win.sockbot

Sockbot


Sockbot is a customized fork, written in Go, of the open-source Ligolo reverse tunneling tool. The threat actors who rewrote the code made several modifications, e.g. execution checks and hardcoded values.
Ligolo: https://github.com/sysdream/ligolo

References
2022-08-04 | YouTube (Security Joes) | Ido Naor, Felipe Duarte
Sockbot In Goland - Linking APT Actors With Ransomware Gangs
https://www.youtube.com/watch?v=CAMnuhg-Qos
@online{naor:20220804:sockbot:c6eedb6, author = {Ido Naor and Felipe Duarte}, title = {{Sockbot In Goland - Linking APT Actors With Ransomware Gangs}}, date = {2022-08-04}, organization = {YouTube (Security Joes)}, url = {https://www.youtube.com/watch?v=CAMnuhg-Qos}, language = {English}, urldate = {2022-08-08} }
Families: Sockbot

2022-03-09 | Security Joes | Felipe Duarte, Ido Naor
Sockbot in GoLand
https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
@techreport{duarte:20220309:sockbot:a9095cc, author = {Felipe Duarte and Ido Naor}, title = {{Sockbot in GoLand}}, date = {2022-03-09}, institution = {Security Joes}, url = {https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf}, language = {English}, urldate = {2022-03-10} }
Families: lsassDumper, Sockbot

2022-03-09 | Bleeping Computer | Bill Toulas
Hackers fork open-source reverse tunneling tool for persistence
https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/
@online{toulas:20220309:hackers:c44fb65, author = {Bill Toulas}, title = {{Hackers fork open-source reverse tunneling tool for persistence}}, date = {2022-03-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/}, language = {English}, urldate = {2022-03-10} }
Families: lsassDumper, Sockbot
Yara Rules
[TLP:WHITE] win_sockbot_w0 (20220310 | Detects Go binary Sockbot)
rule win_sockbot_w0 {
	meta:
		author = "Felipe Duarte, Security Joes"
		description = "Detects Go binary Sockbot"
		hash = "7dc13eae4e15869024ec1fd2650e4f8444d53dfa2dd7d302f845cd94289fe5f2"
		malpedia_rule_date = "20220310"
		malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot"
		malpedia_version = "20220310"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$str1 = "main.handleRelay"
		$str2 = "main.verifyTlsCertificate"
		$str3 = "main.FindProcess"
		$str4 = "main.hideConsole"
		$str5 = "main.startSocksProxy"
		$str6 = "main.CreateSchedTask"
		$str7 = "main.relay"
		$str8 = "Connecting to relay server..."
		$str9 = "Could not start SOCKS5 proxy !"
	condition:
		uint16(0) == 0x5A4D
		and all of them
}
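The rule above keys on Go function names from the `main` package (these survive `-ldflags "-s -w"` because the Go runtime keeps them in the pclntab for stack traces) plus two status strings, and its condition is `all of them`: a single renamed symbol in a later build of the fork is enough to evade it. The following script is an added example, not code from Malpedia or Security Joes. It re-implements the rule's logic in pure Python so that an analyst can see per-string hits and the fraction covered, which is what you want when triaging a variant that partially matches. The sample buffers are constructed test data, not real Sockbot samples; a real scan would read the PE from disk via `scan_file`.

```python
"""Added example: evaluate win_sockbot_w0's strings and condition in Python,
reporting per-string coverage instead of only the all-or-nothing verdict."""
from __future__ import annotations

# Strings copied from win_sockbot_w0 (Felipe Duarte, Security Joes).
SOCKBOT_STRINGS = {
    "str1": b"main.handleRelay",
    "str2": b"main.verifyTlsCertificate",
    "str3": b"main.FindProcess",
    "str4": b"main.hideConsole",
    "str5": b"main.startSocksProxy",
    "str6": b"main.CreateSchedTask",
    "str7": b"main.relay",
    "str8": b"Connecting to relay server...",
    "str9": b"Could not start SOCKS5 proxy !",
}


def is_mz(data: bytes) -> bool:
    """YARA's `uint16(0) == 0x5A4D`: little-endian 'MZ' at offset 0."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def string_hits(data: bytes) -> dict[str, bool]:
    """Plain substring search, the same thing YARA does for ASCII strings."""
    return {name: pat in data for name, pat in SOCKBOT_STRINGS.items()}


def coverage(data: bytes) -> float:
    """Fraction of the rule's strings present; useful for near-miss triage."""
    hits = string_hits(data)
    return sum(hits.values()) / len(hits)


def rule_fires(data: bytes) -> bool:
    """The rule's condition: MZ header and `all of them`."""
    return is_mz(data) and all(string_hits(data).values())


def build_sample(omit: tuple[str, ...] = ()) -> bytes:
    """Constructed stand-in for a Go PE: 'MZ', a padded DOS header, then the
    symbol/status strings NUL-separated as they would sit in the binary.
    `omit` drops named strings to simulate a modified build."""
    body = b"\x00".join(
        pat for name, pat in SOCKBOT_STRINGS.items() if name not in omit
    )
    return b"MZ" + b"\x00" * 62 + body + b"\x00"


def scan_file(path: str) -> dict:
    """Scan a real file and return verdict, coverage and per-string hits."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "mz": is_mz(data),
        "fires": rule_fires(data),
        "coverage": coverage(data),
        "hits": string_hits(data),
    }


if __name__ == "__main__":
    full = build_sample()
    variant = build_sample(omit=("str4",))  # hideConsole renamed/removed
    for label, buf in (("full", full), ("variant", variant)):
        hits = string_hits(buf)
        missing = [n for n, h in hits.items() if not h]
        print(f"{label}: fires={rule_fires(buf)} "
              f"coverage={coverage(buf):.2f} missing={missing}")
```

`coverage` is the practical addition: a build that keeps 8 of 9 strings will not fire the rule but is still worth a manual look, and the missing name tells you which symbol the actor touched. If you loosen the rule itself, prefer `uint16(0) == 0x5A4D and 7 of them` over dropping strings, so the DOS-header check still anchors the match.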