ExCobalt: GoRed, the hidden-tunnel technique
By Positive Technologies
Published: 2024-08-19 · Archived: 2026-04-02 12:34:41 UTC
Introduction
While responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor
written in Go, which we attributed to a cybercrime gang dubbed ExCobalt.
ExCobalt focuses on cyberespionage and includes several members active since at least 2016 and presumably once part
of the notorious Cobalt gang. Cobalt attacked financial institutions to steal funds. One of Cobalt's hallmarks was the use
of the CobInt tool, something ExCobalt began to use in 2022.
Over the past year, the PT ESC has recorded attacks linked to ExCobalt and investigated related incidents at Russian
organizations in the following sectors:
Metallurgy
Telecommunications
Mining
Information technology
Government
Software development
This article discusses ExCobalt's new tool, GoRed, how it evolved, and some of the tactics, techniques, and procedures that
the group has used in its attacks.
The investigation begins
While investigating an incident recorded in March 2024 on one of our client's Linux hosts, we discovered a file named
scrond, compressed with UPX (Ultimate Packer for eXecutables).
The data in an unpacked sample, written in Go, included package paths containing the substring "red.team/go-red/". This
fact suggests that this sample is a proprietary tool called GoRed.
After investigating the site, we were unable to find any significant links to malicious activity. Therefore, we can assume that
the red.team domain found in the GoRed strings is a local repository with penetration testing tools.bsp;longer actively used
by its creators. All the information dates back to 2019, and the design is typical of many similar sites.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 1 of 27

Figure 1. Internal packages
As for the GoRed backdoor, the following key features can be identified:
Operators can connect to the backdoor and execute commands, similar to other C2 frameworks like Cobalt Strike
or Sliver.
GoRed uses the RPC protocol to communicate with its C2 server.
Operators use DNS/ICMP tunneling, WSS, and QUIC to communicate with GoRed.
GoRed can obtain credentials from compromised systems.
It collects various types of information from compromised systems: details of active processes, host names, lists
of network interfaces, file system structures, and so on.
Operators use a variety of commands to conduct reconnaissance on the victim's network.
GoRed serializes, encrypts, archives, and sends data it collects to a special server dedicated to storing compromised
data.
For a complete technical description of GoRed, see the further section "GoRed analysis".
First version of GoRed and other malicious tools we found
As we analyzed GoRed, we found that we had already come across several versions of the backdoor while responding
to incidents at several of our clients earlier. For example, in July 2023, as we were investigating an incident at a certain
company, we discovered several different tools inside the attackers' directories due to an error they had made, one of tools
being the original version of GoRed.
Similarly, in an October 2023 incident, we found further tools inside public directories on the attackers' network. A short
name and description of each tool we found during the investigations are presented in the table below.
2586
CVE-2022-2586: a Linux kernel vulnerability associated with pointer abuse in the io_uring
function. This was used by the threat actor to escalate privileges and execute arbitrary code
in the vulnerable system
3156.zip
CVE-2021-3156: a sudo vulnerability known as Baron Samedit. This allows a local user
to execute arbitrary code with root privileges, bypassing standard security controls
4034
Pwnkit is a local privilege escalation exploit for CVE-2021-4034. This is a vulnerability in the
pkexec utility. It allows local users to escalate their privileges to root, which can lead
to complete compromise of the system
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 2 of 27

