• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 

LameHug: first AI-Powered malware linked to Russia’s APT28

 | 

5 Features Every AI-Powered SOC Platform Needs in 2025

 | 

Broadcom patches critical VMware flaws exploited at Pwn2Own Berlin 2025

 | 

Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen

 | 

United Natural Foods Expects $400M revenue impact from June cyber attack

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Malware
  • Cybaze-Yoroi ZLab analyze GoBrut: A new GoLang Botnet

Cybaze-Yoroi ZLab analyze GoBrut: A new GoLang Botnet

Pierluigi Paganini March 01, 2019

Cybaze-Yoroi ZLab analyze a new GoLang botnet named GoBrut, the investigation allowed to discover that the bot supports a lot more features

Introduction

Malware written in Go programming language has roots almost a decade ago, few years after its first public release back in 2009: starting from InfoStealer samples discovered since 2012 and abused in cyber-criminal campaigns, to modern cyber arsenal like the Sofacy one. Times ago it was considered an exotic way to code a malware, nowadays it became something more common most of the CSIRTs encountered at least once in their lifetime.

In the last month, a particular sample circulated within InfoSec community: it was written in GoLang and showed an interesting behavior, along with unusual binary patterns, for this reason, Cybaze-Yoroi ZLab decided to deepen the investigation.

Technical Analysis

GoLang programs compilation generates binaries embedding all the required dependencies, it is one of the principal advantages of this programming language because it avoids the need of installed runtimes within the machine, like the Java Runtime or specific .NET version, simplifying the multi-platform support of the Go applications. One of the main characteristic of the Go compiled binaries is the inclusion of the “Go build ID” field into the PE header. 

Hash94e119d88ff59d33d3c6fe6c346eba274d5fcc971771ec94b86657a0c2217a2d
ThreatGoBrut
SSDeep49152:6+UqQHrw3ygz94d8zgJqatzrYY2o6Kd3xlIUyCo061UlMX:qrwnz6e8l9rUo6KdiJX

The analyzed samples contains this particular field confirming the malware has been written in Go language, despite the lack of signature match running PE identification tools.

Figure 1: Go Build ID signature

Navigating the assembly we were able to isolate some interesting chunks of code revealing the malicious capabilities of the sample. We detected an inner routine granting the infection persistence after the system reboot, by running the following batch utility script to install a self-copy into the user startup folder (“AutorunDropper” function).

@echo off
if not exist “C:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup\svchostphb.exe” copy /Y “C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostphb.exe” “C:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/svchostphb.exe”

Also, an interesting reference have been found within the RDATA section of this PE binary: a reference to a so called “TryLogin” and “StartBrut” routine, suggesting some kind of offensive capabilities, subsequently described in “The BruteForce Module” section.

Figure  2: References to source code functions in RDATA section

Another interesting finding during the static analysis of the sample is a specific url value, hardcoded into the binary itself. The remote destination points an netherland Provider, ISPIRIA Networks Ltd, hosting the command and control server of the botnet.

Figure 3: Command and Control communication routine

Dynamically running the malware, it starts a series of http requests aimed to register the bot to the discovered server. The GET request parameters contains  the “phpadmin” value in a quite interesting “worker” field, clear reference of the notorious “PhpMyAdmin” database administration tool, widely deployed across the internet and too many times unnecessarily exposed to the internet.

Figure 4: Bot’s registration on the C2

After the check-in, the bot queries a JSON object resembling a sort of bag of tasks, where the C2 instructs it to try a huge amount of logins on the retrieved web pages.

Figure 5: Response of C2 with the JSON file containing the targets

The BruteForce Module

The core of the bot is the bruteforce module: it has the task to try to login into target services using credentials retrieved from the C2 server, as described in the previous section.

Figure 6: BruteForce module function flow

The routine named “StartBrut” has the purpose to prepare the credentials retrieved from the C2, then subroutine “TryLogin” connects to the target host, tries to authenticate using provided credentials and waits for the server response. During these days the botnet was running a campaign leveraging its “phpadmin” module, resulting in attacks to thousand of PhpMyAdmin installation all over the internet.

Figure 7: Login attempts of the “phpadmin” module

At this point, we decided to collect the list of targets under the botnet attack and, at time of writing, we identified 40k unique destinations potentially under attack. The distribution of the Top Level Domains shows half of the targets are the “.com” and “.org” ones, surprisingly followed the by Russian TLD, and other Eastern Europe targets. Central and Southern Europe seems are targeted too but with in a lower portion, currently.

Figure 8 : Distribution of TLD

The “.it” domains in the botnet targets list are about 400, including professional forum such as “avvocati[.it”, e-commerce portals, company websites and also banks such as “bancamacerata[.it”. A wide spectrum of organization, the full list is available in the section “Italian Targets”.

Investigating the Botnet

Digging further into the investigations, we found out this new GoLang bot supports a lot more features, not only for “PhpMyAdmin” one. In fact, we discovered the bot supports 23 functionalities able to target a range of technologies from administrative protocols to CMSes, for instance it is capable to attack SSH logins, FTP sites, exposed MySql service and the two most used CMSes, WordPress and Joomla. Here the list of discovered functionalities:

  • bitrixBrt
  • bitrixChk
  • cp_b
  • cp_chk
  • drupalBrt
  • drupalChk
  • ftp_b
  • ftpChk
  • joomlaBrt
  • joomlaChk
  • magentoBrt
  • magentoChk
  • mysql_b
  • OCartBrt
  • OCartChk
  • php_b
  • php_chk
  • postgres_b
  • ssh_b
  • whm_b
  • whm_chk
  • wpBrt
  • wpChk

The attack campaigns are pretty dynamic and may change quickly over the time, further analysis pointet to a specific command and control API where the botnet master enables or disables running offensive operation through the “/project/active” server location. Thus, the bots is instructed of which are the current active campaigns and technologies to be targeted.

In the end, a recent article by Jérôme Segura reports a piece of the puzzle to complete the plot of this new “GoBot” threat, describing how the bot has been linked to a JavaScript skimmer installation campaign afflicted several web portals in the wild. The piece of javascript code embedded after the abusive access was able to steal sensitive information such as credentials and credit card numbers (PAN), to every user visiting the compromised site. This attack techniques is extremely dangerous and lead to massive data leak for organizations, as observed back in 2018, when the MageCart group hacked the British Airways infrastructure to install JavaScript skimmers.

Conclusion

The usage of emergent, uncommon, languages and technologies for malware writing is a weapon can be leverage by the attackers to defeat traditional anti-virus based security controls: compilation patterns and artifacts may evade static signature and general heuristics detection. For this reason the security perimeter must include appropriate analysis capabilities to detect and handle this kind of threats.

Also, this new “GoBrut” botnet provides a precious insight of the kind of threat insecure logins and unnecessary exposure are subject to. Showing how cyber-crime actors are able to run wide international criminal operations aimed to opportunistically penetrate organizations, to abuse its infrastructure and steal users logins and sensitive data.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/gobrut-a-new-golang-botnet/

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – GoBrut, GoLang)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

golang Hacking Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini July 22, 2025
SharePoint under fire: new ToolShell attacks target enterprises
Read more
Pierluigi Paganini July 22, 2025
CrushFTP zero-day actively exploited at least since July 18
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SharePoint under fire: new ToolShell attacks target enterprises

    Hacking / July 22, 2025

    CrushFTP zero-day actively exploited at least since July 18

    Hacking / July 22, 2025

    Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

    Security / July 22, 2025

    MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

    APT / July 21, 2025

    U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

    Hacking / July 21, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT