The Solar 4RAYS Cyber Threat Research Center has discovered a unique GoblinRAT virus that has been attacking Russian departments and IT companies serving the public sector for at least three years. The press service of the Solar group of companies reported this to RB.RU.

The Solar Group reported on a unique virus that had been attacking Russian departments for three years

They added that with the help of this malware, the attackers gained full control over the victims’ infrastructure and the first traces of infection date back to 2020. Now GoblinRAT has been removed from the attacked networks, Solar said.

The virus was first discovered in 2023 during an investigation into an incident at one of the IT companies. Their internal cybersecurity specialists noticed the deletion of system logs on one of the servers and the downloading of a utility to steal account passwords from a domain controller. Employees launched an investigation and hired experts from Solar 4RAYS.

Specialists at the Cyber Threat Research Center discovered malicious code masquerading as a legitimate application process. The parameters of the malicious process did not stand out in any way and the file that started it differed from the legitimate one by a single letter in the name.

A more detailed analysis revealed that GoblinRAT does not have automatic persistence functions: each time, the hackers first studied the characteristics of the target infrastructure (software used and others) and then introduced the virus under the guise of one of the applications running on the specific system being attacked.
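The one-letter name difference described above lends itself to a simple check. The following is an added example, not code from Solar 4RAYS or the original article: it compares the names of running executables with a baseline of applications known to be installed on a host and flags any name exactly one edit away from a baseline entry. The baseline, the process list and all names in it are constructed for illustration.

```python
from pathlib import PurePosixPath


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("ngixn" vs "nginx") also counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def find_lookalikes(processes, baseline, min_len=4):
    """Return (pid, exe, legit_name) for executables named one edit from a baseline name.

    processes: iterable of (pid, exe_path); baseline: set of legitimate names.
    Baseline names shorter than min_len are skipped: very short names sit one
    edit away from many unrelated tools and would only produce noise.
    """
    hits = []
    for pid, exe in processes:
        name = PurePosixPath(exe).name.lower()
        if name in baseline:
            continue  # exact match with an installed application
        for legit in sorted(baseline):
            if len(legit) >= min_len and edit_distance(name, legit) == 1:
                hits.append((pid, exe, legit))
                break
    return hits


# Constructed sample data: names, PIDs and paths are illustrative only.
BASELINE = {"nginx", "postgres", "chronyd", "sh"}
SAMPLE_PROCESSES = [
    (812, "/usr/sbin/nginx"),
    (1044, "/usr/lib/postgresql/16/bin/postgres"),
    (2210, "/usr/sbin/chronyb"),  # one letter off "chronyd"
    (3001, "/usr/bin/ss"),        # one edit from "sh", ignored by the length guard
]

if __name__ == "__main__":
    for pid, exe, legit in find_lookalikes(SAMPLE_PROCESSES, BASELINE):
        print(f"pid {pid}: {exe} resembles installed application '{legit}'")
```

Because the attackers picked a different application on each system, the baseline has to be built per host from what is actually installed there rather than from a fixed list.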

In total, GoblinRAT was detected in four organizations and in each of them the attackers gained remote access with administrator rights to all network segments. Solar 4RAYS experts found evidence indicating that in at least one of the attacked infrastructures, hackers had that access for three years, with the shortest attack with this virus lasting approximately six months.


Author:

Bogdan Muzychenko

Source: RB