traceme
Local privilege escalation exploit for CVE-2019-13272. This is a vulnerability in the Linux
kernel, in the ptrace component. It allows users with CAP_SYS_PTRACE privileges
to escalate their privileges to root to execute arbitrary code in the system
bitrix.zip
This is an archive with vote_agent.php and html_editor_action.php files, containing RCE
exploits for Bitrix. It was distributed via Telegram channels in June 2022, and also mentioned
in connection with the May 2023 mass defacement of Russian websites
(https://habr.com/ru/companies/ruvds/articles/739898/)
col First version of the GoRed backdoor: 0.0.1
fs fscan (https://github.com/shadow1ng/fscan/)
get_wp-commentin.txt
Obfuscated PHP file
run
FreeBSD file. Runs the specified executable file as root, same as the command sudo exec <
specified file>
set
FreeBSD file. Sets root as file owner and grants rwx (read, write, execute) permissions to it,
same as the commands chown < file> 0; chmof < file> 777
install Installs a malicious module for Apache 2.4
install[drop]
Contains a dropper with a UPX-compressed binary file that is written to /usr/local/games/w.
The file’s privileges are then changed: chown root:root; chmod 4755
install[drop][upx]
/usr/local/games/w
Tries to run the following command as root:
(setuid(0); setgid(0); /bin/sh -c...))
k
Contains the following set of basic network utilities and replaces the process name with [kthr]:
curl Stripped down version of curl
socksd Proxy (socks4/5 with user+pass support)
shell Bind shell
host Resolves a host’s name via the 8.8.8.8 DNS server
hash MD5/SHA-1/SHA-256
gz Inflate/deflate functionality
netcat -
kit
Shell script to install kitsune. The MEGATSUNE variable was used instead of KITSUNE.
amd64.rpm-bin.link and pkg.dpkg-source.info were used as the C2s
lock.zip Part of the locker wiper ransomware repository with a read.me file in Russian inside
locker Locker from lock.zip without the configuration files
m Mettle (https://github.com/rapid7/mettle)
rev Bind shell, shares code with shell from k, renames process to [kr]
sf Binary for BSD
spark Spark RAT
w.txt
PHP web shell: WSO
(https://github.com/ndbrain/WSO)
wef Variant of reverse SSH client (https://github.com/NHAS/reverse_ssh)
y.txt PHP shell: p0wny-shell
knife/k We found this file several months after the above-mentioned k, also in a public directory but
in a different domain. It was also named k, and the functionality is similar, which suggests that
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 3 of 27

this is simply the next version. This is a tool to control a compromised Linux server. It has
extensive functionality; commands to execute are specified in the command line:
sync No handler. Causes segfault if run
curl < url> Loads content from specified URL
socksd Starts a SOCKS server
netcat No handler. Causes segfault if run
host < host> Tries to resolve the host’s name via the 8.8.8.8:53 DNS server
hash < filename> Calculates the file’s hash (MD5, SHA-1, SHA-256 are available)
gz < filename> Compresses the file
shell < options> < IP
address:port>
Remote shell. The command can be run with the following possible
options: -l (listen to the specified address) or -c (connect to the
specified address)
In addition to the tools obtained from the threat actors' server directories, ExCobalt used the following tools:
Mimikatz
ProcDump
SMBExec
Metasploit
rsocx
Modified versions of standard utilities
Besides the above tools found in public directories, we came across modified versions of standard Linux utilities in several
incidents, something we first saw in November 2023.
The modification of utilities serves two purposes:
1. Modified ps and htop hide an active core process of the gsocket module and related processes in terminal output.
Let's take ps as an example.
The simple_readproc function was modified.
The original code looks as follows:
Figure 2. Original ps code
The following code was added:
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 4 of 27

Figure 3. Code added to ps
The is_target_proc function checks for every process whether its name is equal to any of the hardcoded names of malicious
processes:
Figure 4. The check inside is_target_proc
If the check returns true, the process will be hidden in the terminal output. Here's the list of the names of malicious
processes hidden this way:
Figure 5. Names of malicious processes
2. Modified ss and netstat hide the active network connection of the core module of gsocket in terminal output.
Let's take netstat as an example.
The first code modification was made in the main function.
The original code looks as follows:
Figure 6. Original code of the main function of netstat
First, code was added to copy all C2s from the data section to a global structure:
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 5 of 27

Figure 7. Copying the C2s to a global structure
Second modification was in the tcp_do_one function, starting here:
Figure 8. Original code of the tcp_do_one function of netstat
Checks for the name of the malicious process and malicious connection were added to the code. If the check returns true, the
process with one of the hardcoded names or network connections will be hidden:
Figure 9. Checking for the name of the malicious process and malicious connection
Relation to ExCobalt
In November 2023, we discussed ExCobalt's attacks on Russian companies.
In that report, we mentioned the domain lib.rpm-bin.link, where upon directory enumeration we found many of the tools
described above—including col, the first version of GoRed.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 6 of 27

