13 March 2023

New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP and Postgres servers

Researchers at Palo Alto Networks’ Unit 42 have discovered a new Go-based malware strain that is being used to attack web servers running phpMyAdmin, MySQL, FTP and Postgres services.

Dubbed “GoBruteforcer,” the malware uses brute-force techniques to compromise servers and ensnare them into a botnet. The malware is compatible with x86, x64, and ARM architectures.

“For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords),” according to Unit 42’s report.

The researchers were not able to identify the initial infection vector for GoBruteforcer and the associated PHP web shell campaign. They believe that GoBruteforcer is still under active development, meaning that the initial infection vectors or payloads could change in the near future.

For each targeted IP address, the malware scans for phpMyAdmin, MySQL, FTP and Postgres services. After detecting an open port that accepts connections, it attempts to log in using a hard-coded list of credentials.

“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target,” the research team explains.

Once a target server is compromised, GoBruteforcer deploys an IRC bot containing the attacker’s URL, and it also attempts to query the victim system through a PHP web shell already deployed on the server.

“Web servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization,” the researchers said. “Malware like GoBruteforcer takes advantage of weak (or default) passwords. The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network.”
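The behaviour described above (one source sweeping a range of hosts, probing several services and retrying weak credentials) leaves a recognisable footprint in ordinary daemon logs. The following Python script is an added example, not code from the Unit 42 report or from the malware itself: it parses failed-login lines from MySQL, PostgreSQL, vsftpd and phpMyAdmin, aggregates failures per source IP, and flags a source either for brute-forcing a single service or for the "multiscan" pattern of touching two or more services. The log lines are constructed approximations of the real formats (the PostgreSQL line assumes a `log_line_prefix` that includes the client host, `%h`; the phpMyAdmin line assumes `$cfg['AuthLog']` is enabled), and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Per-service regexes for authentication failures. The formats are
# approximations of the real daemon output; adjust them to your own logs.
PATTERNS = {
    "mysql": re.compile(
        r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[\d.]+)'"),
    "postgres": re.compile(  # assumes log_line_prefix contains %h
        r"(?P<ip>\d+\.\d+\.\d+\.\d+) FATAL:\s+password authentication failed "
        r"for user \"(?P<user>[^\"]*)\""),
    "ftp": re.compile(  # vsftpd style
        r"\[(?P<user>[^\]]*)\] FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
    "phpmyadmin": re.compile(  # phpMyAdmin AuthLog via syslog
        r"user denied: (?P<user>\S+) \([^)]*\) from (?P<ip>[\d.]+)"),
}


@dataclass
class SourceStats:
    """Failed-login counters for one source IP."""
    failures: dict = field(default_factory=lambda: defaultdict(int))  # service -> count
    users: set = field(default_factory=set)  # usernames tried


def parse_line(line):
    """Return (service, source_ip, username) for a failed login, else None."""
    for service, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return service, m.group("ip"), m.group("user")
    return None


def aggregate(lines):
    """Group failed logins by source IP across all monitored services."""
    stats = defaultdict(SourceStats)
    for line in lines:
        hit = parse_line(line)
        if hit:
            service, ip, user = hit
            stats[ip].failures[service] += 1
            stats[ip].users.add(user)
    return stats


def flag_sources(stats, per_service_threshold=5, min_services=2):
    """Flag brute-force (many failures on one service) and multiscan
    (failures against several services) sources. Thresholds are assumptions."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        services = sorted(s.failures)
        if len(services) >= min_services:
            reasons.append(f"multiscan: {len(services)} services ({', '.join(services)})")
        for svc, n in s.failures.items():
            if n >= per_service_threshold:
                reasons.append(f"brute-force: {n} failures on {svc}")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log lines (not real captures). 203.0.113.5 probes all four
# services with default credentials; 192.0.2.9 hammers FTP only;
# 198.51.100.7 is a single mistyped password and should not be flagged.
SAMPLE_LOG = [
    "2023-03-13T10:00:01.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2023-03-13T10:00:01.500000Z 13 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2023-03-13 10:00:02 UTC 203.0.113.5 FATAL:  password authentication failed for user \"postgres\"",
    "Mon Mar 13 10:00:03 2023 [pid 2222] [admin] FAIL LOGIN: Client \"203.0.113.5\"",
    "Mar 13 10:00:04 web1 phpMyAdmin[3333]: user denied: root (mysql-denied) from 203.0.113.5",
    "2023-03-13 10:00:05 UTC 198.51.100.7 FATAL:  password authentication failed for user \"alice\"",
] + [
    f"Mon Mar 13 10:01:{i:02d} 2023 [pid 2300] [ftpuser] FAIL LOGIN: Client \"192.0.2.9\""
    for i in range(5)
]


if __name__ == "__main__":
    for ip, reasons in sorted(flag_sources(aggregate(SAMPLE_LOG)).items()):
        print(ip, "->", "; ".join(reasons))
```

Run against a real host, feed it the concatenated MySQL error log, PostgreSQL log, vsftpd log and syslog; the `users` set per source is also worth inspecting, since a source cycling through `root`, `admin` and `postgres` within seconds is a credential list, not a user who forgot a password.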
