New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP, Postgres

A recently discovered Golang-based botnet malware seeks out and infects web servers running phpMyAdmin, MySQL, FTP and Postgres services.

According to researchers at Palo Alto Networks Unit 42, who first detected it and named it GoBruteforcer, the malware is compatible with x86, x64, and ARM architectures.

GoBruteforcer will bruteforce accounts with weak or default passwords to hack vulnerable *nix devices.

“For successful execution, the samples require special conditions on the victim’s system, such as the use of specific arguments and the installation of specific services (with weak passwords),” the researchers said.

For each targeted IP address, the malware starts looking for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port that is accepting connections, it will try to log in with encrypted credentials.

Once inside, it deploys an IRC bot to compromised phpMyAdmin systems or a PHP web shell to servers running other specific services.

In the next phase of the attack, GoBruteforcer will communicate with your command and control server and wait for instructions to be delivered via the previously installed IRC bot or web shell.

Gobruteforcer attack flow
GoBruteforcer Attack Flow (Unit 42)

The botnet uses a multi-scanning module to find potential victims within classless inter-domain routing (CIDR), giving it a wide selection of targets to infiltrate networks.

Before scanning for IP addresses to attack, GoBruteforcer chooses a CIDR block and will target all IP addresses within that range.

Instead of targeting a single IP, the malware uses CIDR block scanning to access a wide range of hosts on multiple IP addresses, increasing the scope of the attack.

GoBruteforcer is likely in active development, and its operators are expected to adapt their tactics and malware capabilities to target web servers and stay ahead of security defenses.

“We have seen this malware remotely deploy a variety of different types of malware as payloads, including coin miners,” Unit42 added.

“We believe that GoBruteforcer is in active development and as such things like initial infection vectors or payloads could change in the near future.”

Source link

James D. Brown
James D. Brown
Articles: 9347