Also, in a March 2024 incident, we observed infected hosts that contacted the threat actor's servers: get.rpm-bin.link and
leo.rpm-bin.link. Additionally, GoRed used a static_TransportConfig structure with the following C2s:
leo.rpm-bin.link
sula.rpm-bin.link
lib.rest
rosm.pro
In May 2023, Bi.Zone researchers released an analysis of attacks by Sneaking Leprechaun, whose tools showed some
overlap with the above-mentioned files found inside the public directories.
Furthermore, our colleagues at Rostelecom-Solar in May 2024 released a report on the Shedding Zmiy activity cluster,
which also correlated with ExCobalt. Case 7 in this report described the same attack and a GoRed stealer sample with
a C2 at pkg.collect.net.in. This sample was designated as Bulldog Backdoor in the report.
GoRed analysis
Before we proceed to analyzing the current version of GoRed, we will provide a retrospective analysis of its evolution.
Versions we found
All the versions we found are shown in the table below.
Version Description
0.0.1
Assumed to be the first one.
Collects information about the victim.
Source obfuscated with garble.
0.0.9
Debug build: GoRed activity logging enabled.
Built-in configuration expanded.
Collects information about the victim.
Source obfuscated with garble.
0.0.9
Built-in configuration expanded.
Collects information about the victim.
Source obfuscated with garble.
0.0.13
Removed garble obfuscation.
Added control flow based on a command line interface.
Added reverse shell functionality via the WSS and DNS protocols.
Collects only processes.
Added a configuration structure absent in previous versions.
0.0.23-10-g4528ef3
Added collection of network interfaces.
Added beacon mode (gecko command).
Added protocols for an operator to connect via DNS, ICMP, QUIC, WSS.
Added CBOR codec for RPC support.
Added proxy mode.
Implemented updating functionality.
Added file system monitoring (birdwatch command).
Added ICMP tunneling.
0.1.3-4-g68c293d This version is mentioned only in the Solar report; we have not come across it.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 7 of 27

Version Description
0.1.3-62-g4843e53
Expanded victim data collection feature (collector command).
Added transport configuration.
0.1.4 No changes found from previous version.
This article examines the current version, 0.1.4.
Internal packages
First, we will describe the structure of the internal packages and their purpose to give you an understanding of GoRed
functionality. In the backdoor's data, we have found the following package paths containing the substring "red.team/go-red/":
Package Purpose
red.team/go-red/config/ Retrieval of the internal and transport configurations
red.team/go-red/bb/ Processing of an operator's commands
red.team/go-red/birdwatch/ Monitoring of the file system
red.team/go-red/gecko/ Protocol for communication between GoRed and its C2
red.team/go-red/backend/ Connecting to a data exfiltration server
red.team/go-red/collector/ Collecting system information
red.team/go-red/util/ Various auxiliary utilities
red.team/go-red/packer/ Data packing
red.team/go-red/proxy/ Proxy mode operation
red.team/go-red/revshell/ Reverse shell mode operation
red.team/go-red/dns/ DNS tunneling implementation
red.team/go-red/icmptunnel/ ICMP tunneling implementation
Let's now proceed to analysis proper. Here's a simplified diagram of the control flow to give you an understanding of how
it works.
Figure 10. Diagram of the control flow
1. Start of execution
The control flow relies on the command line interface (CLI). However, before passing control to the CLI, the backdoor
initializes a number of commands, which are described below.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 8 of 27

service command
gecko subcommand
Figure 11. Initializing the command and subcommand
The service command, intended for gaining persistence in the system, is initialized first. The GoRed CLI command
structure looks as follows:
 
