
A new Golang-based malware called GoBruteforcer has been found targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to rope the devices into a botnet.
“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block to scan the network during the attack and targeted all IP addresses within that CIDR range,” Palo Alto Networks Unit 42 researchers said.
“Instead of using a single IP address as a target, attackers chose CIDR block scanning as a way to reach a wide range of target hosts on different IPs within the network.”
The malware is primarily designed to single out Unix-like platforms running x86, x64 and ARM architectures. GoBruteforcer attempts to gain access through a brute-force attack that uses a list of credentials hard-coded into the binary.
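One way to spot the behaviour described above in connection or authentication logs, as an added example that is not from the article or from Unit 42: it flags any source that tries the named services across most of a monitored CIDR block while accumulating failed logins. The event tuple format, the thresholds, the port mapping (phpMyAdmin assumed on 80/443) and the sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports for the services the article names; phpMyAdmin on 80/443 is an assumption.
SERVICE_PORTS = {21: "ftp", 3306: "mysql", 5432: "postgres", 80: "phpmyadmin", 443: "phpmyadmin"}

def find_cidr_sweeps(events, monitored_cidr, min_coverage=0.5, min_failures=3):
    """events: iterable of (src_ip, dst_ip, dst_port, auth_ok) tuples (hypothetical format).
    Flags sources that hit >= min_coverage of the block's hosts with >= min_failures failed logins."""
    hosts = set(ipaddress.ip_network(monitored_cidr).hosts())
    touched, failures = defaultdict(set), defaultdict(int)
    services, successes = defaultdict(set), defaultdict(set)
    for src, dst, port, ok in events:
        dst_ip = ipaddress.ip_address(dst)
        if port not in SERVICE_PORTS or dst_ip not in hosts:
            continue  # ignore other services and hosts outside the monitored block
        touched[src].add(dst_ip)
        services[src].add(SERVICE_PORTS[port])
        if ok:
            successes[src].add((dst, SERVICE_PORTS[port]))
        else:
            failures[src] += 1
    findings = {}
    for src, dsts in touched.items():
        coverage = len(dsts) / len(hosts)
        if coverage >= min_coverage and failures[src] >= min_failures:
            findings[src] = {
                "coverage": round(coverage, 2),
                "services": sorted(services[src]),
                "failures": failures[src],
                "successes": sorted(successes[src]),  # accounts to rotate and hosts to triage
            }
    return findings

# Constructed sample events using documentation address ranges, not real telemetry.
SAMPLE_EVENTS = (
    [("198.51.100.7", f"192.0.2.{i}", 3306, False) for i in range(1, 7)]
    + [("198.51.100.7", f"192.0.2.{i}", 21, False) for i in range(1, 5)]
    + [("198.51.100.7", "192.0.2.3", 5432, True)]
    + [("203.0.113.20", "192.0.2.2", 3306, False)] * 4  # single host: not a sweep
    + [("203.0.113.20", "192.0.2.2", 3306, True)]
)

if __name__ == "__main__":
    for src, info in find_cidr_sweeps(SAMPLE_EVENTS, "192.0.2.0/29").items():
        print(src, info)
```

A successful login recorded for a flagged source is the signal to prioritise, since it marks a host where one of the guessed credentials worked.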

If the attack is found to be successful, an Internet Relay Chat (IRC) bot is deployed on the victim’s server to establish communication with the attacker-controlled server.
GoBruteforcer also leverages a PHP web shell already installed on the victim’s server to gather details about the victim’s network.
However, the exact initial intrusion vector used to deliver both GoBruteforcer and the PHP web shell has yet to be determined. Artifacts collected by the cybersecurity firm suggest aggressive development efforts to evolve its tactics and evade detection.
The findings show that attackers are increasingly adopting Golang to develop cross-platform malware. Additionally, GoBruteforcer’s multi-scan capability allows it to compromise a wide range of targets, making it a powerful threat.
Unit 42 said: “Web servers are such an integral part of an organization that weak passwords can pose a serious threat. Malware like GoBruteforcer takes advantage of weak (or default) passwords.”