Ukraine suffers from another backdoor, dubbed GoMet

July 29, 2022
Ukraine Backdoor Malware GoMet GoLang Russia Threat Actors Hacker

A peculiar backdoor called GoMet has been used by threat actors in a campaign targeting large Ukrainian software development firms. Cybersecurity researchers believe these new attacks came from Russia and were carried out by its state-sponsored threat groups.

GoMet is a fairly standard piece of software written in the Go programming language (Golang) and includes all the usual functions a threat actor would want in a remote-access tool.

In addition, GoMet supports job scheduling, using cron or the task scheduler depending on the operating system (OS), single command execution, and the ability to open a shell or upload a file.

The newly discovered backdoor also has a daisy-chain capability: after gaining initial access to one host, the attackers can pivot through it to reach other networks, relaying their connections from one infected host to the next. This lets threat actors reach hosts that are isolated from the internet.


According to researchers, GoMet is a modified backdoor that targets several Ukrainian software firms.


According to the researchers, the recent arrival of the backdoor is an attempt to carry out supply chain attacks against the country. A few samples of the backdoor were found with minimal differences between them, and the researchers believe that, despite those differences, they share similar source code.

In the altered version of the backdoor, the cron job was set to run every couple of seconds instead of every hour. The threat actors use this to avoid an hour-long sleep if a connection attempt fails.

Additionally, if the malware fails to contact its command-and-control server, it sleeps for a random time between five and ten minutes. The backdoor then enumerates autorun values, a step intended to make forensic analysis harder.

Rather than creating new autorun values, it replaces one existing, legitimate autorun executable with the malicious one. Researchers are still unsure whether the attacks were successful.
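The two persistence behaviours described above, a job scheduled every few seconds and a legitimate autorun executable swapped in place, are worth checking for on the defender's side. The following is an added example, not code from the article or from the GoMet authors: it audits autorun entries against a known-clean baseline by path and file hash (so an in-place replacement is caught even though no new entry appears) and estimates the firing interval of cron expressions, including the 6-field form with a seconds field that Go cron libraries commonly accept. All entry names, paths, file contents and schedules are constructed sample data.

```python
"""Added example (not from the original article or from the GoMet authors):
a defender-side audit for an in-place autorun binary replacement and for
cron jobs that fire every few seconds. All data below is constructed."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AutorunEntry:
    name: str       # autorun key or entry name
    path: str       # executable the entry launches
    content: bytes  # bytes of that file on disk (constructed below)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(entries):
    """Snapshot name -> (path, sha256) taken on a known-clean host."""
    return {e.name: (e.path, sha256(e.content)) for e in entries}


def audit_autoruns(baseline, current):
    """Compare live autorun entries with the baseline. A check that only
    looks for *new* entry names misses the in-place replacement the article
    describes, so each pre-existing entry's path and binary hash are compared
    as well. Returns a list of (kind, name, path) findings."""
    findings, seen = [], set()
    for e in current:
        seen.add(e.name)
        if e.name not in baseline:
            findings.append(("new_entry", e.name, e.path))
            continue
        base_path, base_hash = baseline[e.name]
        if e.path != base_path:
            findings.append(("path_changed", e.name, e.path))
        elif sha256(e.content) != base_hash:
            findings.append(("binary_replaced", e.name, e.path))
    for name in baseline.keys() - seen:
        findings.append(("entry_removed", name, baseline[name][0]))
    return findings


def cron_min_interval_seconds(expr: str) -> int:
    """Approximate the shortest interval a cron expression can fire at.
    Accepts the classic 5-field form and the 6-field form with a leading
    seconds field. Only '*' and '*/N' are interpreted; a fixed value or a
    list in a field is treated as 'at most once per next larger unit', which
    over-estimates the interval and is therefore safe for this check."""
    fields = expr.split()
    if len(fields) == 6:
        units = [1, 60, 3600]   # seconds, minutes, hours
    elif len(fields) == 5:
        units = [60, 3600]      # minutes, hours
    else:
        raise ValueError("unsupported cron expression: %r" % expr)
    for field, unit in zip(fields, units):
        if field == "*":
            return unit
        m = re.fullmatch(r"\*/(\d+)", field)
        if m:
            return unit * int(m.group(1))
    return 86400  # seconds, minutes and hours all fixed: daily or rarer


def flag_frequent_jobs(schedules, threshold_seconds=60):
    """Return (name, expr) for jobs that can fire more often than the
    threshold; legitimate jobs running every few seconds are uncommon."""
    return [(name, expr) for name, expr in schedules
            if cron_min_interval_seconds(expr) < threshold_seconds]


# --- constructed sample data ---------------------------------------------
CLEAN_HOST = [
    AutorunEntry("Updater", "/opt/vendor/updater", b"legit updater v1"),
    AutorunEntry("Agent", "/opt/vendor/agent", b"legit agent v3"),
]
# Same entry names and paths, but the Updater binary has been swapped.
LIVE_HOST = [
    AutorunEntry("Updater", "/opt/vendor/updater", b"not the updater"),
    AutorunEntry("Agent", "/opt/vendor/agent", b"legit agent v3"),
]
SCHEDULES = [
    ("backup", "0 0 * * * *"),     # hourly (6-field form)
    ("logrotate", "0 3 * * *"),    # daily at 03:00 (5-field form)
    ("beacon", "*/2 * * * * *"),   # every two seconds
]


def run_audit():
    """Run both checks over the sample data; returns (autorun_findings, jobs)."""
    return (audit_autoruns(build_baseline(CLEAN_HOST), LIVE_HOST),
            flag_frequent_jobs(SCHEDULES))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The baseline should come from a host image you trust, and the hash comparison is what matters: an audit that only diffs entry names against the baseline reports nothing here, because the attacker kept the name and path and replaced only the file.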

As of now, Ukraine continues to suffer from the series of attacks deployed by Russia. To stay protected, government and private organisations should remain vigilant and follow the guidelines published by CERT-UA.
