Palo Alto’s Unit 42 discovers new GoBruteforcer malware
Palo Alto Networks’ Unit 42 researchers have discovered GoBruteforcer, a new Golang-based botnet malware that seeks out and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
According to the researchers: “For a successful execution, the samples require special conditions in the victim’s system, such as specific arguments being used and targeted services already installed (with weak passwords).”
The malware begins scanning for phpMyAdmin, MySQL, FTP, and Postgres services for each targeted IP address. It will attempt to log in using hard-coded credentials after detecting an open port accepting connections.
When it gains access, it installs an IRC bot on compromised phpMyAdmin systems or a PHP web shell on servers hosting other targeted services. GoBruteforcer will then connect to its command-and-control server and wait for instructions to be delivered via the previously installed IRC bot or web shell.
GoBruteforcer, which appears to be still in development, is packed with UPX and includes a multi-scan module for identifying open ports for the targeted services. Once a port is identified, it brute-forces the server using hard-coded credentials. It scans for an open port 80 for phpMyAdmin services before attempting to deploy the IRC bot for communication.
For MySQL and Postgres services, the malware checks for open ports 3306 and 5432, then pings the host’s database using specific credentials. For FTP services, it checks for open port 21, and then attempts to authenticate using the Goftp library. The GoBruteforcer samples are packed with UPX Packer; one unpacked sample has the SHA256 ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84. Besides this, GoBruteforcer has a multiscan module it uses to scan for hosts inside a CIDR range for its attack.
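The behaviour described above, one source probing ports 80, 3306, 5432 and 21 and then trying hard-coded credentials against each service, leaves a recognisable trace in authentication logs: a burst of failed logins from a single IP across several services within seconds. The following detector is an added example written for this article, not code from Unit 42 or from the malware. It runs over constructed sample log lines; the log field layout and the regular expressions are assumptions for the example, not any product's exact log format, and should be adapted to the real MySQL, PostgreSQL and FTP daemon logs on your hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says GoBruteforcer probes before brute-forcing each service.
SERVICE_PORTS = {"phpmyadmin": 80, "mysql": 3306, "postgres": 5432, "ftp": 21}

# Constructed sample log lines (not from the page). Layout assumed for this
# example: "<ISO timestamp> <service> <message>".
SAMPLE_LOGS = """\
2023-03-10T12:00:01 mysql Access denied for user 'root'@'203.0.113.7' (using password: YES)
2023-03-10T12:00:02 mysql Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2023-03-10T12:00:03 postgres FATAL: password authentication failed for user "postgres" host=203.0.113.7
2023-03-10T12:00:04 ftp FAIL LOGIN: Client "203.0.113.7"
2023-03-10T12:00:05 ftp FAIL LOGIN: Client "203.0.113.7"
2023-03-10T12:00:06 mysql Access denied for user 'root'@'203.0.113.7' (using password: YES)
2023-03-10T12:03:00 postgres FATAL: password authentication failed for user "app" host=198.51.100.9
2023-03-10T13:00:00 mysql Access denied for user 'root'@'198.51.100.9' (using password: YES)
"""

# Assumed message patterns for the constructed lines above; adjust for real logs.
PATTERNS = {
    "mysql": re.compile(r"mysql Access denied for user '(?P<user>[^']+)'@'(?P<ip>[\d.]+)'"),
    "postgres": re.compile(
        r'postgres FATAL: password authentication failed for user "(?P<user>[^"]+)" host=(?P<ip>[\d.]+)'
    ),
    "ftp": re.compile(r'ftp FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
}


def parse_line(line):
    """Return (timestamp, service, source_ip, user) for a failed-login line, else None."""
    parts = line.split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    for service, pat in PATTERNS.items():
        m = pat.search(parts[1])
        if m:
            # FTP lines carry no username, so user is None there.
            return ts, service, m.group("ip"), m.groupdict().get("user")
    return None


def find_bruteforce_sources(lines, window=timedelta(minutes=2), min_failures=3, min_services=2):
    """Group failed logins by source IP and flag IPs that fail against several
    services inside a short window: the multi-service pattern the article describes."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, service, ip, user = parsed
            events[ip].append((ts, service, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # Slide a window starting at each event; flag on the first window that qualifies.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            services = {e[1] for e in in_window}
            if len(in_window) >= min_failures and len(services) >= min_services:
                flagged[ip] = {
                    "failures": len(in_window),
                    "services": sorted(services),
                    "ports": sorted(SERVICE_PORTS[s] for s in services),
                    "users": sorted({e[2] for e in in_window if e[2]}),
                    "first_seen": in_window[0][0].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOGS.splitlines()).items():
        print(ip, info)
```

On the constructed sample, 203.0.113.7 is flagged (six failures against MySQL, Postgres and FTP within five seconds), while 198.51.100.9, with two isolated failures an hour apart, is not. The cross-service requirement is what separates a scanner of this kind from a single user mistyping one database password; tune `window` and the thresholds to your own baseline of legitimate failures.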
“We’ve seen this malware remotely deploy a variety of different types of malware as payloads, including coinminers. We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future,” said researchers.
The GoBruteforcer samples observed mainly targeted Unix-like (*nix) platforms, with versions for x86, x64 and ARM architectures. It seems likely that this is the platform of choice because *nix operating systems are a popular choice for hosting servers. It is believed that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future.
The sources for this piece include an article in BleepingComputer.