Overview
RedGoBot is a DDoS Botnet family written in the Go programming language, first exposed by QiAnXin Threat Intelligence Center in early December 2022.
By the end of July 2023, our unknown-threat monitoring system detected the IP address 185.224.128.141 aggressively probing common Telnet service ports and spreading a DDoS botnet trojan written in Go. Our analysis identified it as a new variant of RedGoBot, a family we had exposed before.
This variant borrows several design elements from Mirai: a dedicated ensureSingleInstance() function that guarantees only one copy runs by binding a local port, and a similar Killer routine that terminates specific processes. The most notable change from the older version is that all critical strings are now stored Base64-encoded and decoded on the fly at runtime. Before propagating the latest variant, RedGoBot briefly spread an intermediate version whose core functionality matches the latest one, except that its internal strings are not Base64-encoded; the intermediate release also included Windows samples.
After in-depth analysis we have named this variant RedGoBot_v2. Its recent propagation trend is as follows:
Updates to Sample Functionality
String Encryption
Key strings in the new version of RedGoBot are stored Base64-encoded and are decoded by helper functions at runtime, immediately before use:
Init Function
Go's init() function runs before main(), and this sample uses it to bulk-decode the strings holding the whitelist of directory and file names that the Kill function consults. As in the previous version, the sample then attempts to terminate the processes of "suspicious competitors":
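Because every sensitive string in RedGoBot_v2 is Base64 text in the binary, the quickest triage step is to bulk-decode every Base64-looking token in the `strings` output and keep only the ones that decode to readable text. The following Go program is an added example written for this article, not code from the sample; the input it works on is a constructed stand-in for `strings` output (the encoded paths and the hex blob are invented), and the minimum token length of 8 and the printable-ASCII filter are design choices, not properties of the malware.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// base64Token matches runs of the standard Base64 alphabet with optional "=" padding.
// Requiring at least 8 characters drops most short identifier fragments (assumed threshold).
var base64Token = regexp.MustCompile(`[A-Za-z0-9+/]{8,}={0,2}`)

// isPrintableASCII is the filter that keeps decoded paths and commands and drops
// ordinary symbol names that merely happen to be valid Base64 but decode to junk.
func isPrintableASCII(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r > unicode.MaxASCII || (!unicode.IsPrint(r) && !unicode.IsSpace(r)) {
			return false
		}
	}
	return true
}

// decodeLenient tries padded Base64 first, then unpadded, because extracted tokens
// are sometimes cut before their "=" padding.
func decodeLenient(tok string) ([]byte, error) {
	if b, err := base64.StdEncoding.DecodeString(tok); err == nil {
		return b, nil
	}
	return base64.RawStdEncoding.DecodeString(strings.TrimRight(tok, "="))
}

// DecodeBase64Strings scans raw bytes (the whole sample, or `strings` output) for
// Base64-looking tokens and returns those that decode to printable ASCII,
// keyed by the encoded token exactly as it appears in the input.
func DecodeBase64Strings(data []byte) map[string]string {
	found := make(map[string]string)
	for _, tok := range base64Token.FindAll(data, -1) {
		dec, err := decodeLenient(string(tok))
		if err != nil {
			continue
		}
		if s := string(dec); isPrintableASCII(s) {
			found[string(tok)] = s
		}
	}
	return found
}

// SampleStrings is a constructed stand-in for `strings` output from a sample:
// a few paths and a command wrapped in Base64, the way RedGoBot_v2 stores them,
// mixed with ordinary Go symbol names and a hex blob that must not be reported.
func SampleStrings() []byte {
	enc := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	lines := []string{
		"runtime.main",
		enc("/etc/init.d/"),
		enc(".bashrc"),
		"deadbeefdeadbeef",
		enc("chmod +x bins.sh"),
		"main.ensureSingleInstance",
	}
	return []byte(strings.Join(lines, "\n") + "\n")
}

func main() {
	decoded := DecodeBase64Strings(SampleStrings())
	keys := make([]string, 0, len(decoded))
	for k := range decoded {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-28s -> %q\n", k, decoded[k])
	}
}
```

Run it against `strings -n 8 sample | go run extract.go` style input by replacing SampleStrings() with os.Stdin. Plain symbol names such as ensureSingleInstance are valid Base64 but decode to non-ASCII bytes, so the printable filter removes them; expect a handful of false positives from long alphanumeric build IDs, which are cheap to ignore by eye.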
Persistence
The older version of RedGoBot achieved persistence by creating a malicious service, with the following details:
The new version, however, employs four different persistence methods:
- Creating a service:
- Appending malicious code to the end of the .bashrc file in the current user's home directory:
- Creating a .conf file in the init folder:
- Adding an entry through the crontab command:
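With four persistence paths in play, an incident responder wants one sweep that checks all of them for a known indicator (the dropped binary's path or name) rather than four separate greps. The Go program below is an added example for this article, not code from the sample or from QiAnXin: the list of files it inspects per mechanism, the fixture file names (redgo.service, redgo.conf) and the indicator path /tmp/.x/rgb are assumptions invented for the example. Paths are taken relative to a root so the same sweep runs on a live host ("/") or a mounted disk image.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Hit records one persistence artifact that references the indicator.
type Hit struct {
	Mechanism string // service, bashrc, init-conf or crontab
	Path      string
	Line      string
}

// persistenceGlobs lists, per mechanism, the files to inspect relative to root.
// The exact list is an assumption of this example, not taken from the sample.
var persistenceGlobs = map[string][]string{
	"service":   {"etc/systemd/system/*.service", "lib/systemd/system/*.service", "etc/init.d/*"},
	"bashrc":    {"root/.bashrc", "home/*/.bashrc"},
	"init-conf": {"etc/init/*.conf"},
	"crontab":   {"etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*", "var/spool/cron/*"},
}

// FindPersistence scans the known persistence locations under root and returns
// every line that mentions indicator, sorted by path so the output is stable.
func FindPersistence(root, indicator string) ([]Hit, error) {
	var hits []Hit
	for mech, globs := range persistenceGlobs {
		for _, g := range globs {
			matches, err := filepath.Glob(filepath.Join(root, filepath.FromSlash(g)))
			if err != nil {
				return nil, err
			}
			for _, p := range matches {
				if fi, err := os.Stat(p); err != nil || fi.IsDir() {
					continue // skip directories such as var/spool/cron/crontabs itself
				}
				f, err := os.Open(p)
				if err != nil {
					continue // an unreadable file is not fatal for a triage sweep
				}
				sc := bufio.NewScanner(f)
				for sc.Scan() {
					if line := strings.TrimSpace(sc.Text()); strings.Contains(line, indicator) {
						hits = append(hits, Hit{Mechanism: mech, Path: p, Line: line})
					}
				}
				f.Close()
			}
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Path < hits[j].Path })
	return hits, nil
}

// BuildFixture writes a constructed mini filesystem under dir mimicking a host on
// which all four RedGoBot_v2 persistence methods fired, plus one benign cron job.
// The file names are invented for the fixture.
func BuildFixture(dir, indicator string) error {
	files := map[string]string{
		"etc/systemd/system/redgo.service": "[Service]\nExecStart=" + indicator + "\n[Install]\nWantedBy=multi-user.target\n",
		"home/user/.bashrc":                "# ~/.bashrc\nalias ll='ls -l'\n" + indicator + " &\n",
		"etc/init/redgo.conf":              "start on runlevel [2345]\nexec " + indicator + "\n",
		"var/spool/cron/crontabs/root":     "@reboot " + indicator + "\n",
		"etc/cron.d/logrotate":             "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "rgb-fixture")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	indicator := "/tmp/.x/rgb" // hypothetical dropped-binary path
	if err := BuildFixture(dir, indicator); err != nil {
		panic(err)
	}
	hits, err := FindPersistence(dir, indicator)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-9s %s: %s\n", h.Mechanism, h.Path, h.Line)
	}
}
```

On a real host, run FindPersistence("/", indicator) as root; remember that per-user crontabs live under /var/spool/cron on some distributions and /var/spool/cron/crontabs on others, which is why both globs are listed.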
Singleton Execution
A single running instance is ensured by binding a local port; the port used is 32183:
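The port-based singleton is both the mechanism and a host-level indicator: the bot keeps a listener open on 127.0.0.1:32183 for its whole lifetime, so a second copy fails to bind and exits, and a defender sees the same socket in `ss -lntp`. The Go program below is an added example for this article, not the sample's own ensureSingleInstance() code; it reproduces the Mirai-style check and adds a defender-side probe. The port number comes from the analysis above; everything else is an assumption of the example.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// SingletonAddr is the loopback socket RedGoBot_v2 binds to ensure one instance.
const SingletonAddr = "127.0.0.1:32183"

// EnsureSingleInstance mirrors the Mirai-derived check: bind the port and keep the
// listener open for the life of the process. A second copy cannot bind and exits.
// The listener is returned so the caller owns its lifetime (closing it releases the lock).
func EnsureSingleInstance(addr string) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, fmt.Errorf("another instance holds %s: %w", addr, err)
	}
	return ln, nil
}

// PortHeld is the defender-side probe: it reports whether addr is already bound,
// releasing the socket immediately if it was free. A positive result on the real
// port is a reason to look for the process holding it (ss -lntp shows the PID).
func PortHeld(addr string) bool {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return true
	}
	ln.Close()
	return false
}

func main() {
	ln, err := EnsureSingleInstance(SingletonAddr)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer ln.Close()
	fmt.Println("holding", ln.Addr(), "- held according to probe:", PortHeld(SingletonAddr))
}
```

The probe is only meaningful as a positive signal: any unrelated service could occupy the port, and a bot started before the probe runs would be the one holding it, so confirm with the owning process rather than the port alone.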
Propagation Methods
Besides retaining the Telnet brute-forcing propagation mechanism of the old version, the new version adds SSH brute-forcing. For Telnet it targets 7 ports: 23/2323/80/5523/2601/2002/1025:
It carries 219 username/password pairs for Telnet brute-forcing:
For SSH brute-forcing it targets 5 ports: 22/2222/8888/8443/443:
It also carries 67 username/password pairs for SSH brute-forcing.
Once an SSH or Telnet login succeeds, the following malicious commands are executed on the compromised host:
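The two port lists above are a usable detection signature: a single source touching many distinct host:port pairs drawn from exactly these 12 ports is a worm sweep, whereas an administrator reconnecting to one SSH host is not. The Go program below is an added example for this article, not code from the sample or from QiAnXin's monitoring system. The port sets come from the analysis above; the flow-record format ("timestamp src dst dport"), the constructed traffic (which reuses the scanner IP reported above but invents every destination) and the thresholds of 4 targets and 3 ports are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// TelnetPorts and SSHPorts are the ports RedGoBot_v2 brute-forces, per the analysis above.
var TelnetPorts = map[int]bool{23: true, 2323: true, 80: true, 5523: true, 2601: true, 2002: true, 1025: true}
var SSHPorts = map[int]bool{22: true, 2222: true, 8888: true, 8443: true, 443: true}

// Flow is one connection attempt: source, destination and destination port.
type Flow struct {
	Src, Dst string
	DPort    int
}

// ParseFlows reads whitespace-separated "timestamp src dst dport" records, a
// constructed format standing in for a NetFlow or Zeek conn.log export.
// Blank lines and '#' comments are skipped; a malformed record is an error.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", n+1, len(f))
		}
		port, err := strconv.Atoi(f[3])
		if err != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("line %d: bad port %q", n+1, f[3])
		}
		flows = append(flows, Flow{Src: f[1], Dst: f[2], DPort: port})
	}
	return flows, nil
}

// Alert summarises a source that sweeps the brute-force port set.
type Alert struct {
	Src      string
	Targets  int      // distinct dst:port pairs on the watched ports
	Ports    []int    // distinct watched ports touched, ascending
	Services []string // "telnet" and/or "ssh"
}

// DetectScanners flags sources with at least minTargets distinct dst:port pairs
// and at least minPorts distinct ports from the watched set. Requiring several
// ports separates a worm sweep from one admin reconnecting to a single SSH host.
func DetectScanners(flows []Flow, minTargets, minPorts int) []Alert {
	type key struct {
		dst  string
		port int
	}
	targets := map[string]map[key]bool{}
	for _, f := range flows {
		if !TelnetPorts[f.DPort] && !SSHPorts[f.DPort] {
			continue
		}
		if targets[f.Src] == nil {
			targets[f.Src] = map[key]bool{}
		}
		targets[f.Src][key{f.Dst, f.DPort}] = true
	}
	var alerts []Alert
	for src, set := range targets {
		ports := map[int]bool{}
		for k := range set {
			ports[k.port] = true
		}
		if len(set) < minTargets || len(ports) < minPorts {
			continue
		}
		a := Alert{Src: src, Targets: len(set)}
		for p := range ports {
			a.Ports = append(a.Ports, p)
		}
		sort.Ints(a.Ports)
		telnet, ssh := false, false
		for _, p := range a.Ports {
			telnet = telnet || TelnetPorts[p]
			ssh = ssh || SSHPorts[p]
		}
		if telnet {
			a.Services = append(a.Services, "telnet")
		}
		if ssh {
			a.Services = append(a.Services, "ssh")
		}
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// SampleFlows is constructed traffic: the scanner IP from this report sweeping
// Telnet and SSH ports across a /24, an admin reconnecting to one SSH host, and
// a browser hitting 80 and 443 on one web server (both of which are watched ports).
const SampleFlows = `# ts src dst dport
2023-07-28T10:00:01Z 185.224.128.141 10.0.0.5 23
2023-07-28T10:00:01Z 185.224.128.141 10.0.0.6 2323
2023-07-28T10:00:02Z 185.224.128.141 10.0.0.7 5523
2023-07-28T10:00:02Z 185.224.128.141 10.0.0.8 2601
2023-07-28T10:00:03Z 185.224.128.141 10.0.0.9 22
2023-07-28T10:00:03Z 185.224.128.141 10.0.0.10 2222
2023-07-28T10:00:03Z 185.224.128.141 10.0.0.5 23
2023-07-28T10:01:00Z 10.0.0.2 10.0.0.5 22
2023-07-28T10:02:00Z 10.0.0.2 10.0.0.5 22
2023-07-28T10:03:00Z 10.0.0.2 10.0.0.5 22
2023-07-28T10:04:00Z 10.0.0.3 10.0.0.20 80
2023-07-28T10:04:01Z 10.0.0.3 10.0.0.20 443
`

func main() {
	flows, err := ParseFlows(SampleFlows)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectScanners(flows, 4, 3) {
		fmt.Printf("%s: %d targets on ports %v (%s)\n", a.Src, a.Targets, a.Ports, strings.Join(a.Services, "+"))
	}
}
```

Because 80 and 443 are in the watched set, a lenient threshold such as 2 targets and 2 ports would also flag the ordinary web client; the distinct-port requirement is what keeps the rule specific to the sweep pattern, and a production rule would additionally bound the window in time.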
DDoS Attacks
In the new version of RedGoBot the DDoS attack methods are still dispatched through a Go interface, and the author has added a new wrapper function, main_getAttack(), that selects the attack to run:
This version also introduces several DDoS attack methods that the old version lacked. The newly added methods are:
| Name | Description |
|---|---|
| HttpCache_Send | HTTP Flood (Cache) |
| HttpHead_Send | HTTP Flood (HEAD) |
| IPIP_Send | IP DDoS |
| OVHBypass_Send | OVH DDoS |
| Ssh_Send | SSH DDoS |
Conclusion
Since its initial discovery, RedGoBot has been a relatively sophisticated botnet family. After half a year the author has begun improving the samples. As in the past, the author does not launch large-scale propagation right away: dissemination starts once the new version of the samples is complete and then subsides again:
Below is the recent propagation trend of another C2 address used by RedGoBot_v2. The author has evidently been running propagation tests in recent days:
Based on this analysis and our previous disclosures on the RedGoBot botnet, we draw the following conclusions:
- The group is highly proficient at writing and operating botnets;
- In addition to RedGoBot, the group operates several other botnets, including RedSocksBot and Mirai;
- The group also distributes backdoor trojans for the Windows platform, so its activity is not limited to spreading botnet samples on Linux. However, the worm-like spreading logic of the Windows samples still targets Telnet and SSH services on Linux hosts.
IOCs
RedGoBot_v2 C2:
wq.gy
alternatevm.us
194.55.224.36:6002
Mirai C2:
cnc.wq.gy
cnc.hpyq.cc
cnc.biggieboat.cc
Download URL:
hxxp://185.224.128.141/linux/bins.sh
hxxp://194.180.49.171/linux/bins.sh
MD5:
dcecb4260d05460f75efbc8411f85bec
d7025e72a344bffa7475d7145ff60142
21f6c6644eef92015f88ac1105225408
ff2b13413318142ccb8843299e946fc6
39e70806b717bfc670682bb2b5f6d4a6
3588e0aca3d154b080f46420844bb895
b9fea51c6612715d37020c28ba2d10ce
c3869061a13948549261153e4bb8e93a
ac472c260ad65cdd6babfd2ea13a1d96
c5c2d5b4d4a426ea03be2d41c2498732
886bc578a55604a99e2e9a1903b9af7a
ec5ce68f2354acd0fb538347f098cc05
7c3d7aeb50a4619628428626b85782b5
efec7a2bd92e111716580d79614cda64
31fe0e51626ca2cc7ef520c774748d7a
73a1daf7fbe4ab671d621110c4ed4b02
b79fcc89b74ce2dd12b55c3f36c0ddcf
bf2a4ca1b03dc35fcc4595ad3f03a4d2
ba9da2db798a9d0d2cb116d84ece3df2
e188aacfedf07e6ed629dcaf46eadb97
a5ce1f5b5db5e7574b30379ca26d1551
eb575f965d662a93eaf17999e869b227
c0e9817868eed90cd7a97f9147cde5d6
fbef20c6ec117784243dda663f2889ba
f309c9a475969a731578474527fadfcb
b8956fffc8b12b4effc0d528c77a5b77
75b0ca83968e353d1c823b1e77f9d187