Linux/Goober.REAL!tr
Analysis
Linux/Goober.REAL!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as Linux/Goober.REAL!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is associated with the Realtek SDK outbreak and involves the CVE-2022-30525, CVE-2021-22205 and CVE-2021-35394 vulnerabilities.
- Linux/Goober.REAL!tr is a DDoS botnet. It attempts to gain access to a victim's system and then waits for commands from the control server. The malware may perform malicious actions such as distributed denial-of-service (DDoS) attacks.
- The CVE identifiers included in this detection are:
  - CVE-2022-30525: vulnerability affecting the firmware that enables file modification using OS commands.
  - CVE-2021-22205: vulnerability affecting GitLab CE/EE updates, resulting in remote command execution.
  - CVE-2021-35394: vulnerability affecting the Realtek Jungle SDK version v2.x to v3.4.14B, leading to memory corruption and arbitrary command injection.
- The following are some IP addresses the botnet may attempt to connect to:
- 79.13.[removed].177
- This malware has been associated with the following third-party articles/advisories:
  - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
  - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
  - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
- MD5: b360fa11aef049d8ae4ec4549c27f8ef, SHA256: 51ad00f88bbbef8491cbc209c1739eda406750630939e5c38d4a9ec6b9032c8a
- MD5: c17608e6e32d0764e1b2b5b1e8393b26, SHA256: ad0c13bb133e2c6a91290f046d9080dfcf14e6c0641bb86a091b1a9cdc13f6b2
- MD5: c5d7b0c26a272534bdce75257214093a, SHA256: a7477fae65f405d7fbb7a36346b9b4ebc21d44f16b646354545761b9c2663447
- MD5: 08e110aad0bf09c2cdd64b0df0733b25, SHA256: c09c356e1e073c0c641d5740c53ed2c01a9974caa6db1e9e5a085cf15597cbe3
- MD5: ff3dd951f62d20ecc66450f8bb783f0d, SHA256: 63b0de8f12be025756b23f665d98eaa6db8aab7a56b89ac2af5b94bff81a8d1f
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
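As an added example (not part of the Fortinet page or of any Fortinet product), the following Python script sweeps a directory for files whose MD5 or SHA256 matches the sample hashes listed above and moves each hit into a quarantine directory rather than deleting it, so the file can be examined and then replaced from a clean backup as the recommended action describes. The hashes are the page's own; the function names, the quarantine directory layout and the `.quarantined` suffix are assumptions made for this example.

```python
# Added example (not from the Fortinet page): hash-based IoC sweep for the
# Linux/Goober.REAL!tr samples listed above, with an optional quarantine step.
import hashlib
import os
import shutil
from pathlib import Path

# IoC hashes copied from the page above (MD5 / SHA256 of the listed samples).
GOOBER_MD5 = {
    "b360fa11aef049d8ae4ec4549c27f8ef",
    "c17608e6e32d0764e1b2b5b1e8393b26",
    "c5d7b0c26a272534bdce75257214093a",
    "08e110aad0bf09c2cdd64b0df0733b25",
    "ff3dd951f62d20ecc66450f8bb783f0d",
}
GOOBER_SHA256 = {
    "51ad00f88bbbef8491cbc209c1739eda406750630939e5c38d4a9ec6b9032c8a",
    "ad0c13bb133e2c6a91290f046d9080dfcf14e6c0641bb86a091b1a9cdc13f6b2",
    "a7477fae65f405d7fbb7a36346b9b4ebc21d44f16b646354545761b9c2663447",
    "c09c356e1e073c0c641d5740c53ed2c01a9974caa6db1e9e5a085cf15597cbe3",
    "63b0de8f12be025756b23f665d98eaa6db8aab7a56b89ac2af5b94bff81a8d1f",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streaming so large files need not fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_directory(root, md5_set=GOOBER_MD5, sha256_set=GOOBER_SHA256):
    """Walk `root` and return a list of (path, matched_digest) for files whose
    SHA256 or MD5 appears in the IoC sets. Symlinks are skipped so a link into
    /proc or a directory loop cannot derail the sweep; unreadable files are
    skipped rather than aborting the whole run."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            # Prefer the SHA256 match; fall back to MD5 only when SHA256 is unknown.
            if sha256 in sha256_set:
                matches.append((str(path), sha256))
            elif md5 in md5_set:
                matches.append((str(path), md5))
    return matches


def quarantine(path, quarantine_dir):
    """Move a matched file into `quarantine_dir` (assumed layout for this example),
    drop its execute bits, and return the new location. The file is kept, not
    deleted, so it can be examined before being replaced from a clean backup."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (Path(path).name + ".quarantined")
    shutil.move(str(path), str(dest))
    dest.chmod(0o600)
    return str(dest)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, digest in scan_directory(root):
        print(f"MATCH {digest} {hit_path}")
```

Run it as `python goober_sweep.py /path/to/scan` to list matches; call `quarantine()` on each hit to move it aside. SHA256 is checked first because MD5 collisions are cheap to construct, so an MD5-only hit is weaker evidence than a SHA256 hit.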
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR