430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Cryptomining Campaign involves Golang malware to target Linux servers

Experts at F5 Networks discovered a cryptomining campaign that is delivering a new piece of the Golang malware that targets Linux-based servers. F5 experts uncovered a cryptominer campaign that is delivering a new strain of Golang malware that targets Linux-based servers. The campaign began around June 10 and already infected several thousand machines. The malicious […]

Golang malware

Experts at F5 Networks discovered a cryptomining campaign that is delivering a new piece of the Golang malware that targets Linux-based servers.

F5 experts uncovered a cryptominer campaign that is delivering a new strain of Golang malware that targets Linux-based servers.

The campaign began around June 10 and already infected several thousand machines. The malicious code is hosted on an already compromised Chinese online store, threat actors use the service Pastebin to host the spearhead bash script.

Golang malware

“F5 researchers uncovered a cryptominer campaign delivering new Golang malware that targets Linux-based servers.” reads the analysis published by F5.

“The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), SSH credentials enumeration, Redis database passwords enumeration, and also trying to connect other machines using found SSH keys.”

Attackers leverage well-known flaws to compromise target systems, including security issues in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and the popular Drupalgeddon vulnerability (CVE-2018-7600).

Attackers also use SSH credentials enumeration, Redis database passwords enumeration, and try to connect other machines using found SSH keys.

The malware is written in the Go programming language developed by Google, earlier this year Cybaze-Yoroi ZLab experts analyzed another GoLang botnet named GoBrut.

In the attacks aimed at Redis databases, the malicious code first attempts to connect to the default port without credentials, then tries to access using seven common passwords (admin, redis, root, 123456, password, user, and test).

When attempting to access SSH ports, the malware attempts to enumerate four usernames (root, admins, user, and test) and tries each with seven passwords (admins, root, test (appears twice), user, 123456, and password).

“The final propagation method is not done by the Go binary itself but another shell script which will be discussed in the next section. The script looks for existing known hosts in the SSH directory and then tries to connect to those machines over SSH and infect them, as well. ” continues the report.

When the malware compromises a system it downloads a bash script from pastebin.com and fetches several archives, one of them contains the Go malware. Downloaded files are saved to a hidden /tmp/.mysqli directory to prevent removal and mislead users.

One of the scripts extracted from the binary attempts to disable several security controls on the infected system, including SELinux.

The threat achieves persistence through a new crontab set up to download the bash script every 15 minutes. The script sets the Go malware as a service and search for competitors’ process running from the /tmp directory and kills them.

The archives downloaded by the malware includes the main Go malware along with a Monero miner.

“The malware is mining XMR using the cryptonight algorithm and submits hashes to several public pools. At the time of this writing, this operation had earned the attacker less than $2,000 USD. However, this information is based only on the wallets our specific miners were using. It could be that the attacker has several wallets used by different parts of his botnet. ” wrote the experts.

The malicious file was downloaded over 12,000 times from Pastebin, a data that could give us an idea of the dimension of the botnet.

“It is clear that Go, although still used mostly by legitimate developers is also “Go-ing” to the dark side. Golang malware is starting to emerge on the threat landscape. Although this sample is not the most sophisticated piece of malware analyzed by F5 researchers, it has several unique qualities which make it notable.” conclude the experts.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Golang malware, cryptominer)

[adrotate banner=”5″]

[adrotate banner=”13″]