Double check your Zabbix agents: The mystery of GoblinRAT

Some time ago, our team spotted how something in the network of a critical infrastructure organization was deleting system logs. We didn't find anything suspicious during the initial analysis of the affected machine; however, at some point we spotted a malicious service that looked like a Zabbix agent on a neighboring host. Further investigation revealed that the agent was in fact a malicious program, which we called GoblinRAT.

One of the most interesting things about it is how hard it tries to be invisible to security engineers:

  • it has lots of code features aimed at evading detection (self-destruction, process masquerading, port-knocking, etc.);
  • it used hacked websites of legitimate businesses for C2 communications;
  • as we have been unraveling incidents involving GoblinRAT, we have not seen two samples of this malware use the same persistence technique.
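The masquerading point above is the one the title asks operators to act on: a service that is named like a Zabbix agent is not necessarily the Zabbix agent. The script below is an added illustration, not code from the talk or from the researchers, of the kind of check a defender can run: it lists processes whose name or command line claims to be Zabbix, and flags any whose executable does not live at one of the expected package install paths, including the case where the binary has already been unlinked from disk (a trait consistent with the self-destruction feature mentioned above). The expected paths and the sample process records are assumptions constructed for this example; adjust the paths to your distribution's packaging.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed install locations of a genuine Zabbix agent on a typical Linux package
# (constructed for this example; verify against your own package manager's file list).
EXPECTED_AGENT_PATHS = {"/usr/sbin/zabbix_agentd", "/usr/sbin/zabbix_agent2"}


@dataclass
class ProcessRecord:
    pid: int
    comm: str       # kernel-visible short name, as in /proc/<pid>/comm
    exe: str        # resolved target of /proc/<pid>/exe
    cmdline: str    # argv joined with spaces


def is_suspicious_agent(proc: ProcessRecord) -> Optional[str]:
    """Return a reason string if the process presents itself as a Zabbix agent
    but its executable is not where a packaged agent would be; None otherwise."""
    claims_zabbix = "zabbix" in proc.comm.lower() or "zabbix" in proc.cmdline.lower()
    if not claims_zabbix:
        return None
    if proc.exe in EXPECTED_AGENT_PATHS:
        return None
    # Linux appends " (deleted)" to the exe link when the running binary was unlinked.
    if proc.exe.endswith(" (deleted)"):
        return "executable deleted from disk while the process is still running"
    return f"executable at unexpected path: {proc.exe}"


def audit(records: List[ProcessRecord]) -> List[Tuple[int, str]]:
    """Apply the check to a list of process records and return (pid, reason) pairs."""
    findings = []
    for proc in records:
        reason = is_suspicious_agent(proc)
        if reason is not None:
            findings.append((proc.pid, reason))
    return findings


def scan_proc(proc_root: str = "/proc") -> List[ProcessRecord]:
    """Collect process records from a live Linux /proc tree. Processes that
    disappear mid-scan or that we lack permission to inspect are skipped."""
    records = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm"), "r") as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").decode("utf-8", "replace").strip()
            exe = os.readlink(os.path.join(base, "exe"))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        records.append(ProcessRecord(int(entry), comm, exe, cmdline))
    return records


# Constructed sample records: one genuine agent, one look-alike started from /tmp,
# and one whose binary has already removed itself from disk.
SAMPLE_RECORDS = [
    ProcessRecord(1201, "zabbix_agentd", "/usr/sbin/zabbix_agentd",
                  "/usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf"),
    ProcessRecord(2345, "zabbix_agentd", "/tmp/.cache/zabbix_agentd",
                  "/tmp/.cache/zabbix_agentd -c /tmp/.cache/agent.conf"),
    ProcessRecord(2346, "zabbix_agentd", "/dev/shm/zabbix_agentd (deleted)",
                  "zabbix_agentd"),
    ProcessRecord(777, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]


if __name__ == "__main__":
    for pid, reason in audit(SAMPLE_RECORDS):
        print(f"pid {pid}: {reason}")
    # On a real host, replace SAMPLE_RECORDS with scan_proc() to audit live processes.
```

A path check like this is a first filter, not proof of integrity: a complete check would also compare the on-disk binary against the package manager's recorded hashes and confirm that the service unit starting it belongs to the installed package.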

The RAT was used in one of the stealthiest and most mysterious attacks we have ever investigated. We saw it on a very limited number of targets, and nowhere else. We tried to search on our own; we shared our samples with industry colleagues, but the result was nothing. We managed to follow the malware's evolution from 2020 to 2022. In our talk we will conduct a deep dive into how GoblinRAT works, and perhaps, with the help of our colleagues from different parts of the world, we will manage to solve the riddle of GoblinRAT: shed light on its origin and on its activities outside of those we saw in our investigations.

Vladimir Nestor – Solar

Vladimir started his career in cyber security as a digital forensic engineer during his university studies at UTMN in 2018. At the same time he participated in a large number of CTF challenges, which helped him develop his reverse engineering skills. Vladimir put this invaluable experience to use against modern cyber threats when he joined Solar in 2021; he was later promoted to head of reverse engineering in the 4RAYS research team. He is also working on his PhD and is currently a PhD candidate at the Cryptology and Cybersecurity department of MePHI, Moscow.