Bulbature, beneath the waves of GobRAT
Oct. 4, 2024, 12:41 p.m.
Tags
External References
Description
This report examines an infrastructure used to control compromised edge devices turned into Operational Relay Boxes (ORBs) for launching cyber attacks. The infrastructure, consisting of 63 identified servers, relies on the GobRAT and Bulbature malware families to compromise devices and enrol them into a botnet. Features include automated exploitation, DDoS capabilities, and proxy creation. Evidence points to a Chinese origin, with targeting focused on North America. As of July 2023 the botnet comprised nearly 75,000 compromised devices, primarily ARM-based Linux routers. The sophisticated obfuscation and constant evolution of the malware since 2022 demonstrate the operators' intent to conceal their activities and maintain long-term access.
Date
Published: Oct. 4, 2024, 10:11 a.m.
Created: Oct. 4, 2024, 10:11 a.m.
Modified: Oct. 4, 2024, 12:41 p.m.
Indicators
.196.70.165
78.141.218.239
68.183.89.48
67.219.101.151
64.227.130.48
64.176.56.252
64.176.49.89
64.176.47.133
5.34.178.144
64.176.228.78
47.96.119.186
5.34.176.150
45.77.34.148
45.76.177.40
45.32.33.92
45.76.154.241
38.60.223.81
38.60.223.208
38.60.223.51
38.60.221.63
38.60.221.32
38.60.221.174
38.60.221.145
38.60.212.233
38.60.212.167
38.60.212.13
38.60.206.78
38.60.203.83
38.60.203.61
38.60.203.167
38.60.203.21
38.60.203.141
38.60.196.86
38.60.134.236
38.54.88.248
38.54.85.70
38.54.85.246
38.54.85.244
38.54.85.21
38.54.85.178
38.54.56.5
38.54.85.164
38.54.56.45
38.54.50.253
38.54.50.163
38.54.50.120
38.180.9.2
38.180.74.236
38.180.74.228
38.180.74.180
38.180.74.173
38.180.74.14
38.180.29.229
38.180.29.5
38.180.191.118
38.180.189.108
38.180.188.92
38.180.128.52
38.180.106.179
38.180.106.12
207.148.69.74
207.148.125.75
195.80.148.142
188.116.22.59
178.128.96.236
176.97.73.215
176.97.73.199
176.97.73.171
158.247.223.125
154.90.63.215
154.90.63.156
154.90.62.247
154.90.62.201
154.223.21.181
154.223.21.80
154.223.21.160
154.223.21.16
154.223.20.215
154.205.155.3
154.205.137.248
154.205.136.160
154.205.128.210
154.205.128.194
141.164.47.248
140.82.38.225
139.84.230.198
139.84.227.52
139.84.177.244
139.84.174.102
139.84.167.48
139.84.170.90
139.84.163.73
139.84.147.229
139.59.80.77
139.180.212.224
139.180.200.78
139.180.139.12
108.61.127.186
103.57.248.40
104.238.176.171
38.180.106.167
nbt201.dynamic-dns.net
eyh.ocry.com
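Turning the indicator list above into a sweep over local telemetry, as an added example that is not part of this page or the report it summarizes: the script embeds a subset of the page's IP and domain indicators (paste the full list in practice) together with constructed firewall and DNS resolver log lines in a hypothetical key=value format, flags every connection or lookup that touches an indicator, lists the internal hosts to triage, and groups the indicator list by /24 to show where the infrastructure clusters.

```python
import ipaddress
import re
from collections import Counter

# A subset of the IP and domain indicators listed on this page; in practice paste the
# full list. The log lines below are constructed samples, not real telemetry.
C2_IPS = {
    "78.141.218.239", "68.183.89.48", "64.176.56.252", "45.77.34.148",
    "38.60.223.81", "38.60.223.208", "38.60.221.63", "38.54.85.70",
    "38.180.74.236", "38.180.74.228", "154.223.21.181", "139.84.230.198",
    "139.180.212.224", "207.148.69.74", "176.97.73.215",
}
C2_DOMAINS = {"nbt201.dynamic-dns.net", "eyh.ocry.com"}

# Constructed sample log lines (hypothetical firewall and DNS resolver format).
SAMPLE_LOGS = """\
2024-10-03T09:12:44Z fw src=192.168.10.7 dst=38.60.223.81 dport=443 proto=tcp action=allow
2024-10-03T09:12:51Z fw src=192.168.10.7 dst=142.250.74.46 dport=443 proto=tcp action=allow
2024-10-03T09:13:02Z dns client=192.168.10.7 query=eyh.ocry.com answer=139.84.230.198
2024-10-03T09:13:09Z fw src=192.168.10.7 dst=139.84.230.198 dport=8080 proto=tcp action=allow
2024-10-03T09:14:30Z dns client=192.168.10.22 query=EYH.OCRY.COM. answer=139.84.230.198
2024-10-03T09:15:00Z fw src=10.0.0.5 dst=38.180.74.236 dport=22 proto=tcp action=deny
2024-10-03T09:16:00Z fw src=10.0.0.9 dst=93.184.216.34 dport=80 proto=tcp action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_domain(name):
    """Lower-case and strip the trailing dot so 'EYH.OCRY.COM.' matches the indicator."""
    return name.lower().rstrip(".")


def sweep(log_text):
    """Return (line_no, internal_host, kind, indicator) for every indicator match."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = dict(KV_RE.findall(line))
        host = fields.get("src") or fields.get("client")
        # Firewall lines: match the destination. Denied connections are still reported,
        # because a blocked beacon means the device behind it is already compromised.
        dst = fields.get("dst")
        if dst in C2_IPS:
            hits.append((line_no, host, "ip", dst))
        # DNS lines: match both the queried name and the resolved answer.
        query = fields.get("query")
        if query and normalize_domain(query) in C2_DOMAINS:
            hits.append((line_no, host, "domain", normalize_domain(query)))
        answer = fields.get("answer")
        if answer in C2_IPS:
            hits.append((line_no, host, "ip", answer))
    return hits


def affected_hosts(hits):
    """Internal hosts that touched any indicator, for triage."""
    return sorted({host for _, host, _, _ in hits})


def hits_by_block(hits):
    """Count IP hits per /24 so an analyst can see which netblock a host is talking to."""
    counts = Counter()
    for _, _, kind, indicator in hits:
        if kind == "ip":
            net = ipaddress.ip_network(f"{indicator}/24", strict=False)
            counts[str(net)] += 1
    return counts


def clustered_blocks(indicators, minimum=2):
    """List /24 blocks holding at least `minimum` indicators: pivot points for hunting
    adjacent servers, not a blocklist (the rest of the /24 is likely unrelated hosting)."""
    counts = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in indicators)
    return sorted(net for net, n in counts.items() if n >= minimum)


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("hosts to triage:", affected_hosts(found))
    print("hits per /24:", dict(hits_by_block(found)))
    print("indicator clusters:", clustered_blocks(C2_IPS))
```

Two caveats when running this against real telemetry: the indicators are ORB servers on commodity hosting, so blocking the surrounding /24 blocks would cut off unrelated tenants, and relay infrastructure of this kind rotates, so a hit on an address that has since been reassigned needs the timestamp compared against the report's collection window before it is treated as a confirmed compromise.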
Attack Patterns
Bulbature
GobRAT
T1584.004
T1543.002
T1562.004
T1587.001
T1588.002
T1588
T1587
T1222
T1614
T1497
T1222.002
T1016
T1082
T1057
T1083
T1071
T1595
T1543
T1140
T1027
T1112
T1584
T1562
T1190
T1133
CVE-2019-13956
CVE-2019-9082
CVE-2017-5638
Additional Information
Sweden
Hong Kong
Singapore
Taiwan
Italy
Canada
Germany
United Kingdom of Great Britain and Northern Ireland
United States of America