13 March 2023

New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP and Postgres servers



Researchers at Palo Alto Networks’ Unit 42 have discovered a new Go-based malware strain that is being used to attack web servers running phpMyAdmin, MySQL, FTP and Postgres services.

Dubbed “GoBruteforcer,” the malware uses brute-force techniques to compromise servers and ensnare them into a botnet. The malware is compatible with x86, x64, and ARM architectures.

“For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords),” according to Unit 42’s report.

The researchers were not able to identify the initial vector of the GoBruteforcer and the PHP web shell campaign. They believe that GoBruteforcer is still under active development, meaning that initial infection vectors or payloads could change in the near future.

For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.

“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target,” the research team explains.

Once the target server is compromised, GoBruteforcer deploys an IRC bot containing the attacker’s URL and attempts to query the victim system using a PHP web shell already deployed on the server.

“Web servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization,” the researchers said. “Malware like GoBruteforcer takes advantage of weak (or default) passwords. The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network.”
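The scanning behaviour described above, one source trying logins against phpMyAdmin, MySQL, FTP and Postgres across the addresses of a CIDR block, leaves a recognisable pattern in authentication logs. The following Python detection is an added example, not code from Unit 42's report; the normalized event tuple, the thresholds, the function name and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_SERVICES = {"phpmyadmin", "mysql", "ftp", "postgres"}

# Constructed sample events in an assumed normalized schema:
# (timestamp, source IP, destination IP, service, outcome). Documentation IP ranges only.
EVENTS = [
    ("2023-03-13T10:00:01", "203.0.113.50", "192.0.2.10", "ftp", "fail"),
    ("2023-03-13T10:00:02", "203.0.113.50", "192.0.2.10", "mysql", "fail"),
    ("2023-03-13T10:00:05", "203.0.113.50", "192.0.2.11", "ftp", "fail"),
    ("2023-03-13T10:00:06", "203.0.113.50", "192.0.2.11", "postgres", "fail"),
    ("2023-03-13T10:00:09", "203.0.113.50", "192.0.2.12", "phpmyadmin", "fail"),
    ("2023-03-13T10:00:10", "203.0.113.50", "192.0.2.12", "mysql", "fail"),
    ("2023-03-13T10:00:12", "203.0.113.50", "192.0.2.12", "mysql", "ok"),
    ("2023-03-13T10:01:00", "198.51.100.7", "192.0.2.10", "mysql", "fail"),  # user typo
    ("2023-03-13T10:01:20", "198.51.100.7", "192.0.2.10", "mysql", "ok"),
]

def find_multiservice_bruteforce(events, prefix=24, window=timedelta(minutes=10),
                                 min_failures=6, min_hosts=3, min_services=2):
    """Flag sources whose failed logins in one window span several hosts and services of one CIDR block."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, src, dst, service, outcome in events:
        if service not in TARGET_SERVICES:
            continue
        block = str(ipaddress.ip_network(f"{dst}/{prefix}", strict=False))
        if outcome == "fail":
            fails[(src, block)].append((datetime.fromisoformat(ts), dst, service))
        else:
            wins[(src, block)].add((dst, service))
    alerts = {}
    for key, hits in fails.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window
                start += 1
            span = hits[start:end + 1]
            hosts = {h for _, h, _ in span}
            services = {s for _, _, s in span}
            if (len(span) >= min_failures and len(hosts) >= min_hosts
                    and len(services) >= min_services):
                # Any accepted login from a flagged source is a likely weak-password hit.
                alerts[key] = {"failures": len(span), "hosts": sorted(hosts),
                               "services": sorted(services), "succeeded": sorted(wins[key])}
                break
    return alerts
```

A non-empty `succeeded` list marks hosts where a flagged source was eventually let in, which is where credential rotation and a search for dropped web shells should start.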