struct cli_Command
{
 string Name;
 _slice_string Aliases;
 string Usage;
 string UsageText;
 string Description;
 string ArgsUsage;
 string Category;
 PTR_cli_BashCompleteFunc BashComplete;
 PTR_cli_BeforeFunc Before;
 PTR_cli_AfterFunc After;
 PTR_cli_ActionFunc Action;
 PTR_cli_OnUsageErrorFunc OnUsageError;
 _slice__ptr_cli_Command Subcommands;
 _slice_cli_Flag Flags;
 cli_FlagCategories flagCategories;
 bool SkipFlagParsing;
 bool HideHelp;
 bool HideHelpCommand;
 bool Hidden;
 bool UseShortOptionHandling;
 string HelpName;
 _slice_string commandNamePath;
 string CustomHelpTemplate;
 cli_CommandCategories categories;
 bool isRoot;
 cli_separatorSpec separator;
};
In terms of command identification, the most helpful fields in this structure are the following:
Name: command name
Usage: command description
Action: function called when the command is executed
Subcommands: subcommands for the current command
Next, the structure of the CLI itself is initialized into the variable app.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 9 of 27

Figure 12. Initializing the app structure for the CLI
The app structure looks as follows:
 
struct cli_App
{
 string Name;
 string HelpName;
 string Usage;
 string UsageText;
 string ArgsUsage;
 string Version;
 string Description;
 string DefaultCommand;
 _slice__ptr_cli_Command Commands;
 _slice_cli_Flag Flags;
 bool EnableBashCompletion;
 bool HideHelp;
 bool HideHelpCommand;
 bool HideVersion;
 cli_CommandCategories categories;
 cli_FlagCategories flagCategories;
 PTR_cli_BashCompleteFunc BashComplete;
 PTR_cli_BeforeFunc Before;
 PTR_cli_AfterFunc After;
 PTR_cli_ActionFunc Action;
 PTR_cli_CommandNotFoundFunc CommandNotFound;
 PTR_cli_OnUsageErrorFunc OnUsageError;
 PTR_cli_InvalidFlagAccessFunc InvalidFlagAccessHandler;
 time_Time Compiled;
 _slice__ptr_cli_Author Authors;
 string Copyright;
 io_Reader Reader;
 io_Writer Writer;
 io_Writer ErrWriter;
 PTR_cli_ExitErrHandlerFunc ExitErrHandler;
 map_string_interface_ Metadata;
 PTR_func_map_string_string ExtraInfo;
 string CustomAppHelpTemplate;
 string SliceFlagSeparator;
 bool DisableSliceFlagSeparator;
 bool UseShortOptionHandling;
 bool Suggest;
 bool AllowExtFlags;
 bool SkipFlagParsing;
 bool didSetup;
 cli_separatorSpec separator;
 _ptr_cli_Command rootCommand;
};
Here, too, the most informative fields for identifying commands are as follows:
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 10 of 27

Name: current command name
Action: function called
Commands: subcommands for the current command
The Commands field for the app structure is also initialized.
Figure 13. Initializing the CLI context structure
Next, the Logging field is retrieved from the embedded_Config structure described in the section below. After this, the
control flow moves to the CLI.
Figure 14. Transferring control to the CLI
2. Gaining persistence in the system
The first command to be executed is service. It achieves persistence in the system. It can be executed with the following
options:
Option Purpose
no-service Simply proceeds to executing CLI commands
uninstall Removes the service
restart Restarts the service
If there are no options from the table above, it gains persistence as a service with the name it received as an argument.
To maintain presence in the compromised system, it creates environment variables whose names begin with "BB", for
example:
BB_WS
BB_QUIC
BB_ICMP
BB_DNS
BB_START_DELAY
3. Initializing beacon mode
The control flow is then transferred to the gecko command. This command is the entry point for GoRed to run in beacon
mode.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 11 of 27

