13 March 2023

New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP and Postgres servers

Researchers at Palo Alto Networks’s Unit 42 have discovered a new Go-based malware strain that is being used to attack web servers running phpMyAdmin, MySQL, FTP and Postgres services.

Dubbed “GoBruteforcer,” the malware uses brute-force techniques to compromise servers and ensnare them into a botnet. The malware is compatible with x86, x64, and ARM architectures.

“For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords),” according to Unit 42’s report.

The researchers were not able to identify the initial vector of the GoBruteforcer and PHP web shell campaign. They believe that GoBruteforcer is still under active development, meaning that initial infection vectors or payloads could change in the near future.

For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.

“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target,” the research team explains.
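A defender-side counterpart to the multiscan behaviour described above, added here as an example and not taken from Unit 42’s report or from the malware itself: it parses constructed failed-login lines from PostgreSQL, MySQL, vsftpd and an HTTP-auth-protected phpMyAdmin, and flags any source IP whose failures span several of those services, which is the pattern a single bot trying hard-coded credentials against every service on a host leaves behind. It assumes PostgreSQL’s log_line_prefix includes the client host (%h); the log formats and IPs are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). One source, 203.0.113.7,
# fails against all four services; 198.51.100.9 fails once against one.
SAMPLE_LOGS = """\
2023-03-13 10:00:01 UTC 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2023-03-13T10:00:02.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
Mon Mar 13 10:00:03 2023 [pid 4321] [admin] FAIL LOGIN: Client "203.0.113.7"
203.0.113.7 - - [13/Mar/2023:10:00:04 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 401 512
2023-03-13 10:05:00 UTC 198.51.100.9 FATAL:  password authentication failed for user "app"
"""

# One pattern per service; each captures the client IP as group "ip".
# The PostgreSQL form assumes log_line_prefix contains %h (assumption).
# The phpMyAdmin form assumes the web server returns 401 for failed HTTP auth.
PATTERNS = {
    "postgres": re.compile(r"(?P<ip>\d+\.\d+\.\d+\.\d+) FATAL:\s+password authentication failed"),
    "mysql": re.compile(r"Access denied for user '[^']*'@'(?P<ip>\d+\.\d+\.\d+\.\d+)'"),
    "ftp": re.compile(r'FAIL LOGIN: Client "(?P<ip>\d+\.\d+\.\d+\.\d+)"'),
    "phpmyadmin": re.compile(
        r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "POST /phpmyadmin/\S* [^"]*" 401 '
    ),
}


def parse_failures(log_text):
    """Map each source IP to {service: failed_login_count} across all lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                failures[match.group("ip")][service] += 1
                break  # one service per line
    return failures


def flag_multiservice_bruteforce(failures, min_services=2):
    """Return IPs whose failures span at least min_services distinct services.

    A mistyped password hits one service; a multiscan bruteforcer hits several
    from the same source, so service diversity is the signal, not raw volume.
    """
    return sorted(ip for ip, per_service in failures.items()
                  if len(per_service) >= min_services)


if __name__ == "__main__":
    hits = parse_failures(SAMPLE_LOGS)
    for ip in flag_multiservice_bruteforce(hits):
        print(ip, dict(hits[ip]))
```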

Once the target server is compromised, GoBruteforcer deploys an IRC bot containing the attacker’s URL and attempts to query the victim system using a PHP web shell already deployed on the server.

“Web servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization,” the researchers said. “Malware like GoBruteforcer takes advantage of weak (or default) passwords. The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network.”
