Researchers at Palo Alto Networks’s Unit 42 have discovered a new Go-based malware strain that is being used to attack web servers running phpMyAdmin, MySQL, FTP and Postgres service.
Dubbed “GoBruteforcer,” the malware uses brute-force techniques to compromise servers and ensnare them into a botnet. The malware is compatible with x86, x64, and ARM architectures.
“For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords),” according to Unit 42’s report.
The researchers were not able to identify the initial vector of the GoBruteforcer and the PHP web shell campaign. They believe that GoBruteforcer is still under active development meaning that initial infection vectors or payloads could change in the near future.
For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.
“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target,” the research ream explains.
Once the target server is compromised, GoBruteforcer deploys an IRC bot containing the attacker’s URL and attempts to query the victim system using a PHP web shell already deployed on the server.
“Web servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization,” the researchers said. “Malware like GoBruteforcer takes advantage of weak (or default) passwords. The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network.”
