Linux/Goober.REAL!tr

Analysis

Linux/Goober.REAL!tr is a generic detection for a trojan.
Because this is a generic detection, samples detected as Linux/Goober.REAL!tr may vary in behaviour.
Below are some of the observed characteristics and behaviours:

  • This malware is associated with the Realtek SDK outbreak and involves the CVE-2022-30525, CVE-2021-22205 and CVE-2021-35394 vulnerabilities.

  • Linux/Goober.REAL!tr is a DDoS botnet. It attempts to gain access to a victim's system and then waits for commands from the control server. The malware may perform malicious actions such as distributed denial-of-service (DDoS) attacks.

  • The CVE identifiers included in this detection are:
    • CVE-2022-30525:
      • vulnerability affecting the firmware that enables file modification using OS commands.
    • CVE-2021-22205:
      • vulnerability affecting the GitLab CE/EE updates resulting in remote command execution.
    • CVE-2021-35394:
      • vulnerability affecting the Realtek Jungle SDK version v2.x to v3.4.14B leading to memory corruption and arbitrary command injection.

  • The following are some of the IP addresses the botnet may attempt to connect to:
    • 79.13.[removed].177

  • This malware has been associated with the following third-party articles/advisories:
    • https://nvd.nist.gov/vuln/detail/CVE-2022-30525
    • https://nvd.nist.gov/vuln/detail/CVE-2021-22205
    • https://nvd.nist.gov/vuln/detail/CVE-2021-35394

  • Below are some of the malware's capabilities:

    • Figure 1: Attempts to download a malicious payload.

  • The following are some of the IOCs (exact and near-match file hashes) associated with this detection:
    • MD5: b360fa11aef049d8ae4ec4549c27f8ef
      SHA256: 51ad00f88bbbef8491cbc209c1739eda406750630939e5c38d4a9ec6b9032c8a
    • MD5: c17608e6e32d0764e1b2b5b1e8393b26
      SHA256: ad0c13bb133e2c6a91290f046d9080dfcf14e6c0641bb86a091b1a9cdc13f6b2
    • MD5: c5d7b0c26a272534bdce75257214093a
      SHA256: a7477fae65f405d7fbb7a36346b9b4ebc21d44f16b646354545761b9c2663447
    • MD5: 08e110aad0bf09c2cdd64b0df0733b25
      SHA256: c09c356e1e073c0c641d5740c53ed2c01a9974caa6db1e9e5a085cf15597cbe3
    • MD5: ff3dd951f62d20ecc66450f8bb783f0d
      SHA256: 63b0de8f12be025756b23f665d98eaa6db8aab7a56b89ac2af5b94bff81a8d1f
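The hash list above is only useful if it is actually checked against files on a host. The script below is an added example, not Fortinet's code or part of this encyclopedia entry: it embeds the MD5/SHA-256 pairs listed on this page, hashes files in one pass, and reports an "exact" match when both digests agree with the same indicator, or a partial ("md5-only" / "sha256-only") match that an analyst should review by hand. The file paths given on the command line and the benign sample bytes in the code are constructed for illustration.

```python
"""Offline IOC check for the Linux/Goober.REAL!tr file hashes listed on this page.

Added example (not from the original page). Usage:
    python ioc_check.py /path/to/dir_or_file ...
"""
import hashlib
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# MD5 -> SHA-256 pairs copied verbatim from the IOC list on this page.
IOC_HASHES = {
    "b360fa11aef049d8ae4ec4549c27f8ef": "51ad00f88bbbef8491cbc209c1739eda406750630939e5c38d4a9ec6b9032c8a",
    "c17608e6e32d0764e1b2b5b1e8393b26": "ad0c13bb133e2c6a91290f046d9080dfcf14e6c0641bb86a091b1a9cdc13f6b2",
    "c5d7b0c26a272534bdce75257214093a": "a7477fae65f405d7fbb7a36346b9b4ebc21d44f16b646354545761b9c2663447",
    "08e110aad0bf09c2cdd64b0df0733b25": "c09c356e1e073c0c641d5740c53ed2c01a9974caa6db1e9e5a085cf15597cbe3",
    "ff3dd951f62d20ecc66450f8bb783f0d": "63b0de8f12be025756b23f665d98eaa6db8aab7a56b89ac2af5b94bff81a8d1f",
}
IOC_SHA256 = set(IOC_HASHES.values())


@dataclass(frozen=True)
class HashMatch:
    path: str
    md5: str
    sha256: str
    kind: str  # "exact", "md5-only" or "sha256-only"


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Hash a file once, feeding both digests from the same read loop."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def classify(md5: str, sha256: str) -> Optional[str]:
    """Compare a digest pair against the IOC list.

    "exact"       both digests match the same indicator
    "md5-only"    MD5 matches but SHA-256 differs: possible collision or
                  truncated/appended file, treat as a near match to review
    "sha256-only" SHA-256 matches but the MD5 does not (inconsistent data,
                  e.g. a mistyped indicator), also worth reviewing
    None          no match
    """
    md5 = md5.lower()
    sha256 = sha256.lower()
    expected_sha = IOC_HASHES.get(md5)
    if expected_sha == sha256:
        return "exact"
    if expected_sha is not None:
        return "md5-only"
    if sha256 in IOC_SHA256:
        return "sha256-only"
    return None


def iter_files(roots: Iterable[str]) -> Iterable[str]:
    """Yield regular files under each root (a root may itself be a file)."""
    for root in roots:
        if os.path.isfile(root):
            yield root
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)


def scan_paths(roots: Iterable[str]) -> List[HashMatch]:
    """Hash every file under the given roots and collect IOC matches.
    Unreadable files (permissions, vanished temp files) are skipped."""
    matches: List[HashMatch] = []
    for path in iter_files(roots):
        try:
            md5, sha256 = hash_file(path)
        except OSError:
            continue
        kind = classify(md5, sha256)
        if kind is not None:
            matches.append(HashMatch(path, md5, sha256, kind))
    return matches


if __name__ == "__main__":
    # Constructed benign sample: demonstrates the no-match path without touching disk.
    sample_md5, sample_sha = hash_bytes(b"constructed benign sample, not malware")
    print("benign sample ->", classify(sample_md5, sample_sha))
    for m in scan_paths(sys.argv[1:]):
        print(f"{m.kind:12} {m.path}  md5={m.md5}  sha256={m.sha256}")
```

Run it against directories where droppers for this family would land on an embedded Linux host (for example temporary or writable locations). An "exact" hit is a candidate for the quarantine/restore steps in the Recommended Action section; a partial hit is a prompt to pull the file for analysis rather than a verdict.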

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2023-03-22  91.01665
2023-03-21  91.01634
2023-03-21  91.01631