Hackers often abuse DNS and ICMP tunneling to transmit data covertly and bypass network security measures.
These protocols, which poorly protected firewalls often leave open, can be manipulated to create hidden communication routes for transferring sensitive data out or creating entry points for unauthorized users.
This evasion technique enables threat actors to maintain persistence and avoid detection within compromised networks.
Positive Technologies researchers recently discovered that ExCobalt’s new tool, GoRed, uses DNS and ICMP tunneling for C2 server communication.
GoRed Using DNS & ICMP Tunneling
ExCobalt, a group of cyber criminals likely to be an extension of Cobalt, notoriously known for attacks on financial institutions, has been using a newly discovered Go backdoor.
The PT ESC CSIRT team came across this while responding to an incident in one of their customers’ organizations.
ExCobalt is a cyber espionage group that has been active since at least 2016 and probably comes from the Cobalt gang.
However, ExCobalt adopted the CobInt tool, which was synonymous with Cobalt by 2022.
PT ESC reported several attacks and investigated other incidents connected to ExCobalt against Russian entities in different industries in the previous year.
The key features of the GoRed backdoor are:
- C2 framework for executing commands
- RPC protocol for C2 communication
- DNS/ICMP tunneling, WSS, and QUIC for communication
- Credential harvesting from compromised systems
- Data collection
- Reconnaissance capabilities on victim networks
- Data serialization, encryption, archiving, and exfiltration to a dedicated server
While investigating an incident on a client's Linux host in March 2024, the team identified a Go-based tool known as GoRed, compressed with UPX in a file called scrond, that could be associated with 2019’s “Red Team” site.
Multiple variants of this backdoor had also been encountered during previous client incident responses, such as in July 2023 and October 2023, when it was found together with other tools like Mimikatz, ProcDump, SMBExec, Metasploit, and Rock.
GoRed’s C2 servers included leo.rpm-bin.link, sula.rpm-bin.link, lib.rest and rosm.pro while ExCobalt used domains like lib.rpm-bin.link, get.rpm-bin.link, and leo.rpm-bin.link.
GoRed's control flow is driven by its CLI: it first initializes the commands and then transfers control to them.
First, the service command is initialized, which gives the backdoor persistence on the system.
To maintain its presence, it creates environment variables that begin with “BB.” The control flow then switches to the gecko command, which acts as the entry point in beacon mode.
Depending on the protocol option, it fetches C2 from the transport configuration and initiates beacon activity. To identify victims, this malware generates an ID by hashing computer information.
After initializing and connecting with C2, the RPC protocol is used to register for beacon functionality.
It then runs birdwatch to monitor the file system, sets the heartbeat period, monitors, and initializes the available commands to enter heartbeat mode.
The C2 communication employs RPC using custom CBOR serialization with AES-256-GCM encryption.
The configuration includes built-in (Base64 encoded, msgpack serialized) and transport blocks. DNS tunneling uses Base64 or Base32, and the background commands run continuously.
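A defender-side sketch of how the Base32/Base64 DNS tunneling described above can be surfaced in resolver logs. This is an added example, not code from the article or from Positive Technologies; the thresholds, function names and sample query names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed thresholds for illustration; tune them against your own resolver logs.
MIN_LABEL_LEN = 16     # shorter labels are treated as ordinary hostnames
MIN_UNIQUE_LABELS = 4  # distinct encoded-looking labels per zone before alerting
BASE32_RE = re.compile(r"[A-Za-z2-7]+=*")      # RFC 4648 Base32 alphabet
BASE64_RE = re.compile(r"[A-Za-z0-9+/_-]+=*")  # standard and URL-safe Base64

def classify_label(label):
    """Return 'base32', 'base64' or None for a single DNS label."""
    if len(label) < MIN_LABEL_LEN:
        return None
    single_case = label.islower() or label.isupper()
    if BASE32_RE.fullmatch(label) and single_case and re.search(r"[2-7]", label):
        return "base32"
    mixed = all(re.search(p, label) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    if BASE64_RE.fullmatch(label) and mixed:
        return "base64"
    return None

def find_tunnel_zones(qnames):
    """Count distinct encoded-looking labels per parent zone and report heavy zones."""
    seen = defaultdict(lambda: defaultdict(set))
    for qname in qnames:
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-2:]).lower()  # naive; use the Public Suffix List in production
        for label in labels[:-2]:
            kind = classify_label(label)
            if kind:
                seen[zone][kind].add(label)
    return {zone: {k: len(v) for k, v in kinds.items()}
            for zone, kinds in seen.items()
            if sum(len(v) for v in kinds.values()) >= MIN_UNIQUE_LABELS}

# Constructed sample query names (reserved example domains, not from the report).
SAMPLE_QNAMES = [
    "autodiscover-prod-eu.mail.example.com.",           # long but ordinary hostname
    "a2b3c4d5e6f7a2b3c4d5.cdn.example.org.",            # looks encoded, only one label
    "mfrggzdfmztwq2lknnwg23tp.data.c2-demo.example.",
    "mfrggzdfmztwq2lknnwg23tp.data.c2-demo.example.",   # retry, counted once
    "obyxe43uov3ho6dzpi4tqmjs.data.c2-demo.example.",
    "nbswy3dpeb3w64tmmqqgc3tt.data.c2-demo.example.",
    "krugs4zanfzsaylomvzxi2lo.data.c2-demo.example.",
    "VGhpcyBpcyBhIGNvbnN0cnVjdGVk.data.c2-demo.example.",
]

if __name__ == "__main__":
    print(find_tunnel_zones(SAMPLE_QNAMES))
```

Counting distinct labels per zone, rather than judging a single name, keeps one-off hashed hostnames such as CDN asset names from alerting.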
ExCobalt continues enhancing GoRed with new features for data collection, secrecy, and leveraging vulnerabilities.