Security Experts:

Connect with us

Hi, what are you looking for?



Georgian CERT Catches Alleged Georbot Operator On Camera

The hacker alleged to be behind the Georbot attack against the country of Georgia has been caught on camera, the nation’s CERT has said. The eventual outing of the accused botmaster was the result of Georgia CERT’s work, where they used his own malware against him.

The hacker alleged to be behind the Georbot attack against the country of Georgia has been caught on camera, the nation’s CERT has said. The eventual outing of the accused botmaster was the result of Georgia CERT’s work, where they used his own malware against him.

In 2008, a string of DDoS attacks targeting Georgian financial and government websites preceded Russian military actions into the country. This led the public and the Georgian government to speculate that Russia has conducted the world’s first act of cyberwar – where physical military actions were coordinated with cyber activities. Four years later, the speculation remains.

Georbot Operator Caught On CameraEarlier this year, SecurityWeek reported on an ESET report (which CERT-Georgia helped draft) that discussed the use of a new type of malware, named Georbot. Georbot is an information stealing Trojan that was being used to target Georgian nationals. After further investigation, ESET researchers were able to gain access to the control panel of the botnet created with this malware, revealing the extent and the intent of this operation.

Amongst other activities, Georbot will try to steal documents and certificates, can create audio and video recordings and browse the local network for information. One unusual aspect is that it will also look for “Remote Desktop Configuration Files” that enables the people receiving these files to connect to the remote machines without using any exploit.

Georgia’s CERT started investigating the attack, and discovered that the malware was targeting specific keyword strings and document types, most related to NGO activities or linked to various government offices. Tracking those behind the attacks was difficult, as the C&C (command and control) servers would rotate soon after being discovered.

The investigation had shown that Georbot was a limited attack, and that it was targeting the nation directly. This is because only 390 systems were infected, and 70% of them were located in their own backyard. The malware itself had the ability to remain hidden from AV, and as it progressed from version 2.1 to 5.5, it was able to infect fully patched systems – suggesting the use of ZeroDay attack vectors.

Additional findings led them to assume that the Russian government was behind Georbot, as one of the sites used to control infected systems belongs to the RBN (Russian Business Network), and another domain linked to the RBN was written directly into the malware itself. Finally, a domain used to send malicious emails spreading Georbot was registered using the address of the FSB (Russia’s Secret Service / previously known as the KGB).

This is when Georgia CERT took matters in a different direction. They used the Georbot malware and infected a lab system. As expected, the attacker uploaded a specially created ZIP file named “Georgian-NATO Agreement” – which itself was another version of Georbot. Once the ZIP was accessed Georgia CERT now had control over the attacker’s system, because he had infected himself.

Tables turned, Georgia CERT was able to capture video of the attacker, and determine his location, ISP, and other identifying information. In addition, they obtained an email attachment where this person was giving instructions to someone on how to use Georbot and infect systems with it.

The 27-page report from Georgia CERT is an interesting read, but despite the clever methods used to track the alleged botmaster down, the links to Russia will remain circumstantial. These days, anyone online can claim to be anywhere at anytime. IP addresses and WHOIS records no longer serve as proof positive.

The entire report is available online here

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...