Figure 15. Execution options for the gecko command
It can be executed with the following options:
Option Purpose
wss
Use the corresponding protocol for communication between the operator and GoRed
quic
icmp
dns
background Run the command in the background
start-delay Add delay in communications with the C2
Depending on the protocol received as an option, the command fetches the C2 from the transport configuration whose
structure is described in the section below. It then begins initializing the beacon functionality.
Figure 16. Initializing the beacon functionality
To identify the victim, the malware first generates an ID, which is an MD5 hash of the computer's MAC addresses and
name, similarly to the case described in our Hellhounds: Operation Lahat article. The resulting hash sum is added to a field
in the client structure, which stores all data required for communication with the C2.
Figure 17. Obtaining a victim ID
4. Establishing an initial connection
After GoRed is initialized, it needs to connect to its C2. The number of connection attempts is defined in the backoff
package.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 12 of 27

Figure 18. Setting the number of C2 connection attempts
The execution flow calls the function that registers the beacon functionality, after which the CLI commands are initialized.
Figure 19. Starting beacon functionality
Registration uses the RPC protocol. Data in the model_Beacon structure is sent to the server, and data in the model_Auth
structure is used for authentication with the server.
 
struct model_RegisterBeaconRequest
{
 model_Beacon Beacon;
 model_Auth Auth;
};
struct model_Beacon
{
 string ID;
 string Hostname;
 string ClientIPs;
 _slice_string Tags;
 string OS;
 string Username;
};
struct model_Auth
{
 string Token;
 uuid_UUID ClientID;
 string Transport;
};
The fields in these structures have the following purposes:
Field Purpose
Beacon
The structure containing victim information
Field Purpose
ID Victim's ID
Hostname Victim's hostname
ClientIPs Victim's IP addresses
Tags Victim's tag
OS Victim's operating system
Username Victim's username
Auth The structure containing authentication data
Field Purpose
Token Authentication token
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 13 of 27

Field Purpose
ClientID Client ID
Transport Protocol being used
After registering, GoRed runs the birdwatch command to monitor the file system.
Figure 20. Running birdwatch in the background
The execution flow then sets a GoRed beacon mode heartbeat period (for signaling to C2).
Figure 21. Setting a heartbeat period
The execution flow then runs a command to monitor the password file stored in /etc/shadow/.
Figure 22. Running creds-watcher in the background
Finally, the execution flow initializes all available commands and goes into heartbeat mode.
Figure 23. Entering heartbeat mode
5. Entering listen and execute mode
At the final stage of initialization, GoRed starts listening for the operator's commands that it previously initialized. It can
execute both system and built-in commands. Commands can be set to run in the background.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 14 of 27

Figure 24. Function to set a command to run in the background
6. Communications in beacon mode
GoRed uses the RPC protocol to communicate with its C2 in beacon mode.
Figure 25. RPC functionality
It registers a custom codec to communicate via RPC.
Figure 26. Custom RPC codec functionality
The registered codec serializes data with CBOR and encrypts with AES-256-GCM (Secret field in embedded_Config) when
sending, and does the reverse when receiving.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 15 of 27

Figure 27. Function that transforms data for exfiltration
Configurations
GoRed contains two configuration blocks: built-in and transport.
Built-in configuration
This is the configuration of GoRed itself. It is encoded in Base64 and serialized with msgpack.
Figure 28. Built-in configuration
For versions 0.0.23-10-g4528ef3 through 0.1.4, the structure of the built-in configuration is as follows:
 
struct embedded_Config
{
 string Logging;
 string Token;
 uuid_UUID UserID;
 uuid_UUID ClientID;
 string ClientKey;
 string Version;
 _slice_string Tags;
 _slice_string Args;
 string Secret;
 _ptr_url_URL BackendAddress;
 _ptr_url_URL ProxyAddress;
};
The purposes of the built-in configuration fields are as follows:
Field Purpose
Logging
Logging and log format:
No logging
To a .log file in a temporary directory
Directly to the operator's console
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 16 of 27

Field Purpose
Token Generated JWT for RPC
UserID UUID for the payload field in the JWT (when using RPC)
ClientID Unique identifier for the exfiltrated data of the victim
ClientKey HS256 key needed to generate the JWT when exfiltrating data
Version GoRed version
Tags Victim's tag
Args GoRed arguments
Secret AES-256-GCM key for encrypting or decrypting the data transmitted or received via RPC
BackendAddress Address of a dedicated server for data exfiltration
ProxyAddress List of proxy addresses for data exfiltration
Configuration structure for versions 0.0.9 through 0.0.13.
 
