GoBackClient Analysis Report (INT00010670)

The submitted samples were identified as GoBackClient, a cross-platform backdoor written in Golang, which was first observed in mid-2022. Several samples have been observed using the Quixotic and Quicksand parsers, which are commonly linked to malware used by the Qakbot Group. In late 2022, Bitdefender observed GoBackClient being deployed in attacks using the ProxyNotShell exploit chains. Both Windows and Linux versions of the malware have been identified.

Upon execution, GoBackClient collects basic system information and can beacon to, and respond to commands from, its C2. It may also optionally install itself as a service for persistence. GoBackClient's primary capabilities include creating a SOCKS proxy using the Chisel library for network tunnelling, running a file manager, and starting a reverse shell. The reverse shell functionality provides a range of additional commands and capabilities, including beacon install, persistence, and management; file upload and download; installation and management of plugins; and the installation of the AnyDesk software for remote access.

GoBackClient also uses a domain generation algorithm (DGA) to generate additional C2 server domains if its configured C2 address is unavailable.

Threat Type: Malware

Sample Indicators of Compromise:

- 94.131.101.162 and 37.1.212.90 (the two addresses are run together in the extracted text; the split could also read 94.131.101.16 and 237.1.212.90)
- 9dbb19e57ecd87edc102abc12bbafc1be5af2ac44cd2a30b8e8c3340b6816c0e (SHA-256)
- 144.172.122.14
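The indicators above are most useful when matched against proxy, firewall and endpoint logs, since the backdoor's Chisel SOCKS tunnel and beaconing both produce outbound connections to the C2 addresses. The following Python script is an added example, not part of the original report or of any vendor tooling: it extracts IPv4 addresses and SHA-256 hashes from log lines, normalises them, and reports exact matches against the report's indicators. The log lines are constructed for illustration, and the indicator sets are deliberately limited to the unambiguous values from the report (the hash and 144.172.122.14); the remaining C2 addresses should be added once confirmed from the original source.

```python
"""Match GoBackClient indicators of compromise against log lines.

Added example, not code from the original report. Indicator values are
those listed in the report above; log lines are constructed samples.
"""
import ipaddress
import re

# Indicators taken from the report. Only the unambiguous values are used here;
# extend these sets with the remaining C2 addresses once confirmed.
GOBACKCLIENT_C2_IPS = {"144.172.122.14"}
GOBACKCLIENT_SHA256 = {
    "9dbb19e57ecd87edc102abc12bbafc1be5af2ac44cd2a30b8e8c3340b6816c0e",
}

# \b on both sides prevents 144.172.122.140 from matching 144.172.122.14 as a
# substring; the ipaddress check drops dotted numbers that are not valid IPv4.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed sample log lines (not real telemetry): a proxy CONNECT to the C2,
# an EDR file-creation event carrying the sample hash in upper case, a near-miss
# address that must not match, and a benign DNS query.
SAMPLE_LOGS = [
    "2023-01-10T09:12:01Z proxy CONNECT 144.172.122.14:443 from 10.0.0.15",
    "2023-01-10T09:12:05Z edr file_create path=C:\\Users\\Public\\svc.exe "
    "sha256=9DBB19E57ECD87EDC102ABC12BBAFC1BE5AF2AC44CD2A30B8E8C3340B6816C0E",
    "2023-01-10T09:13:00Z proxy CONNECT 144.172.122.140:443 from 10.0.0.15",
    "2023-01-10T09:14:00Z dns query example.com from 10.0.0.15",
]


def _is_valid_ipv4(candidate):
    """Return True only for syntactically valid IPv4 addresses (octets <= 255)."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False


def extract_indicators(line):
    """Return (ips, sha256s) found in a single log line, normalised to lower case."""
    ips = {m for m in IPV4_RE.findall(line) if _is_valid_ipv4(m)}
    hashes = {m.lower() for m in SHA256_RE.findall(line)}
    return ips, hashes


def scan(lines, c2_ips=GOBACKCLIENT_C2_IPS, sha256s=GOBACKCLIENT_SHA256):
    """Scan log lines and return (line_number, indicator_type, value) for each exact hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        ips, hashes = extract_indicators(line)
        for ip in sorted(ips & c2_ips):
            hits.append((number, "c2_ip", ip))
        for digest in sorted(hashes & sha256s):
            hits.append((number, "sha256", digest))
    return hits


if __name__ == "__main__":
    for line_number, kind, value in scan(SAMPLE_LOGS):
        print(f"line {line_number}: {kind} match {value}")
```

Running the script reports the CONNECT on line 1 and the hash on line 2 only; the near-miss address on line 3 is rejected by the word-boundary anchors, and the upper-case hash is matched after normalisation.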
