using the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution. This secure communication channel makes it harder for cybersecurity measures to intercept the commands sent by the attackers and prevent the execution of malicious activities.

The major commands that GobRAT can execute include:

  1. Obtain machine information: This allows the attacker to gain detailed knowledge about the compromised system, further enabling them to tailor their subsequent actions to the specifics of the target environment.
  2. Execute reverse shell: A reverse shell grants the attacker remote command-line access to the compromised system, essentially providing them with the same level of control over the system as a local user.
  3. Read/write files: This capability can be used for a variety of purposes, ranging from data theft to the alteration or deletion of critical system files, potentially causing significant disruption or damage.
  4. Configure new command-and-control (C2) and protocol: This allows the attacker to modify the communication channel between the compromised system and the C2 server, making it more difficult for defenders to disrupt this communication and neutralize the threat.
  5. Start SOCKS5 proxy: This enables the attacker to route their network traffic through the compromised system, which can serve to conceal their real IP address and further complicate the task of identifying and stopping them.
  6. Execute file in /zone/frpc: This might be used to run additional malicious scripts or programs on the compromised system.
  7. Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine: This demonstrates the ability of GobRAT to leverage the compromised system to attack additional systems, potentially leading to a widespread infection within a network.

The Bigger Picture

The emergence of GobRAT is part of a larger trend of increasingly sophisticated malware targeting routers. Business-grade routers have been compromised to spy on victims in Latin America, Europe, and North America by a malware known as HiatusRAT. This escalating pattern of attacks on network infrastructure highlights the critical need for organizations and individuals to prioritize the security of their network devices, particularly routers that serve as a gatewayto their networks.

Another noteworthy point is the use of the Golang programming language in the development of GobRAT. The combination of Golang’s simplicity, efficiency, and ability to compile to a single binary file for multiple platforms makes it an attractive choice for cybercriminals.


The rise of GobRAT underscores the increasing sophistication of cyber threats and the importance of robust and proactive cybersecurity measures. It serves as a timely reminder for businesses and individuals to review and strengthen the security of their routers and other network devices.

In a world where our reliance on digital infrastructure continues to grow, threats like GobRAT represent a significant risk. As such, maintaining up-to-date security practices, including regular patching, use of strong, unique passwords, enabling firewalls, and disabling unnecessary services, can go a long way in safeguarding against such threats. Furthermore, continuous monitoring of network traffic and keeping an eye out for any irregularities can aid in early detection and mitigation of such threats.

Our defense against threats like GobRAT lies in our vigilance and readiness. By staying informed about the evolving cyber threat landscape and being proactive in maintaining and updating our cybersecurity measures, we can make strides in protecting our digital world.

Source: https://thehackernews.com/2023/05/new-gobrat-remote-access-trojan.html

Leave a Reply

Your email address will not be published. Required fields are marked *