Bulbature, beneath the waves of GobRAT

Oct. 4, 2024, 12:41 p.m.

Description

This report examines the infrastructure used to control compromised edge devices that have been turned into Operational Relay Boxes for launching cyber attacks. The infrastructure, consisting of 63 identified servers, uses the GobRAT and Bulbature malware to compromise devices and build a botnet. Its features include automated exploitation, DDoS capabilities, and proxy creation. Evidence points to a Chinese origin, with targeting focused on North America. As of July 2023 the botnet comprised nearly 75,000 compromised devices, primarily ARM-based Linux routers. The sophisticated obfuscation and constant evolution of the malware since 2022 demonstrate the operators' intent to conceal their activities and maintain long-term access.

Date

Published: Oct. 4, 2024, 10:11 a.m.
Created: Oct. 4, 2024, 10:11 a.m.
Modified: Oct. 4, 2024, 12:41 p.m.

Indicators

Attack Patterns

Bulbature

GobRAT

T1584.004

T1543.002

T1562.004

T1587.001

T1588.002

T1588

T1587

T1222

T1614

T1497

T1222.002

T1016

T1082

T1057

T1083

T1071

T1595

T1543

T1140

T1027

T1112

T1584

T1562

T1190

T1133

CVE-2019-13956

CVE-2019-9082

CVE-2017-5638

Additional Information

Sweden

Hong Kong

Singapore

Taiwan

Italy

Canada

Germany

United Kingdom of Great Britain and Northern Ireland

United States of America