At the end of November 2022, researchers detected an incident where a malicious sample from an unknown family exploited the Vacron NVR RCE vulnerability to spread. After a detailed analysis, researchers concluded that this series of samples does not belong to known malicious families. The malicious sample will print the string "GoBot" when it runs, and refer to the author's output "@redbot on top" on his property website.

GoBot is a new family of malicious applications written in Go. It uses the new Go language to prevent detection and analysis by antivirus software, improve performance and increase the flexibility of malicious attacks. It is mainly distributed via the Vacron NVR RCE vulnerability and exploits similar vulnerabilities on other devices to spread.

In this bug, there are many ways to trigger it: an attacker could send a specially crafted packet to trigger an out-of-bounds read or writes an invalid memory address with a modified packet size.

The initial variant of GoBot was released in February 2013. A major update was released in August 2014, and another major update was released in January 2017, which includes 3 new variants: GoBot.SPAWN, GoBot.3219_SURF and GoBot.3497_WASTE.

‍

Source: RedGoBot - DDoS botnet written in the new Go language - AlienVault - Open Threat Exchange