Bulbature, beneath the waves of GobRAT

Oct. 4, 2024, 12:41 p.m.

Description

This report examines an infrastructure used to control compromised edge devices transformed into Operational Relay Boxes for launching cyber attacks. The infrastructure, consisting of 63 identified servers, uses GobRAT and Bulbature malware to compromise devices and create a botnet. Features include automated exploitation, DDoS capabilities, and proxy creation. Evidence points to Chinese origin, with targeting focused on North America. The botnet comprised nearly 75,000 compromised devices as of July 2023, primarily Linux routers with ARM architecture. The sophisticated obfuscation and constant evolution of the malware since 2022 demonstrate the operators' intent to conceal their activities and maintain long-term access.

Date

  • Created: Oct. 4, 2024, 10:11 a.m.
  • Published: Oct. 4, 2024, 10:11 a.m.
  • Modified: Oct. 4, 2024, 12:41 p.m.

Indicators

  • b1c21264a60edb64895c8c61507211a829f13068541f875b615e6c1c363122ba
  • a6d184715cbb596edac024089ae493785ba3c4519b493946c8f850b4bd08836c
  • 91eaa94223c12ddc89eca5220a8c57f0254f587f73c9edc161fc161a56e2c2f0
  • 869a6cd8205af5ec1bf04e6abf0ff79f12e62a8eeae129b9e219e1179520bac3
  • 743e15f8cfd54077406635bea803b26c574b1b5c3862b132779a8cf52d9ef903
  • 726ac8f88c4585ccb2ce2e3325726230dc7bd2c7f6667085ac2f665c4ce3fb46
  • 676cf55076127dab1403c3322d38bf72b62f8aaff25534e5af7b02fc1474a9c0
  • 667dd21bc252eb7d7415fc13ab996575bbe451062d82c94b14d6ba750d95ab64
  • 6632fe263bf687fb8d46dd29eaf90601350681aa1930a14e2aba2a16f6c3e040
  • 48b243fd7ed8bc0b7ce663f0b3fc34f07fcf9fb04bf8bceaff8b7453ab4e5318
  • 41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98
  • 27b6567f260dd689200bbda0794341b1edcf6039cfc1ae7adf0bc6477a16a1f9
  • 3ab014dd8cc7878c4e840be84b111e6fa71de221c42c14b0becaf3827a744ab9
  • 1f3a0144e717e7d93fe65877b4945a25c03b0722b6761e8fc96c8b5e62be3e46
  • 173e2f90de78f8288e0172e900693d228ae1071cc80a4fe02a09af6cd37358e9
  • 141bc0c7413665970cc33ba7b31f8e2ab0d1f9fb0363478aa6d3fd444e6745a4
  • 0858c36ed2cf29d9f7de3d7b8d595e45d888da422e76bc9c9115a8f25027d5e7
  • 91.196.70.165
  • 78.141.218.239
  • 68.183.89.48
  • 67.219.101.151
  • 64.227.130.48
  • 64.176.56.252
  • 64.176.49.89
  • 64.176.47.133
  • 5.34.178.144
  • 64.176.228.78
  • 47.96.119.186
  • 5.34.176.150
  • 45.77.34.148
  • 45.76.177.40
  • 45.32.33.92
  • 45.76.154.241
  • 38.60.223.81
  • 38.60.223.208
  • 38.60.223.51
  • 38.60.221.63
  • 38.60.221.32
  • 38.60.221.174
  • 38.60.221.145
  • 38.60.212.233
  • 38.60.212.167
  • 38.60.212.13
  • 38.60.206.78
  • 38.60.203.83
  • 38.60.203.61
  • 38.60.203.167
  • 38.60.203.21
  • 38.60.203.141
  • 38.60.196.86
  • 38.60.134.236
  • 38.54.88.248
  • 38.54.85.70
  • 38.54.85.246
  • 38.54.85.244
  • 38.54.85.21
  • 38.54.85.178
  • 38.54.56.5
  • 38.54.85.164
  • 38.54.56.45
  • 38.54.50.253
  • 38.54.50.163
  • 38.54.50.120
  • 38.180.9.2
  • 38.180.74.236
  • 38.180.74.228
  • 38.180.74.180
  • 38.180.74.173
  • 38.180.74.14
  • 38.180.29.229
  • 38.180.29.5
  • 38.180.191.118
  • 38.180.189.108
  • 38.180.188.92
  • 38.180.128.52
  • 38.180.106.179
  • 38.180.106.12
  • 207.148.69.74
  • 207.148.125.75
  • 195.80.148.142
  • 188.116.22.59
  • 178.128.96.236
  • 176.97.73.215
  • 176.97.73.199
  • 176.97.73.171
  • 158.247.223.125
  • 154.90.63.215
  • 154.90.63.156
  • 154.90.62.247
  • 154.90.62.201
  • 154.223.21.181
  • 154.223.21.80
  • 154.223.21.160
  • 154.223.21.16
  • 154.223.20.215
  • 154.205.155.3
  • 154.205.137.248
  • 154.205.136.160
  • 154.205.128.210
  • 154.205.128.194
  • 141.164.47.248
  • 140.82.38.225
  • 139.84.230.198
  • 139.84.227.52
  • 139.84.177.244
  • 139.84.174.102
  • 139.84.167.48
  • 139.84.170.90
  • 139.84.163.73
  • 139.84.147.229
  • 139.59.80.77
  • 139.180.212.224
  • 139.180.200.78
  • 139.180.139.12
  • 108.61.127.186
  • 103.57.248.40
  • 104.238.176.171
  • 38.180.106.167
  • nbt201.dynamic-dns.net
  • eyh.ocry.com

Additional Information

  • Sweden
  • Hong Kong
  • Singapore
  • Taiwan
  • Italy
  • Canada
  • Germany
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Linked vulnerabilities