Introduction
In recent cybersecurity news, the ExCobalt cybercrime group has emerged as a significant threat, targeting a range of Russian sectors with a Golang-based backdoor known as GoRed. This article summarises the group's background, its methods, and what its activity means for defenders.
Background of ExCobalt
ExCobalt has been active since at least 2016 and is believed to include former members of the infamous Cobalt Gang, which was notorious for attacks on financial institutions and used the CobInt tool to steal funds. ExCobalt has used the same tooling since 2022, which points to continuity between the two groups, although ExCobalt's current operations are cyber espionage rather than direct theft.
Targeted Sectors
Over the past year, ExCobalt has focused its attacks on a variety of sectors in Russia, including:
- Government: Attacking governmental institutions to gather sensitive information.
- Information Technology: Targeting IT firms to compromise infrastructure and exfiltrate data.
- Metallurgy and Mining: Targeting metallurgical and mining companies for proprietary information.
- Software Development: Infiltrating development environments to implant malicious code.
- Telecommunications: Breaching communication networks to monitor and steal data.
Initial Access and Methods
ExCobalt employs a combination of sophisticated techniques to gain initial access to target environments:
- Supply Chain Attacks: Compromising a component used in the target’s software development process.
- Compromised Contractors: Using access to a previously compromised contractor to pivot into the target's systems.
Once inside, ExCobalt uses a variety of tools to maintain access and execute their malicious activities:
- Metasploit: For exploiting vulnerabilities and gaining control over systems.
- Mimikatz: To extract credentials from Windows systems.
- ProcDump: For dumping process memory (typically LSASS, so that credentials can be extracted offline).
- SMBExec: For executing commands on remote Windows hosts over SMB.
- Spark RAT: For remote access and control.
- Linux Privilege Escalation Exploits: CVE-2019-13272 (kernel ptrace credential mishandling), CVE-2021-3156 (sudo "Baron Samedit" heap overflow), CVE-2021-4034 (polkit pkexec "PwnKit"), and CVE-2022-2586 (kernel nf_tables use-after-free).
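The tooling above leaves fairly characteristic command-line and log artefacts, which makes it a reasonable starting point for hunting. The following is an added example, not code from the original article or from the report it summarises: a few hunting rules run over a handful of constructed telemetry records. The match strings are assumptions based on each tool's default behaviour (ProcDump's lsass argument, Mimikatz module names, Impacket smbexec's `__output`/`execute.bat` staging, and the syslog message pkexec emits when CVE-2021-4034 is attempted), not indicators published in the report; hostnames, PIDs and paths are made up.

```python
"""Added example, not code from the article or the report it summarises.

Hunting rules for the ExCobalt tool set listed above, run over constructed
sample telemetry. The patterns are assumptions based on each tool's default
artefacts, not indicators taken from the original report.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    eid: int
    host: str
    source: str   # "win_proc": Windows process creation; "linux_syslog": syslog line
    text: str     # command line (win_proc) or log message (linux_syslog)


# (rule name, telemetry source, regexes that must ALL match the event text)
RULES = [
    # ProcDump pointed at LSASS: the usual credential-dump precursor to Mimikatz.
    ("procdump_lsass_dump", "win_proc",
     [r"procdump(64)?(\.exe)?", r"\blsass\b"]),
    # Mimikatz binary name or its module names inside a script/command line.
    ("mimikatz_credential_access", "win_proc",
     [r"(mimikatz|sekurlsa::|lsadump::|privilege::debug)"]),
    # Impacket smbexec default staging: output redirected to an admin share
    # and the command wrapped in %TEMP%\execute.bat.
    ("impacket_smbexec_pattern", "win_proc",
     [r"\\\\127\.0\.0\.1\\[A-Za-z]\$\\__output", r"execute\.bat"]),
    # Message pkexec logs when SHELL is not a registered shell: the footprint
    # of a CVE-2021-4034 (PwnKit) attempt.
    ("pkexec_cve_2021_4034_attempt", "linux_syslog",
     [r"pkexec", r"The value for the SHELL variable was not found the /etc/shells file"]),
]


def match_rules(event: Event) -> List[str]:
    """Return the names of every rule whose patterns all match the event."""
    hits = []
    for name, source, patterns in RULES:
        if event.source != source:
            continue
        if all(re.search(p, event.text, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Run all rules over the events; returns (rule, event id, host) per hit."""
    return [(name, ev.eid, ev.host) for ev in events for name in match_rules(ev)]


# Constructed sample telemetry (hostnames, PIDs and paths are made up).
SAMPLE_EVENTS = [
    Event(1, "WS-07", "win_proc",
          r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    Event(2, "WS-07", "win_proc",
          r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"),
    Event(3, "WS-07", "win_proc",
          r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
          r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
    Event(4, "WS-07", "win_proc",
          r'powershell.exe -nop -w hidden -c "Invoke-Mimikatz -Command sekurlsa::logonpasswords"'),
    Event(5, "srv01", "linux_syslog",
          "Jun 19 10:14:02 srv01 pkexec[4021]: www-data: The value for the SHELL variable "
          "was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] "
          "[COMMAND=GCONV_PATH=./pwnkit]"),
    Event(6, "srv01", "linux_syslog",
          "Jun 19 10:15:30 srv01 sshd[4100]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block flags events 2, 3, 4 and 5 and leaves the benign svchost and sshd records alone. Name-based rules like these are cheap but easy to evade by renaming binaries or rewriting the staging commands, which is exactly the "modifying standard utilities to bypass security controls" behaviour the article attributes to ExCobalt; pair them with behavioural telemetry such as non-standard processes opening handles to LSASS, service creation following an SMB logon, and setuid binaries spawning shells on Linux.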
The GoRed Backdoor
The GoRed backdoor is the central tool in ExCobalt's arsenal. It has gone through numerous iterations, gaining the ability to:
- Execute Commands: Allowing the attackers to run arbitrary commands on infected systems.
- Credential Harvesting: Extracting and storing credentials from compromised systems.
- Data Collection: Gathering details about active processes, network interfaces, and file systems.
- Remote Procedure Call (RPC) Communication: Using RPC to communicate with command-and-control (C2) servers.
- Background Commands: Monitoring for files of interest and capturing passwords.
- Reverse Shell: Establishing a reverse shell for remote control.
The collected data is then exported to attacker-controlled infrastructure, enabling further exploitation and data theft.
Adaptability and Versatility
One of ExCobalt’s strengths lies in their ability to adapt and evolve their toolset. They continuously incorporate new tools and techniques, modifying standard utilities to bypass security controls and adapt to changes in protection methods. This flexibility makes them a formidable adversary in the cybersecurity landscape.
Implications and Conclusion
ExCobalt's activity illustrates how cybercrime groups keep raising their level of sophistication: the breadth of sectors it targets and tools such as GoRed show that no industry can rely on minimal defences. Because the group keeps adding tools and refining its techniques, defenders need current threat intelligence and controls that cover its known tradecraft, in particular supply-chain and contractor access, credential dumping, and Linux privilege escalation.