A new malware family, GoBruteforcer, has been discovered: it is written in Go and attacks web servers running phpMyAdmin, MySQL, FTP, and Postgres.
Let me remind you that we also wrote that Botnet KmsdBot Attacks Gaming Companies and Luxury Car Manufacturers, and that Cloud9 Botnet Attacks Chrome with Malicious Extensions.
PHP web shells were found on infected machines; they give attackers the ability to create reverse shells and bind shells.
Palo Alto Networks experts report that the malware is mainly focused on Unix systems and on platforms with x86, x64 and ARM architectures. GoBruteforcer attempts to brute-force its targets using a list of hardcoded credentials.
Overall scheme of the attack
Analysts believe that GoBruteforcer is still in development. The malware is packed with UPX and has a multi-scan module that is used to detect open ports for the targeted services. Once a port is identified, the malware uses the hardcoded credentials and proceeds to brute-force the service.
Let me remind you that the media also wrote that Mining botnet Vollgar bruteforced Microsoft SQL servers for two years.
So, for phpMyAdmin the malware looks for an open port 80; for MySQL and Postgres, ports 3306 and 5432 are checked, and GoBruteforcer then tries to log in to the host database with those credentials. For FTP, the malware checks for an open port 21 and then tries to authenticate using Goftp.
If the attack succeeds, an IRC bot is deployed on the compromised server, through which a connection is established with the hackers' server. GoBruteforcer then uses the PHP web shell installed on the victim's server to obtain more detailed information about the target network.
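The scan-then-brute-force sequence described above lends itself to a simple detection rule. The following is an added example (not code from the article or from the Palo Alto Networks research): it scores each source in a constructed, normalised connection/authentication log for either a sweep of the four targeted ports across several hosts or a burst of failed logins on them. The log format, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict

# Ports the article says GoBruteforcer probes before brute-forcing, with the
# service the malware associates with each (80 is treated as phpMyAdmin).
TARGET_PORTS = {21: "ftp", 80: "phpmyadmin", 3306: "mysql", 5432: "postgres"}

# Constructed, normalised log lines in a hypothetical format (not a real product's):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <CONNECT|AUTH_FAIL>"
SAMPLE_LOG = """\
2023-03-10T10:00:01 203.0.113.7 192.0.2.10 3306 CONNECT
2023-03-10T10:00:01 203.0.113.7 192.0.2.11 3306 CONNECT
2023-03-10T10:00:02 203.0.113.7 192.0.2.12 5432 CONNECT
2023-03-10T10:00:02 203.0.113.7 192.0.2.13 21 CONNECT
2023-03-10T10:00:03 203.0.113.7 192.0.2.10 3306 AUTH_FAIL
2023-03-10T10:00:03 203.0.113.7 192.0.2.10 3306 AUTH_FAIL
2023-03-10T10:00:04 203.0.113.7 192.0.2.10 3306 AUTH_FAIL
2023-03-10T10:00:04 203.0.113.7 192.0.2.12 5432 AUTH_FAIL
2023-03-10T10:00:05 203.0.113.7 192.0.2.13 21 AUTH_FAIL
2023-03-10T10:00:10 198.51.100.4 192.0.2.10 443 CONNECT
2023-03-10T10:00:11 198.51.100.4 192.0.2.10 3306 AUTH_FAIL
""".splitlines()

def parse_line(line):
    """Split one record into its fields; the port becomes an int."""
    ts, src, dst, port, event = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "event": event}

def suspicious_sources(lines, min_hosts=3, min_failures=5):
    """Flag a source that either sweeps >= min_hosts distinct hosts on the
    targeted ports or racks up >= min_failures failed logins there (or both)."""
    hosts = defaultdict(set)      # src -> distinct destination hosts probed
    services = defaultdict(set)   # src -> service names touched
    failures = defaultdict(int)   # src -> failed logins on targeted ports
    for line in lines:
        r = parse_line(line)
        if r["port"] not in TARGET_PORTS:
            continue              # other ports are outside this rule's scope
        services[r["src"]].add(TARGET_PORTS[r["port"]])
        if r["event"] == "CONNECT":
            hosts[r["src"]].add(r["dst"])
        elif r["event"] == "AUTH_FAIL":
            failures[r["src"]] += 1
    flagged = {}
    for src in services:
        sweep, brute = len(hosts[src]) >= min_hosts, failures[src] >= min_failures
        if sweep or brute:
            flagged[src] = {"hosts_probed": len(hosts[src]), "auth_failures": failures[src],
                            "services": sorted(services[src]), "sweep": sweep, "bruteforce": brute}
    return flagged
```

In the constructed sample only 203.0.113.7 is flagged (four hosts swept, five failed logins across MySQL, Postgres and FTP); the single failed login from 198.51.100.4 stays below both thresholds.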
GoBruteforcer on a hacked server
The exact vector used to deliver both GoBruteforcer itself and the web shell has not yet been determined. The evidence collected by the researchers suggests that the GoBruteforcer operators put a lot of effort into avoiding detection.