Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Georgian CERT Catches Alleged Georbot Operator On Camera

The hacker alleged to be behind the Georbot attack against the country of Georgia has been caught on camera, the nation’s CERT has said. The eventual outing of the accused botmaster was the result of Georgia CERT’s work, where they used his own malware against him.

The hacker alleged to be behind the Georbot attack against the country of Georgia has been caught on camera, the nation’s CERT has said. The eventual outing of the accused botmaster was the result of Georgia CERT’s work, where they used his own malware against him.

In 2008, a string of DDoS attacks targeting Georgian financial and government websites preceded Russian military actions into the country. This led the public and the Georgian government to speculate that Russia has conducted the world’s first act of cyberwar – where physical military actions were coordinated with cyber activities. Four years later, the speculation remains.

Georbot Operator Caught On CameraEarlier this year, SecurityWeek reported on an ESET report (which CERT-Georgia helped draft) that discussed the use of a new type of malware, named Georbot. Georbot is an information stealing Trojan that was being used to target Georgian nationals. After further investigation, ESET researchers were able to gain access to the control panel of the botnet created with this malware, revealing the extent and the intent of this operation.

Amongst other activities, Georbot will try to steal documents and certificates, can create audio and video recordings and browse the local network for information. One unusual aspect is that it will also look for “Remote Desktop Configuration Files” that enables the people receiving these files to connect to the remote machines without using any exploit.

Georgia’s CERT started investigating the attack, and discovered that the malware was targeting specific keyword strings and document types, most related to NGO activities or linked to various government offices. Tracking those behind the attacks was difficult, as the C&C (command and control) servers would rotate soon after being discovered.

The investigation had shown that Georbot was a limited attack, and that it was targeting the nation directly. This is because only 390 systems were infected, and 70% of them were located in their own backyard. The malware itself had the ability to remain hidden from AV, and as it progressed from version 2.1 to 5.5, it was able to infect fully patched systems – suggesting the use of ZeroDay attack vectors.

Additional findings led them to assume that the Russian government was behind Georbot, as one of the sites used to control infected systems belongs to the RBN (Russian Business Network), and another domain linked to the RBN was written directly into the malware itself. Finally, a domain used to send malicious emails spreading Georbot was registered using the address of the FSB (Russia’s Secret Service / previously known as the KGB).

This is when Georgia CERT took matters in a different direction. They used the Georbot malware and infected a lab system. As expected, the attacker uploaded a specially created ZIP file named “Georgian-NATO Agreement” – which itself was another version of Georbot. Once the ZIP was accessed Georgia CERT now had control over the attacker’s system, because he had infected himself.

Tables turned, Georgia CERT was able to capture video of the attacker, and determine his location, ISP, and other identifying information. In addition, they obtained an email attachment where this person was giving instructions to someone on how to use Georbot and infect systems with it.

Advertisement. Scroll to continue reading.

The 27-page report from Georgia CERT is an interesting read, but despite the clever methods used to track the alleged botmaster down, the links to Russia will remain circumstantial. These days, anyone online can claim to be anywhere at anytime. IP addresses and WHOIS records no longer serve as proof positive.

The entire report is available online here

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.