GoMet: Attack on Ukraine

The identified piece of malware targeting an unidentified software development company in Ukraine, whose clients include some government agencies, is a modified version of an open-source backdoor called “GoMet.”

The “GoMet” malware is written in the Go programming language and contains all the necessary features needed to remotely control an agent that can be deployed on different operating systems or processor architectures. The malware was first discovered on March 28, 2022.

Analysts believe that this cyber campaign is being orchestrated by entities funded by or acting in Russia’s interests, and that the intent of the threat is to gain access to the source of a supply chain-style attack.

A significant modification of this version of “GoMet” is that it checks to connect to its command and control server (C2), performing a check every 2 seconds (if the server is found to be unreachable, it will retry at a random interval of 5 to 10 minutes) .

Malicious activity, including fake scheduled Windows Update tasks. Also, the threat actor has taken proactive measures and a new approach to resilience to prevent their tools from being detected. Instead of creating a new autorun file, the software replaces one of the existing legitimate autorun executables with a malicious one, potentially helping to avoid detection.

Both malware samples have a hard-coded server IP address (C2):, a self-signed certificate that was generated as early as October 4, 2021, indicating that preparations for this cybercampaign began well in advance.

This access can be used in a variety of ways, including deeper access or launching more attacks, including potentially compromising the software supply chain.

Analysts expect Russian-sponsored criminal cyber groups to continue deploying some tools aimed at Ukraine and its partners in to gain extra leverage in the course of the war.

Pavlo Kryvenko

Head of AI and Cyber Security Section

He has been working as a Head of the Information and Cyber Security Section, Coordinator of the Artificial Intelligence Platform at the Center for Army, Conversion and Disarmament Studies (Kyiv, Ukraine). Pavlo is the Founder of GODDL company.

He has worked as a member of the delegation of the Communication Administration of Ukraine at the World Radiocommunication Conference (Geneva, Switzerland), as a Cyber Security Consultant at the Bar Association Defendo Capital (Kyiv, Ukraine).

Pavlo has collaborated with the National Communications and Informatization Regulatory Commission and the Ukrainian State Radio Frequency Center for International Frequency Coordination.

He studied at the Institute of International Relations of the Kyiv International University (Ukraine), the Joint Frequency Management Center of the US European Command, the LS telcom AG Training Center (Grafenwöhr, Germany), the UN International Peacekeeping and Security Center (Kyiv, Ukraine).

Contact Us
July 2022
Translate »