Stealthworker botnet targets Windows and Linux servers

Researchers uncovered a malware campaign that is targeting Windows and Linux servers with a Golang-based malicious code called Stealthworker.

Akamai researchers uncovered a malware campaign spreading a Golang-based malicious code tracked as Stealthworker. The malware targets Windows and Linux servers running popular web services and platforms including (i.e. cPanel / WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Brixt, SSH, and FTP).

Operators behind the Stealthworker malware use the infected hosts to launch brute force attacks against other systems.

Akamai security researcher Larry Cashdollar discovered the campaign after his honeypot was hit by the malware.

The Stealthworker attackers carry out distributed brute-force attacks against machines exposed online. Each attackers’ infected system performs a limited number of login attempts to bypass limits on the number of login attempts.

Once the malicious code has guessed the admin password, Stealthworker installs and deletes various components.

“Examining the honeypot logs, I determined the attackers had installed the Alternate Lite WordPress theme on the system, and a new binary process was running as the www-user. In addition, there was now a good deal of traffic between my honeypot and the internet.” wrote Larry Cashdollar.

“It isn’t clear if this theme is essential for Stealthworker operations.”

For WordPress installs, the researchers noticed that attackers were installing the WordPress Alternate-Lite theme that contained a PHP file modified to deliver the final malware.

“Once the sequence is complete, the C2 sends the infected system a JSON encoded file that contains a list of targets and logins to attempt. If the infected system is scanning targets, it is assigned the role of wpChk, and will attempt to determine if the target is running WordPress. If the infected system is assigned the wpBrt role, it attempts to brute force the login and compromise the assigned target.” continues the expert.

Experts noticed that even after cleaning a compromised system, the botnet would reinfect it within minutes, the only way to lock out attackers is to wipe the malware and change that passwords.

All the passwords collected from the compromised machines are added into the list of logins that the Stealthworker operators use to compromise other machines.

In order to neutralize this threat, Akamai recommends that admins use strong passwords.

“The malware’s goal is to bypass basic protective measures that  block login attempts after a set number of failures form a single source. Moreover, brute force attacks are resource intensive and noisy.” concludes the report. “By sharing the workload across multiple compromised hosts, the attackers are hoping to gain an advantage and continue to increase their number of compromised platforms.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Stealthworker, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]