The identified piece of malware targeting an unidentified software development company in Ukraine, whose clients include some government agencies, is a modified version of an open-source backdoor called “GoMet.”
The “GoMet” malware is written in the Go programming language and contains all the necessary features needed to remotely control an agent that can be deployed on different operating systems or processor architectures. The malware was first discovered on March 28, 2022.
Analysts believe that this cyber campaign is being orchestrated by entities funded by or acting in Russia’s interests, and that the intent of the threat is to gain access to the source of a supply chain-style attack.
A significant modification of this version of “GoMet” is that it checks to connect to its command and control server (C2), performing a check every 2 seconds (if the server is found to be unreachable, it will retry at a random interval of 5 to 10 minutes) .
Malicious activity, including fake scheduled Windows Update tasks. Also, the threat actor has taken proactive measures and a new approach to resilience to prevent their tools from being detected. Instead of creating a new autorun file, the software replaces one of the existing legitimate autorun executables with a malicious one, potentially helping to avoid detection.
Both malware samples have a hard-coded server IP address (C2): 126.96.36.199, a self-signed certificate that was generated as early as October 4, 2021, indicating that preparations for this cybercampaign began well in advance.
This access can be used in a variety of ways, including deeper access or launching more attacks, including potentially compromising the software supply chain.
Analysts expect Russian-sponsored criminal cyber groups to continue deploying some tools aimed at Ukraine and its partners in to gain extra leverage in the course of the war.