struct embedded_Config
{
 bool Debug;
 string Token;
 uuid_UUID ClientID;
 string ClientKey;
 string Version;
 _slice_string Tags;
 string Secret;
 string BasicAuthLogin;
 string BasicAuthPass;
 _ptr_url_URL BackendAddress;
 _ptr_url_URL ProxyAddress;
};
The fields in this version of the built-in configuration have the following purposes:
Field Purpose
Debug
Logging and log format:
No logging
To a .log file in a temporary directory
Directly to the operator's console
BasicAuthLogin Login for authentication when using the curl command
BasicAuthPass Password for authentication when using the curl command
Built-in configuration for version 0.0.1.
 
struct embedded_Config
{
 bool Debug;
 uuid_UUID ClientID;
 string ClientKey;
 string Version;
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 17 of 27

_ptr_url_URL BackendAddress;
};
Golang script for getting built-in configuration fields:
 
package main
import (
 "encoding/base64"
 "fmt"
 "net/url"
 "github.com/google/uuid"
 "github.com/vmihailenco/msgpack/v5"
)
type embedded_Config struct {
 Logging string
 Token string
 UserID uuid.UUID
 ClientID uuid.UUID
 ClientKey string
 Version string
 Tags []string
 Args []string
 Secret string
 BackendAddress* url.URL
 ProxyAddress* url.URL
}
const config = `...`
func main() {
 var item map[string]any
 data, _ : = base64.StdEncoding.DecodeString(config)
 err : = msgpack.Unmarshal(data, &item)
 if err != nil{
 panic(err)
 }
 fmt.Print("Logging: ")
 fmt.Println(item["Logging"])
 fmt.Print("Token: ")
 fmt.Println(item["Token"])
 fmt.Print("UserID: ")
 fmt.Println(uuid.UUID(item["UserID"].([]byte)))
 fmt.Print("ClientID: ")
 fmt.Println(uuid.UUID(item["ClientID"].([]byte)))
 fmt.Print("ClientKey: ")
 fmt.Println(item["ClientKey"])
 fmt.Print("Version: ")
 fmt.Println(item["Version"])
 fmt.Print("Tags: ")
 fmt.Println(item["Tags"])
 fmt.Print("Args: ")
 fmt.Println(item["Args"])
 fmt.Print("Secret: ")
 fmt.Println(item["Secret"])
 fmt.Print("BackendAddress: ")
 fmt.Println(string(item["BackendAddress"].([]byte)))
 fmt.Print("ProxyAddress: ")
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 18 of 27

fmt.Println(item["ProxyAddress"])
}
Python script for getting built-in configuration fields:
 
import msgpack
import base64
s = base64.b64decode('...')
config = msgpack.unpackb(s, raw = False)
print(config)
Transport configuration
The transport configuration looks as follows:
Figure 29. Transport configuration
It has the following structure:
 
struct static_TransportConfig
{
 static_Transport Revsh;
 static_Transport RPC;
 static_Transport Proxy;
};
struct static_Transport
{
 _ptr_static_Address WS;
 _ptr_static_Address QUIC;
 _ptr_static_Address ICMP;
 _ptr_static_Address DNS;
 _ptr_static_Address TCP;
};
struct static_Address
{
 string Domain;
 string BackupIP;
 signed __int64 Port;
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 19 of 27

