GoMet Backdoor Used to Target Ukraine

Industry: Technology | Level: Tactical | Source: Cisco Talos

Open sourced backdoor GoMet is reported as the latest malware putting Ukraine in its crosshairs confirms Cisco Talos. They also noted concerns with the campaign targeting a software development company, "We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful." GoMet started as an open-source project on GitHub on March 31st, 2019, with its usage as malware first observed on March 28th, 2022. Prior to this report, two known deployments of the backdoor were found through the exploitation of public vulnerabilities. Written in the Go programming language, GoMet supported a variety of features including "supports job scheduling (via Cron or task scheduler depending on the OS), single command execution, file download, file upload or opening a shell. An additional notable feature of GoMet lies in its ability to daisy chain — whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers — connections from one implanted host to another." Detection of the malware was identified by Cisco Talos when a suspicious Windows update scheduled task was created. A unique anti-detection technique was observed as opposed to creating a new autorun key, GoMet enumerated the values in autorun and "replaced one of the existing goodware autorun executables with the malware." Key takeaways from this campaign are the potential of the threat actor executing a supply-chain attack through a software development company and the utilization of novel persistence techniques.

Anvilogic Use Case:

• Create/Modify Schtasks

‍