
IoT Malware Riding Pegasus – How to Hunt and Analyze GobRAT

GobRAT is a Golang malware targeting routers and other Linux devices, discovered in February 2023, with samples for various architectures (x86, x86-64, MIPS, ARM). This presentation will describe the details of GobRAT, introduce analysis tools for the malware, and demonstrate a method for hunting its C2 servers.

First, the attack flow using this malware will be described, based on cases we have handled. After that, GobRAT's internal structure, mode of execution and custom communication protocols, as obtained by reverse-engineering the malware, are presented. The malware can control the communications of the infected router and perform further attacks against the internal network. Attackers have been continuously developing GobRAT, and it has now become a sophisticated RAT containing 32 commands. In this presentation, the commands added and those updated in the new version will be explained with demonstrations.

Next, a GobRAT hunting method is introduced. Most types of GobRAT cannot be hunted by VirusTotal. However, since this malware uses a custom protocol to communicate with its C2 servers, those C2 servers can be discovered by scanning, and new versions of GobRAT can then be obtained from the download server. In this presentation, a method for hunting GobRAT's C2 servers and a list of C2 servers obtained by the scan will be presented. Finally, a GobRAT string decrypter and a command emulation tool, which the speaker created to support the analysis of GobRAT, will be presented with a demonstration. After that, the speaker will propose ways to address GobRAT. From this presentation, you will understand how to analyze IoT malware and how to hunt C2 servers in order to respond to similar malware.

Mr. Yuma Masubuchi

Yuma Masubuchi has been engaged in malware analysis in the JPCERT/CC Incident Response Group since 2020. He has delivered training on malware analysis techniques and has also shared technical findings on JPCERT/CC's blog (https://blogs.jpcert.or.jp/en/). He received an M.S. degree in Informatics from the Institute of Information and Security in 2021. He has presented at CODE BLUE.