string Proto;
};
The fields of the static_TransportConfig structure have the following purposes:
Field Purpose
Revsh Reverse shell connection addresses for an operator
RPC Addresses for GoRed beacon mode RPC heartbeats
Proxy Addresses for running GoRed in proxy mode
The fields of the static_Address structure have the following purposes:
Field Purpose
Domain Domain to connect to
BackupIP IP to connect to if the domain cannot be resolved
Port Connection port
Proto Connection protocol
Communication protocols
GoRed has several protocols for communicating with the operator.
Protocol Implementation
ws Implements WebSocket connection
quic Implements QUIC connection
icmp Implements ICMP tunneling
dns Implements DNS tunneling
DNS
DNS tunneling in GoRed can use Base64 or Base32. This option is selected during compilation.
Figure 30. Using Base32 for traffic tunneling
An example of a domain used in an attack is
8E1A4QB4OGA66RPJCHL72DJGCKRMIOR8CDN3EDJBDOOAEQ3FEDQ5UQB4OGA66RP.JCHL6EDJGCKRMIOR8CDN3EDJBD
Background commands
Background commands run continuously; some of them can be added to the background or removed, depending on the
conditions in the table below.
Command Description
birdwatch
Watches for new files inside directories. Runs in the background by default.
list: subcommand to print a list of paths monitored for new files.
unwatch: subcommand to stop monitoring paths for new files.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 20 of 27

Command Description
creds-watcher Watches for passwords. Runs in the background by default.
revsh-host
Enables reverse shell mode. Runs in the background upon execution.
Sets WebSocket as the communication protocol between the operator and GoRed.
Sets QUIC as the communication protocol between the operator and GoRed.
Sets ICMP as the communication protocol between the operator and GoRed.
Sets DNS as the communication protocol between the operator and GoRed.
rev-proxy Enables reverse proxy mode via SOCKS5. Runs in the background upon execution.
rev-fwd Enables reverse port forwarding mode. Runs in the background upon execution.
Connecting in rev-proxy and rev-fwd mode
Before starting to act as a server, GoRed needs to initialize an embedded X.509 certificate, similarly to the case described
in our Hellhounds: Operation Lahat. Part 2 article.
Figure 31. Retrieving the certificate and host information
The backdoor also needs to collect information about the victim's host by executing the CollectHostInfo function shown
above. This produces the structure presented below, except for the Addr field.
 
struct proto_HostInfo
{
 string Addr;
 string OS;
 string Username;
 string Hostname;
 _slice_string IPs;
};
The fields in the structure have the following purposes:
Field Purpose
Addr Address to connect to, passed to the command as a parameter
OS Victim's operating system
Username Victim's username
Hostname Victim's hostname
IPs Victim's IP addresses
A structure to identify GoRed as a server is initialized as follows:
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 21 of 27

Figure 32. Initializing the structure
The initialized structure looks as follows:
 
struct proto_BinInfo
{
 uuid_UUID ClientID;
 string Token;
 _slice_string Tags;
};
The fields in the structure have the following purposes:
Field Purpose
ClientID Identifies the victim
Token Generated JWT for RPC
Tags Victim's tag
Having received the proto_HostInfo and proto_BinInfo structures, GoRed uses their fields in a handshake message that
it sends to the C2 at the address it gets from the transport configuration. The handshake message structure looks as follows:
 
struct proto_MsgGreeting
{
 proto_ConnectionMode Mode;
 string MachineID;
 proto_BinInfo BinInfo;
 _ptr_proto_HostInfo HostInfo;
};
The fields in the structure have the following purposes:
Field Purpose
Mode
The following modes are supported:
2: rev-proxy mode
3: rev-fwd mode
MachineID Victim's computer ID
BinInfo Structure containing the GoRed configuration information
HostInfo Structure containing victim information
The handshake sequence used to register GoRed as a server looks as follows:
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 22 of 27

Figure 33. Communications with the C2
In response to the handshake message, the server sends a message with the following structure:
 
struct proto_MsgGreetingResponse
{
 string Greeting;
 _ptr_proto_BinInfo BinInfo;
 _ptr_proto_HostInfo HostInfo;
};
If the Greeting field contains the string "welcome", the connection is considered successful, and GoRed starts running
in server mode; if not, the connection cannot be established.
Issued commands
The operator uses the following commands to communicate with GoRed:
Command Description
upload Exfiltrates files. Takes a file path as the argument
download Downloads files onto the infected computer. Takes a file path as the argument
bg-list Displays a list of internal background commands
bg-stop
Cancels an internal background command. Takes a command ID as an argument. Can be used to stop
all background commands
stealth
Automatically sets the heartbeat frequency within a larger range for greater stealth.
on: subcommand that enables this mode with the time range 0×9D29229E000—
0×105EF39B2000
off: subcommand that disables this mode with the time range 0×12A05F200—0×45D964B800
emit-period Gets or sets a heartbeat frequency manually
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 23 of 27

