Bulbature, beneath the waves of GobRAT

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

This report examines an infrastructure used to control compromised edge devices that have been turned into Operational Relay Boxes (ORBs) for launching cyber attacks. The infrastructure, consisting of 63 identified servers, uses the GobRAT and Bulbature malware to compromise devices and build a botnet. Its features include automated exploitation, DDoS capabilities, and proxy creation. Evidence points to a Chinese origin, with targeting focused on North America. As of July 2023 the botnet comprised nearly 75,000 compromised devices, primarily ARM-based Linux routers. The sophisticated obfuscation and the constant evolution of the malware since 2022 demonstrate the operators' intent to conceal their activities and maintain long-term access.

OPENCTI LABELS :

china,botnet,ddos,proxy,gobrat,orb,edge devices,bulbature
