| Category | Details |
|---|---|
| Threat Actors | Likely Chinese origin, as inferred from traces and victimology |
| Campaign Overview | Compromise of edge devices using GobRAT and Bulbature malware, transforming them into Operational Relay Boxes (ORBs). |
| Target Regions (or Victims) | Edge devices across various networks, which are repurposed as Operational Relay Boxes (ORBs) |
| Methodology | Staging servers deploy Bash scripts to install malware (GobRAT, Bulbature) on edge devices, which are then transformed into ORBs to relay attacks. |
| Product Targeted | Edge devices |
| Malware Reference | GobRAT (backdoor), Bulbature (implant) |
| Tools Used | Bash scripts, Fast Reverse Proxy (FRP), GobRAT, Bulbature |
| Vulnerabilities Exploited | No specific vulnerabilities mentioned; the malware and compromised devices are used to stage further attacks and exploitation. |
| TTPs | Use of self-signed certificates, exploitation of edge devices, deployment of RAT (GobRAT), proxy setup via Bulbature, DDoS, C2 communications. |
| Attribution | Likely linked to Chinese cyber groups, based on the infrastructure used and victimology observed. |
| Recommendations | Monitor edge devices, analyze traffic for signs of GobRAT or Bulbature, block suspicious C2 communications, ensure proper security measures on vulnerable devices. |
| Source | Sekoia Blog |
Disclaimer: The above summary has been generated by an AI language model.