Recently discovered Golang-based botnet malware searches and infects web servers running phpMyAdmin, MySQL, FTP and Postgres services.

According to Palo Alto Networks Unit 42 researchers, who first spotted it in the wild and dubbed it GoBruteforcer, the malware is compatible with x86, x64 and ARM architectures.

GoBruteforcer will brute force accounts with weak or default passwords to hack into vulnerable *nix devices.

“For successful execution, the samples require special conditions on the victim system, such as specific arguments used and targeted services already installed (with weak passwords),” the researchers said.

For each targeted IP address, the malware starts searching for phpMyAdmin, MySQL, FTP and Postgres services. After detecting an open port accepting connections, it will attempt to connect using hard-coded credentials.

Once inside, it deploys an IRC bot to compromised phpMyAdmin systems or a PHP web shell to servers running other targeted services.

In the next phase of the attack, GoBruteforcer will contact its command and control server and wait for the instructions which will be delivered via the previously installed IRC bot or web shell.

[Figure: GoBruteforcer Attack Flow (Unit 42)]

The botnet uses a multiscan module to find potential victims within a classless inter-domain routing (CIDR) block, granting it a wide selection of targets for infiltrating networks.

Before looking for IP addresses to attack, GoBruteforcer chooses a CIDR block and will target all IP addresses in that range.

Rather than targeting a single IP address, the malware uses CIDR block analysis to access a diverse range of hosts on different IP addresses, increasing the scope of the attack.
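The behaviour described above, a single source hitting several authentication services in quick succession with hard-coded credentials, is noisy in server logs. The following detector is an added example written for this article, not code from Unit 42 or from the malware; it runs a sliding-window count of authentication failures per source address over normalised events and flags a source only when it fails repeatedly across more than one service, which is the cross-service pattern a brute-forcer sweeping a CIDR block produces. The log lines, their one-line-per-event format, the threshold and the window are all constructed assumptions; a real deployment would feed it events parsed from MySQL, PostgreSQL, FTP and web-server auth logs.

```python
"""Flag sources that fail authentication repeatedly across several services.

Added illustration, not Unit 42 or GoBruteforcer code. Events are assumed to
have been normalised to one line each: "timestamp service src_ip user result".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source sprays MySQL, Postgres
# and FTP, then logs in successfully; a second source is a single typo.
SAMPLE_LOG = """\
2023-03-10T10:00:01Z mysql 203.0.113.7 root FAIL
2023-03-10T10:00:02Z mysql 203.0.113.7 root FAIL
2023-03-10T10:00:03Z mysql 203.0.113.7 admin FAIL
2023-03-10T10:00:04Z postgres 203.0.113.7 postgres FAIL
2023-03-10T10:00:05Z postgres 203.0.113.7 postgres FAIL
2023-03-10T10:00:06Z ftp 203.0.113.7 anonymous FAIL
2023-03-10T10:00:07Z ftp 203.0.113.7 ftp OK
2023-03-10T10:00:30Z mysql 198.51.100.5 app FAIL
2023-03-10T10:05:40Z mysql 198.51.100.5 app OK
2023-03-10T10:00:50Z phpmyadmin 203.0.113.7 root OK
"""


def parse_events(text):
    """Parse the assumed normalised format into (ts, service, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       service, ip, user, result))
    events.sort(key=lambda e: e[0])  # logs from several daemons are rarely in order
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                      min_services=2):
    """Return {src_ip: finding} for sources with >= threshold failures inside
    `window` spread over >= min_services services. Any successful login from a
    flagged source while the window is still full is recorded too, because a
    success after a spray is the event that needs an incident responder.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, service) failures
    findings = {}
    for ts, service, ip, user, result in events:
        q = recent[ip]
        if result == "FAIL":
            q.append((ts, service))
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        services = {s for _, s in q}
        if len(q) >= threshold and len(services) >= min_services:
            finding = findings.setdefault(ip, {})
            finding["failures"] = len(q)
            finding["services"] = sorted(services)
        if result == "OK" and ip in findings:
            findings[ip].setdefault("successes", []).append((service, user))
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

The single-service threshold is deliberately not the trigger: ordinary users lock themselves out of one service, but a source that fails against MySQL, Postgres and FTP within minutes is scanning, and the `successes` entry tells the responder which credential finally worked and therefore where to look for the dropped IRC bot or web shell.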

GoBruteforcer is likely under active development, with its operators needing to adapt their tactics and the malware’s capabilities to target web servers and stay ahead of security defenses.

“We’ve seen this malware remotely deploy a variety of different types of malware as payloads, including coin miners,” Unit 42 added.

“We believe GoBruteforcer is in active development and as such things such as initial infection vectors or payloads may change in the near future.”
