New research has uncovered an “uncommon” piece of malware used to attack a large software development company whose products are employed by many governmental bodies in Ukraine. The malware, first observed on May 19, 2022, is a customized build of the open-source GoMet backdoor and is intended to maintain persistent access to the victim network.
“This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise,” Cisco Talos revealed in a report.
The cybersecurity company’s assessment points to Russian nation-state activity, although there are no specific indicators tying the attack to a particular person or organization. Only two prior uses of GoMet in real-world attacks have been made public. The first, in 2020, coincided with the disclosure of CVE-2020-5902, a critical remote code execution vulnerability in F5’s BIG-IP networking products. The second, earlier this year, involved an unidentified advanced persistent threat (APT) group exploiting CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall.
“We haven’t seen GoMet deployed across the other organizations we’ve been working closely with and monitoring so that implies it is targeted in some manner but could be in use against additional targets we don’t have visibility into,” said Nick Biasini, head of outreach for Cisco Talos. “We have also conducted relatively rigorous historic analysis and see very little use of GoMet historically which further indicates that it is being used in very targeted ways.”
GoMet, as its name suggests, is written in the Go programming language and gives the attacker remote control over the compromised system. Its features include uploading and downloading files, running arbitrary commands, and using the initial foothold to reach other systems and networks by daisy-chaining connections through already compromised hosts. The implant can also execute cron-style scheduled tasks, which is a noteworthy feature. In the original code the cron job runs once every hour; the modified backdoor used in this operation instead runs every two seconds, checking whether the malware still has a connection to its command-and-control server.
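That two-second check-in is the kind of behaviour a defender can look for in network telemetry: one host contacting one destination at a tight, fixed interval. The script below is an added example, not Cisco Talos tooling or GoMet code. It parses a constructed flow log in a made-up “timestamp src dst dport” format, groups connections per (src, dst, port), and flags pairs whose inter-connection gaps are short and nearly constant. The hosts, addresses and log format are assumptions for illustration; the sample log is fabricated.

```python
"""Flag fixed-interval outbound connections (C2 check-in beaconing) in a flow log.

Added example, not GoMet code or Talos tooling. The input format
("ISO-timestamp src dst dport", one flow per line) and all addresses are
constructed for illustration. The GoMet variant described above checks its
C2 every two seconds; the detector looks for any short, regular cadence,
not only two seconds, so it generalizes beyond that one case.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real traffic). 10.0.0.5 beacons to 203.0.113.10
# every ~2 s with small jitter; 10.0.0.7 has the same number of connections
# to 198.51.100.20 but with the irregular gaps of ordinary browsing.
SAMPLE_LOG = """\
2022-05-19T10:00:00.000 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:02.010 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:04.000 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:06.020 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:07.990 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:10.000 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:12.010 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:14.000 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:16.010 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:18.000 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:20.010 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:22.000 10.0.0.5 203.0.113.10 443
2022-05-19T10:00:01.000 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:01.300 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:06.300 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:07.500 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:47.500 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:49.500 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:49.600 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:56.600 10.0.0.7 198.51.100.20 443
2022-05-19T10:00:59.600 10.0.0.7 198.51.100.20 443
2022-05-19T10:01:19.600 10.0.0.7 198.51.100.20 443
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (median gap in seconds, jitter) for one src/dst/port tuple.

    Jitter is the median absolute deviation of the gaps divided by the
    median gap, so a perfectly periodic beacon scores 0 and irregular
    human-driven traffic scores close to or above 1.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return med, float("inf")
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(log_text, min_events=10, max_interval_s=60.0, max_jitter=0.1):
    """Return {(src, dst, dport): stats} for tuples that look like beacons.

    A tuple is flagged when it has at least min_events connections, a median
    gap no longer than max_interval_s, and jitter no higher than max_jitter.
    Raise max_interval_s to 3600 to hunt for the stock GoMet hourly cadence;
    the same logic applies, you just need a longer observation window.
    """
    hits = {}
    for key, stamps in parse_flows(log_text).items():
        if len(stamps) < min_events:
            continue
        med, jitter = beacon_score(stamps)
        if med <= max_interval_s and jitter <= max_jitter:
            hits[key] = {
                "events": len(stamps),
                "interval_s": round(med, 3),
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {src} -> {dst}:{port} {stats}")
```

Both hosts make ten or more connections inside the window, so only the cadence test separates them: the beaconing host is flagged with a median gap of about two seconds and near-zero jitter, while the browsing host is rejected on jitter alone. In production the thresholds need tuning per environment, and legitimate periodic traffic (NTP, heartbeats, monitoring agents) should be allow-listed before alerting.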
According to Biasini, most of the recent attacks revolve around obtaining access, either directly or by acquiring credentials, and the use of GoMet as a backdoor here is another example of that pattern. Once access is established, broader reconnaissance and follow-on operations can be carried out. It is difficult to predict what those follow-on actions would be, because defenders are working to stop the intrusions before they reach that stage. The findings were disclosed as U.S. Cyber Command released indicators of compromise (IoCs) for several malware strains recently used against Ukrainian networks, including GrimPlant, GraphSteel, Cobalt Strike Beacon, and MicroBackdoor.
The phishing campaigns that delivered those strains have since been attributed by cybersecurity firm Mandiant to two espionage actors, UNC1151 (aka Ghostwriter) and UNC2589. UNC2589 is believed to act in support of Russian government interests and has conducted extensive espionage collection in Ukraine; the as-yet uncategorized cluster is also suspected of being behind the mid-January 2022 WhisperGate (also known as PAYWIPE) data-wiper attacks. Microsoft tracks the same entity as DEV-0586 and has linked it to Russia’s GRU military intelligence.