Malware

Cryptomining Campaign involves Golang malware to target Linux servers

Experts at F5 Networks discovered a cryptomining campaign that is delivering a new piece of the Golang malware that targets Linux-based servers.

F5 experts uncovered a cryptominer campaign that is delivering a new strain of Golang malware that targets Linux-based servers.

The campaign began around June 10 and already infected several thousand machines. The malicious code is hosted on an already compromised Chinese online store, threat actors use the service Pastebin to host the spearhead bash script.

“F5 researchers uncovered a cryptominer campaign delivering new Golang malware that targets Linux-based servers.” reads the analysis published by F5.

“The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), SSH credentials enumeration, Redis database passwords enumeration, and also trying to connect other machines using found SSH keys.”

Attackers leverage well-known flaws to compromise target systems, including security issues in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and the popular Drupalgeddon vulnerability (CVE-2018-7600).

Attackers also use SSH credentials enumeration, Redis database passwords enumeration, and try to connect other machines using found SSH keys.

The malware is written in the Go programming language developed by Google, earlier this year Cybaze-Yoroi ZLab experts analyzed another GoLang botnet named GoBrut.

In the attacks aimed at Redis databases, the malicious code first attempts to connect to the default port without credentials, then tries to access using seven common passwords (admin, redis, root, 123456, password, user, and test).

When attempting to access SSH ports, the malware attempts to enumerate four usernames (root, admins, user, and test) and tries each with seven passwords (admins, root, test (appears twice), user, 123456, and password).

“The final propagation method is not done by the Go binary itself but another shell script which will be discussed in the next section. The script looks for existing known hosts in the SSH directory and then tries to connect to those machines over SSH and infect them, as well. ” continues the report.

When the malware compromises a system it downloads a bash script from pastebin.com and fetches several archives, one of them contains the Go malware. Downloaded files are saved to a hidden /tmp/.mysqli directory to prevent removal and mislead users.

One of the scripts extracted from the binary attempts to disable several security controls on the infected system, including SELinux.

The threat achieves persistence through a new crontab set up to download the bash script every 15 minutes. The script sets the Go malware as a service and search for competitors’ process running from the /tmp directory and kills them.

The archives downloaded by the malware includes the main Go malware along with a Monero miner.

“The malware is mining XMR using the cryptonight algorithm and submits hashes to several public pools. At the time of this writing, this operation had earned the attacker less than $2,000 USD. However, this information is based only on the wallets our specific miners were using. It could be that the attacker has several wallets used by different parts of his botnet. ” wrote the experts.

The malicious file was downloaded over 12,000 times from Pastebin, a data that could give us an idea of the dimension of the botnet.

“It is clear that Go, although still used mostly by legitimate developers is also “Go-ing” to the dark side. Golang malware is starting to emerge on the threat landscape. Although this sample is not the most sophisticated piece of malware analyzed by F5 researchers, it has several unique qualities which make it notable.” conclude the experts.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Golang malware, cryptominer)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

3 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

14 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

18 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

24 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.