A recently found Golang-based botnet malware searches for and attacks web servers running the phpMyAdmin, MySQL, FTP, and Postgres services.
The malware runs on x86, x64, and ARM architectures, according to researchers from Palo Alto Networks' Unit 42, who discovered it in the wild and named it GoBruteforcer. To break into vulnerable *nix devices, GoBruteforcer brute-forces accounts that use weak or default credentials.
According to the researchers, the samples require specific conditions on the victim machine in order to execute successfully, such as particular command-line arguments and the presence of the targeted services (configured with weak passwords).
How GoBruteforcer Malware Works
For each targeted IP address, the malware first scans for the phpMyAdmin, MySQL, FTP, and Postgres services. Once it finds an open port that accepts connections, it tries to log in with hard-coded credentials. Once inside, it deploys an IRC bot on compromised phpMyAdmin systems, or a PHP web shell on hosts running the other targeted services. In the next phase of the attack, GoBruteforcer connects to its command-and-control server and waits for commands, which are delivered through the previously installed IRC bot or web shell.
[Figure: GoBruteforcer attack flow (Unit 42)]
The botnet can reach a wide range of targets because it uses a multiscan module to identify potential victims within a Classless Inter-Domain Routing (CIDR) block. GoBruteforcer selects a CIDR block and targets every IP address within that range, rather than picking individual IP addresses to attack.
By scanning whole CIDR blocks instead of focusing on a single IP address, the malware widens the attack to a large variety of hosts across many addresses. GoBruteforcer is probably still in active development, and its operators are expected to keep changing their tactics and extending the malware's ability to target web servers while evading security controls.
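Detection logic for the sweep pattern described above, written as an added example for this article (it is not Unit 42's code or part of the original report): it aggregates failed logins on the four services GoBruteforcer probes and flags a source whose failures span many distinct hosts inside one CIDR block. The log lines, their format and the alert threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified auth-failure lines from a central log collector
# (hypothetical format: "<ts> <dest-host> <service>: auth failure user=<u> src=<ip>").
# The service names correspond to the ones GoBruteforcer scans for.
SAMPLE_LOGS = """\
2023-03-10T10:00:01Z 10.0.5.11 mysqld: auth failure user=root src=203.0.113.7
2023-03-10T10:00:02Z 10.0.5.12 vsftpd: auth failure user=admin src=203.0.113.7
2023-03-10T10:00:03Z 10.0.5.13 postgres: auth failure user=postgres src=203.0.113.7
2023-03-10T10:00:04Z 10.0.5.14 phpmyadmin: auth failure user=root src=203.0.113.7
2023-03-10T10:00:05Z 10.0.5.15 mysqld: auth failure user=root src=203.0.113.7
2023-03-10T10:00:06Z 10.0.5.16 postgres: auth failure user=postgres src=203.0.113.7
2023-03-10T10:02:00Z 10.0.5.11 mysqld: auth failure user=root src=198.51.100.9
2023-03-10T10:02:30Z 10.0.5.11 mysqld: auth failure user=root src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): auth failure user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TARGET_SERVICES = {"mysqld", "vsftpd", "postgres", "phpmyadmin"}

def parse(lines):
    """Yield (host, service, user, src) for lines in the collector format that
    concern one of the targeted services."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m and m["svc"] in TARGET_SERVICES:
            yield m["host"], m["svc"], m["user"], m["src"]

def find_cidr_sweeps(lines, min_hosts=4, prefix=24):
    """Return {src: {"hosts": n, "services": [...], "block": cidr}} for each source
    whose failed logins hit at least min_hosts distinct destinations inside one
    /prefix block. One source hammering a single host is ordinary brute force;
    one source walking a block is the multiscan pattern (threshold is an assumption)."""
    by_src = defaultdict(lambda: {"hosts": set(), "services": set()})
    for host, svc, _user, src in parse(lines):
        by_src[src]["hosts"].add(host)
        by_src[src]["services"].add(svc)
    alerts = {}
    for src, info in by_src.items():
        blocks = defaultdict(set)  # group the hit hosts by their /prefix network
        for h in info["hosts"]:
            blocks[str(ipaddress.ip_network(f"{h}/{prefix}", strict=False))].add(h)
        block, hosts = max(blocks.items(), key=lambda kv: len(kv[1]))
        if len(hosts) >= min_hosts:
            alerts[src] = {"hosts": len(hosts), "services": sorted(info["services"]), "block": block}
    return alerts

if __name__ == "__main__":
    for src, a in find_cidr_sweeps(SAMPLE_LOGS).items():
        print(f"{src}: {a['hosts']} hosts in {a['block']} via {', '.join(a['services'])}")
```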
Unit 42 continued, "We've seen this malware remotely deploy a variety of various kinds of malware as payloads, including coinminers. We think GoBruteforcer is still under development, so initial infection vectors or payloads might alter in the near future."