A newly discovered Golang-based botnet malware scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
According to researchers with Palo Alto Networks' Unit 42, who first spotted it in the wild and dubbed it GoBruteforcer, the malware is compatible with x86, x64, and ARM architectures.
GoBruteforcer will brute force accounts with weak or default passwords to hack into vulnerable *nix devices.
"For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords)," the researchers said.
For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.
Once in, it deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on servers running other targeted services.
In the next phase of the attack, GoBruteforcer will reach out to its command-and-control server and wait for instructions that will be delivered via the previously installed IRC bot or web shell.
GoBruteforcer attack flow (Unit 42)
The botnet uses a multiscan module to find potential victims within a Classless Inter-Domain Routing (CIDR), granting it a broad selection of targets to infiltrate networks.
Before scanning for IP addresses to attack, GoBruteforcer chooses a CIDR block and will target all IP addresses within that range.
Rather than targeting a single IP, the malware uses CIDR block scanning for access to a diverse range of hosts on various IP addresses, increasing the reach of the attack.
GoBruteforcer is likely under acti ..
Support the originator by clicking the read the rest link below.
