GobRAT, a new Golang remote access trojan (RAT), is targeting Linux routers in Japan. The JPCERT Coordination Centre (JPCERT/CC) stated in a report released today that the attacker first targets a router whose WEBUI is accessible to the public, then executes scripts possibly leveraging vulnerabilities, and lastly infects the router with GobRAT.
After an internet-exposed router has been compromised, the malware impersonates the Apache daemon process (apached) to avoid detection. The loader can also disable firewalls, create persistence via the cron job scheduler, and authorise remote access by registering an SSH public key in the .ssh/authorized_keys file.
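
A read-only triage script for three of the host traces named above (the apached process name, cron persistence, a registered SSH key), added here as an example and not taken from JPCERT/CC or the original article. The cron locations, the `/root` and `/home/*` key paths, and the allowlist file of known-good key blobs are assumptions about the device being checked.

```sh
#!/bin/sh
# Added example: read-only triage for the traces described above.
# ROOT is "/" on a live router or the mount point of an extracted image.

# Processes named "apached" (stock Apache runs as httpd or apache2).
find_apached() {
    root=$1
    for comm in "$root"/proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        [ "$(cat "$comm" 2>/dev/null)" = "apached" ] || continue
        dir=${comm%/comm}
        exe=$(readlink "$dir/exe" 2>/dev/null || echo unknown)
        echo "PROC pid=${dir##*/} exe=$exe"
    done
    return 0
}

# Every active (non-blank, non-comment) cron line, with its source file.
list_cron() {
    root=$1
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        awk -v src="$rel" '!/^[ \t]*(#|$)/ { print "CRON " src ": " $0 }' "$f"
    done
    return 0
}

# authorized_keys entries whose base64 key blob is not in ALLOW (assumed
# format: one known-good blob per line). Blobs are found by their "AAAA" prefix.
unknown_keys() {
    root=$1 allow=$2
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        awk -v src="$rel" '
            FILENAME == ARGV[1] { ok[$1] = 1; next }
            /^[ \t]*(#|$)/ { next }
            { for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) {
                  if (!($i in ok)) print "KEY " src ": " $0
                  next } }
        ' "$allow" "$f"
    done
    return 0
}

# Usage: sh triage.sh ROOT [ALLOW]
triage() { find_apached "$1"; list_cron "$1"; unknown_keys "$1" "${2:-/dev/null}"; }
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

Without an allowlist every registered key is reported, which is the safer default on a device where no SSH keys are expected.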