Command Description
conn-providers
Gets the communication protocols available in the current version of GoRed
info
Gets victim information:
UserID
Logging
Tags
Version
Time
collect Collects and exfiltrates system information. See the section below for more details
bb-update
Updates GoRed. Sends a GET request to the URL passed as the argument and restarts GoRed with the
restart argument
bb-ps Gets the status of the process passed as the argument
bb-cat Reads the file passed as the argument
bb-find Searches for files passed as the argument
bb-ls Displays the contents of the directory passed as the argument
bb-mkdir Creates the directory passed as the argument
bb-pwd Returns the full path of the current directory
bb-rm Deletes the file passed as the argument
bb-wc
Collects information about the file passed as the argument:
Number of words
Number of lines
Number of characters
Number of bytes
bb-nmap Scans the network. Takes a host IP as the argument
bb-ping Pings an external host. Takes an IP as the argument
bb-wget
Gets files via HTTP. Takes two arguments: the source URL and the output filename specified after the
—output option
bb-curl Similar to curl, but with limited functionality
collect
Since this command collects system information and data for subsequent exfiltration, we decided to describe it in more
detail:
Option Purpose
local-archive Selects a compression algorithm: tar or gzip
skip-trees Skips collecting file system structure information
skip-files Skips collecting files
exec-timeout Sets a time period for collecting files
Collected information
An example of the code used to collect information is shown below.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 24 of 27

Figure 34. Example of the code used to collect information
A complete list of collected information is provided in the table below.
File Contents
processes.json List of processes
envvars.json List of environment variables
host.json Information about the processor, RAM, installed OS, user name, group name
network_interfaces.json List of network interfaces
netstats.json List of active network connections
*.txt
Files that will be collected depending on the values of the fields in the
model_CollectionConfig structure
hardware.json Hardware information
trees.json File system structure
Exfiltration
Before the data is sent, it is serialized with msgpack and encrypted with AES-256-GCM (Secret field in embedded_Config).
Figure 35. Example of collected data preparation
Next, after archiving the data, the backdoor sends it with a POST request to a URL generated by appending "/api/collection-result" to the BackendAddress field in embedded_Config.
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 25 of 27

Figure 36. Data exfiltration
It is also possible to update the model_CollectionConfig structure by sending a GET request to a URL generated
by appending "/api/config" to the BackendAddress field in embedded_Config.
\
Figure 37. Configuration update
The model_CollectionConfig structure is a configuration for the collect command and has the following fields:
 
struct model_CollectionConfig
{
 _slice__slice_string Commands;
 _slice_string Files;
 _slice_string TreePaths;
};
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 26 of 27

The fields in the structure have the following purposes:
Field Purpose
Commands bb_files_* command
Files Files
TreePaths Paths
Conclusion
ExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly
adding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it's also
actively improving its existing tools, such as the GoRed backdoor.
ExCobalt is apparently aiming for more sophisticated and productive methods of hacking and cyberespionage, seeing how
GoRed has been acquiring new capabilities and features. These include expanded functionality for collecting victim data
and increased secrecy both inside the infected system and in communications with C2 servers.
In addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities,
which help the group to easily bypass security controls and adapt to changes in protection methods. The use of modified
utilities is a sign that the members of the group have an in-depth understanding of the weaknesses of companies they attack,
while leveraging vulnerabilities helps them to pursue sophisticated attacks on their targets.
Overall, the evolution of ExCobalt and its toolset, including GoRed and the modified utilities, highlights the need for
organizations and cybersecurity professionals to continuously improve detection and protection techniques to combat this
group as well as other similar cyberthreats.
Authors:
Vladislav Lunin, Senior Information Security Threat Researcher, PT ESC
Alexander Badaev, Information Security Threat Researcher, PT ESC
Source: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique
Page 27 of 27