New GoBruteforcer Malware Attacks Web Servers

GoBruteforcer attacks web servers
Written by William Reddy

A new GoBruteforcer malware has been discovered, which is written in Go and which attacks web servers running phpMyAdmin, MySQL, FTP, and Postgres.

Let me remind you that we also wrote that Botnet KmsdBot Attacks Gaming Companies and Luxury Car Manufacturers, and also that Cloud9 Botnet Attacks Chrome with Malicious Extensions.

PHP web shells were found on infected machines, which provide attackers with the ability to create reverse shells and bind shells.

Palo Alto Networks experts report that the malware is mainly focused on Unix systems and platforms with x86, x64 and ARM architectures. GoBruteforcer attempts to brute-force its targets using a list of hardcoded credentials.

Overall scheme of the attack

"GoBruteforcer selects a CIDR (Classless Inter-Domain Routing) block to scan the network during attacks and targets all IP addresses within this range. Attackers have chosen to scan CIDR blocks as a way to gain access to a wide range of target hosts on different IP addresses, instead of using a single IP address as a target," the researchers write.

Analysts believe that GoBruteforcer is still in development. The malware is packaged with UPX and has a multi-scan module that is used to detect open ports for targeted services. Once the port is identified, the malware uses the hardcoded credentials and proceeds to brute force.

Let me remind you that the media also wrote that Mining botnet Vollgar bruteforced Microsoft SQL servers for two years.

So, for phpMyAdmin, the malware looks for an open port 80, for MySQL and Postgres, ports 3306 and 5432 are checked, and then GoBruteforcer pings the host database using certain credentials. For FTP, the malware checks for open port 21 and then tries to authenticate with Goftp.
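The scanning behaviour described above (one source sweeping every address in a CIDR block and probing ports 80, 3306, 5432 and 21) leaves a recognisable trace in connection logs. The following is an added detection example, not code from the article or from Unit 42: it groups connection records by source and destination /24, and flags a source that reaches many distinct hosts in one block on the targeted ports within a short window. The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Flag a GoBruteforcer-style CIDR sweep in connection records.

Added example (not from the article or the Unit 42 report). Records are
constructed: "<unix_ts> <src_ip> <dst_ip> <dst_port>", one per line.
"""
import ipaddress
from collections import Counter, defaultdict

# Ports the article says GoBruteforcer checks, and the service each implies.
TARGETED_PORTS = {80: "phpMyAdmin/HTTP", 3306: "MySQL", 5432: "Postgres", 21: "FTP"}

# Constructed sample: 203.0.113.7 walks 192.0.2.0/24 across all four ports;
# 198.51.100.9 talks to a single host and is ordinary traffic.
SAMPLE_LOG = """\
1000 203.0.113.7 192.0.2.1 80
1001 203.0.113.7 192.0.2.2 80
1002 203.0.113.7 192.0.2.3 3306
1003 203.0.113.7 192.0.2.4 5432
1004 203.0.113.7 192.0.2.5 21
1005 203.0.113.7 192.0.2.6 80
1006 203.0.113.7 192.0.2.7 3306
1007 203.0.113.7 192.0.2.8 21
1500 198.51.100.9 192.0.2.1 443
1501 198.51.100.9 192.0.2.1 80
1502 198.51.100.9 192.0.2.1 80
"""


def parse_log(text):
    """Yield (ts, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_sweeps(log_text, prefix_len=24, window_s=300, min_hosts=5):
    """Return one alert per (source, CIDR block) whose distinct-host count on
    targeted ports reaches min_hosts inside any window_s-second window."""
    groups = defaultdict(list)
    for ts, src, dst, port in parse_log(log_text):
        if port not in TARGETED_PORTS:
            continue
        # Collapse the destination to its enclosing block (strict=False keeps host bits).
        block = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        groups[(src, str(block))].append((ts, dst, port))

    alerts = []
    for (src, block), events in groups.items():
        events.sort()
        in_window = Counter()  # distinct destination hosts in the sliding window
        left = 0
        peak_hosts = 0
        ports_hit = set()  # all targeted ports this source used against the block
        for ts, dst, port in events:
            in_window[dst] += 1
            ports_hit.add(port)
            # Drop events that fell out of the time window.
            while ts - events[left][0] > window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak_hosts = max(peak_hosts, len(in_window))
        if peak_hosts >= min_hosts:
            alerts.append({
                "src": src,
                "block": block,
                "distinct_hosts": peak_hosts,
                "services": sorted(TARGETED_PORTS[p] for p in ports_hit),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sweeps(SAMPLE_LOG):
        print(f"{alert['src']} swept {alert['block']}: "
              f"{alert['distinct_hosts']} hosts, services {alert['services']}")
```

The threshold of five distinct hosts in five minutes is a starting point, not a tuned value; on a real network, legitimate scanners and monitoring systems would need to be allow-listed, and the same grouping can be applied to firewall or NetFlow exports once they are normalised to the four-field form the parser expects.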

If the attack succeeds, an IRC bot is deployed on the compromised server, through which a connection is established with the hackers’ server. GoBruteforcer then uses the PHP web shell installed on the victim’s server to obtain more detailed information about the target network.

GoBruteforcer on a hacked server

The exact vector used to deliver both the GoBruteforcer itself and the web shell has not yet been determined. The evidence collected by the researchers suggests that GoBruteforcer operators put a lot of effort to avoid detection.

"Web servers have always been attractive targets for attackers. Weak passwords can pose serious risks, as web servers are an integral part of almost any organization. Malicious software such as GoBruteforcer exploits weak and default passwords," the experts conclude.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
