Bulbature, beneath the waves of GobRAT
Essential information
- Published
- 04/10/2024 10:11
- Modified
- 04/10/2024 12:41
- Tags
- 2024-10-04 botnet bulbature china ddos edge devices gobrat orb proxy
- Related entities
- 3 vulnerabilities (cve), 120 observables, 25 techniques (mitre), 2 malware, 9 others
Description
This report examines an infrastructure used to control compromised edge devices transformed into Operational Relay Boxes for launching cyber attacks. The infrastructure, consisting of 63 identified servers, uses GobRAT and Bulbature malware to compromise devices and create a botnet. Features include automated exploitation, DDoS capabilities, and proxy creation. Evidence points to Chinese origin, with targeting focused on North America. The botnet comprised nearly 75,000 compromised devices as of July 2023, primarily Linux routers with ARM architecture. The sophisticated obfuscation and constant evolution of the malware since 2022 demonstrate the operators' intent to conceal their activities and maintain long-term access.