Posted on March 11, 2023 at 12:00 PM
Hackers target web servers using Golang-based malware
Researchers have discovered a Golang-based malware known as GoBruteforcer. It has been observed targeting web servers running phpMyAdmin, FTP, MySQL and Postgres in order to enlist the compromised devices in a botnet.
Golang-based malware uses brute-force attacks to breach web servers
The malware was uncovered by researchers at Palo Alto Networks Unit 42. The researchers noted that the hackers behind the brute-force attacks scanned the network using a Classless Inter-Domain Routing (CIDR) block while the attack was under way.
“GoBruteforcer chose a classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range,” the researchers said.
They added that the threat actor used CIDR block scanning to reach a large number of target hosts across multiple IP addresses within a network. This approach gave the hackers far broader access than they would have had by targeting a single IP address.
GoBruteforcer is built to single out Unix-like platforms running on x86, x64 and ARM architectures. It attempts to gain access to target hosts through a brute-force attack that cycles through several credentials hard-coded in the binary.
Once the brute-force attempt succeeds, an Internet Relay Chat (IRC) bot is deployed on the victim’s server. The bot establishes communication with a server controlled by the threat actor.
The actor behind the brute-force attack also takes advantage of a PHP web shell already installed on the victim’s server, using it to reveal more details about the targeted network.
“When scanning for MySQL and Postgres services, the GoBruteforcer malware first checks whether the ports 3306 and 5432 are open. If the malware finds the ports open, then the malware tries to ping the host’s database with a certain username and password,” the researchers added.
It is also worth noting that the exact intrusion vector the threat actors used to deliver GoBruteforcer and the PHP web shell has yet to be determined. The artifacts collected by the cybersecurity company also suggest that the malware is under active development, with the operators changing their tactics to avoid detection.
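As an added defensive example (not code from the Unit 42 report or the researchers), the script below flags a source address that fails MySQL or Postgres logins against several hosts in the same /24 inside a short window, which is the trace a CIDR-wide brute-force sweep like the one described above leaves in aggregated login logs. The log format, addresses and thresholds are constructed for this example.

```python
# Added example (not from the report): flag a source brute-forcing DB logins across a CIDR block.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

DB_PORTS = {3306, 5432}  # MySQL and Postgres: the ports the malware checks first
# Constructed sample: an aggregated login-failure feed from several hosts.
SAMPLE_LOG = """\
2023-03-11T12:00:01 src=203.0.113.7 dst=10.0.0.2 dport=3306 result=fail
2023-03-11T12:00:03 src=203.0.113.7 dst=10.0.0.3 dport=3306 result=fail
2023-03-11T12:00:04 src=203.0.113.7 dst=10.0.0.4 dport=5432 result=fail
2023-03-11T12:00:10 src=203.0.113.7 dst=10.0.0.9 dport=22 result=fail
2023-03-11T12:01:00 src=192.0.2.10 dst=10.0.0.5 dport=5432 result=fail
2023-03-11T02:00:00 src=198.51.100.4 dst=10.0.0.2 dport=3306 result=fail
2023-03-11T13:00:00 src=198.51.100.4 dst=10.0.0.3 dport=3306 result=fail
2023-03-11T13:00:05 src=198.51.100.4 dst=10.0.0.4 dport=3306 result=fail
"""
LINE_RE = re.compile(r"(\S+) src=(\S+) dst=(\S+) dport=(\d+) result=(\w+)")

def parse_line(line):
    """Return (time, src, dst, port, result), or None for a malformed line."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None
    ts, src, dst, port, result = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), result

def find_cidr_sweeps(log, prefix=24, min_hosts=3, window=timedelta(minutes=5)):
    """Map src -> {network} where src failed DB logins against at least
    min_hosts distinct hosts of one /prefix network within one window."""
    hits = defaultdict(list)  # (src, network) -> [(time, dst), ...]
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src, dst, port, result = ev
        if port not in DB_PORTS or result != "fail":
            continue  # only failed logins on the DB ports count toward a sweep
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        hits[(src, net)].append((ts, dst))
    flagged = defaultdict(set)
    for (src, net), attempts in hits.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # window anchored per attempt
            targets = {d for t, d in attempts[i:] if t - start <= window}
            if len(targets) >= min_hosts:
                flagged[src].add(str(net))
                break
    return dict(flagged)
```

On the constructed feed only 203.0.113.7 is flagged: the admin retrying one host and the source whose three attempts are spread over eleven hours both stay below the threshold.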
Increased use of Golang-based malware
The researchers’ findings are another indication of how rapidly threat actors are adopting Golang to build cross-platform malware. GoBruteforcer’s multi-scan capability also lets the malware reach a wide range of targets, increasing the damage it can do to the target hosts.
Unit 42 added that threat actors have, over the years, targeted web servers because they serve as an ideal entry point for attacks. The team also warned web users against using weak passwords, which increase the likelihood of compromise.
They noted that web servers are usually a weak point for any organization. Malware such as GoBruteforcer can take advantage of weak passwords as well as default passwords. Enforcing strong passwords is therefore important for every organization, because it denies hackers this route into these systems.
The researchers also noted that GoBruteforcer has extensive capabilities that could raise the level of threat it poses. Its multiscan capability lets it target a wide range of victims, and the malware can later be used by hackers to gain entry into a network.
GoBruteforcer also appears to be under active development, so the attackers could change the techniques they use against web servers in the near future, and the number of brute-force attacks launched against victims could rise significantly. Organizations therefore need to remain vigilant and enforce strong passwords to protect their systems.
Another strategy organizations can use is deploying reliable security systems that safeguard networks and keep malicious components from accessing them.
Having the right security systems in place not only blocks possible attacks but also ensures that an organization remains proactive and that its operations are not disrupted by any attack launched against it.