A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an “uncommon” piece of malware, new research has found.
The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network.
“This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise,” Cisco Talos said in a report shared with The Hacker News.
Although there are no concrete indicators linking the attack to a single actor or group, the cybersecurity firm’s assessment points to Russian nation-state activity.
Public reporting into the use of GoMet in real-world attacks has so far uncovered only two documented cases to date: one in 2020, coinciding with the disclosure of CVE-2020-5902, a critical remote code execution flaw in F5’s BIG-IP networking devices.
The second instance involved the successful exploitation of CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall, by an unnamed advanced persistent threat (APT) group earlier this year.
“We haven’t seen GoMet deployed across the other organizations we’ve been working closely with and monitoring so that implies it is targeted in some manner but could be in use against additional targets we don’t have visibility into,” Nick Biasini, head of outreach for Cisco Talos, told The Hacker News.
“We have also conducted relatively rigorous historical analysis and see very little use of GoMet historically which further indicates that it is being used in very targeted ways.”
GoMet, as the name implies, is written in Go and comes with features that allow the attacker to remotely commandeer the compromised system, including uploading and downloading files, running arbitrary commands, and using the initial foothold to propagate to other networks and systems via what’s called a daisy chain.
Another notable feature of the implant is its ability to run scheduled jobs using cron. While the original code is configured to execute cron jobs once every hour, the modified version of the backdoor used in the attack is built to run every two seconds and ascertain if the malware is connected to a command-and-control server.
“The majority of the attacks we’ve been seeing lately are related to access, either directly or through credential acquisition,” Biasini said. “This is another example of that with GoMet being deployed as a backdoor.”
“Once the access has been established, additional reconnaissance and more thorough operations can follow. We’re working to kill the attacks before they get to this stage so it’s difficult to predict the types of follow-on attacks.”
The findings come as the US Cyber Command on Wednesday shared the indicators of compromise (IoCs) pertaining to different types of malware such as GrimPlant, GraphSteel, Cobalt Strike Beacon, and MicroBackdoor targeting Ukrainian networks in recent months.
Cybersecurity firm Mandiant has since attributed the phishing attacks to two espionage actors tracked as UNC1151 (aka Ghostwriter) and UNC2589, the latter of which is suspected to “act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine.”
The uncategorized threat cluster UNC2589 is also believed to be behind the WhisperGate (aka PAYWIPE) data wiper attacks in mid-January 2022. Microsoft, which is tracking the same group under the name DEV-0586, has assessed it to be affiliated to Russia’s GRU military intelligence.