Cybaze-Yoroi ZLab analyze GoBrut: A new GoLang Botnet

Pierluigi Paganini March 01, 2019

Cybaze-Yoroi ZLab analyze a new GoLang botnet named GoBrut, the investigation allowed to discover that the bot supports a lot more features

Introduction

Malware written in Go programming language has roots almost a decade ago, few years after its first public release back in 2009: starting from InfoStealer samples discovered since 2012 and abused in cyber-criminal campaigns, to modern cyber arsenal like the Sofacy one. Times ago it was considered an exotic way to code a malware, nowadays it became something more common most of the CSIRTs encountered at least once in their lifetime.

In the last month, a particular sample circulated within InfoSec community: it was written in GoLang and showed an interesting behavior, along with unusual binary patterns, for this reason, Cybaze-Yoroi ZLab decided to deepen the investigation.

Technical Analysis

GoLang programs compilation generates binaries embedding all the required dependencies, it is one of the principal advantages of this programming language because it avoids the need of installed runtimes within the machine, like the Java Runtime or specific .NET version, simplifying the multi-platform support of the Go applications. One of the main characteristic of the Go compiled binaries is the inclusion of the “Go build ID” field into the PE header. 

Hash94e119d88ff59d33d3c6fe6c346eba274d5fcc971771ec94b86657a0c2217a2d
ThreatGoBrut
SSDeep49152:6+UqQHrw3ygz94d8zgJqatzrYY2o6Kd3xlIUyCo061UlMX:qrwnz6e8l9rUo6KdiJX

The analyzed samples contains this particular field confirming the malware has been written in Go language, despite the lack of signature match running PE identification tools.

Figure 1: Go Build ID signature

Navigating the assembly we were able to isolate some interesting chunks of code revealing the malicious capabilities of the sample. We detected an inner routine granting the infection persistence after the system reboot, by running the following batch utility script to install a self-copy into the user startup folder (“AutorunDropper” function).

@echo off
if not exist “C:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup\svchostphb.exe” copy /Y “C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostphb.exe” “C:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/svchostphb.exe”

Also, an interesting reference have been found within the RDATA section of this PE binary: a reference to a so called “TryLogin” and “StartBrut” routine, suggesting some kind of offensive capabilities, subsequently described in “The BruteForce Module” section.

Figure  2: References to source code functions in RDATA section

Another interesting finding during the static analysis of the sample is a specific url value, hardcoded into the binary itself. The remote destination points an netherland Provider, ISPIRIA Networks Ltd, hosting the command and control server of the botnet.

Figure 3: Command and Control communication routine

Dynamically running the malware, it starts a series of http requests aimed to register the bot to the discovered server. The GET request parameters contains  the “phpadmin” value in a quite interesting “worker” field, clear reference of the notorious “PhpMyAdmin” database administration tool, widely deployed across the internet and too many times unnecessarily exposed to the internet.

Figure 4: Bot’s registration on the C2

After the check-in, the bot queries a JSON object resembling a sort of bag of tasks, where the C2 instructs it to try a huge amount of logins on the retrieved web pages.

Figure 5: Response of C2 with the JSON file containing the targets

The BruteForce Module

The core of the bot is the bruteforce module: it has the task to try to login into target services using credentials retrieved from the C2 server, as described in the previous section.

Figure 6: BruteForce module function flow

The routine named “StartBrut” has the purpose to prepare the credentials retrieved from the C2, then subroutine “TryLogin” connects to the target host, tries to authenticate using provided credentials and waits for the server response. During these days the botnet was running a campaign leveraging its “phpadmin” module, resulting in attacks to thousand of PhpMyAdmin installation all over the internet.

Figure 7: Login attempts of the “phpadmin” module

At this point, we decided to collect the list of targets under the botnet attack and, at time of writing, we identified 40k unique destinations potentially under attack. The distribution of the Top Level Domains shows half of the targets are the “.com” and “.org” ones, surprisingly followed the by Russian TLD, and other Eastern Europe targets. Central and Southern Europe seems are targeted too but with in a lower portion, currently.

Figure 8 : Distribution of TLD

The “.it” domains in the botnet targets list are about 400, including professional forum such as “avvocati[.it”, e-commerce portals, company websites and also banks such as “bancamacerata[.it”. A wide spectrum of organization, the full list is available in the section “Italian Targets”.

Investigating the Botnet

Digging further into the investigations, we found out this new GoLang bot supports a lot more features, not only for “PhpMyAdmin” one. In fact, we discovered the bot supports 23 functionalities able to target a range of technologies from administrative protocols to CMSes, for instance it is capable to attack SSH logins, FTP sites, exposed MySql service and the two most used CMSes, WordPress and Joomla. Here the list of discovered functionalities:

  • bitrixBrt
  • bitrixChk
  • cp_b
  • cp_chk
  • drupalBrt
  • drupalChk
  • ftp_b
  • ftpChk
  • joomlaBrt
  • joomlaChk
  • magentoBrt
  • magentoChk
  • mysql_b
  • OCartBrt
  • OCartChk
  • php_b
  • php_chk
  • postgres_b
  • ssh_b
  • whm_b
  • whm_chk
  • wpBrt
  • wpChk

The attack campaigns are pretty dynamic and may change quickly over the time, further analysis pointet to a specific command and control API where the botnet master enables or disables running offensive operation through the “/project/active” server location. Thus, the bots is instructed of which are the current active campaigns and technologies to be targeted.

In the end, a recent article by Jérôme Segura reports a piece of the puzzle to complete the plot of this new “GoBot” threat, describing how the bot has been linked to a JavaScript skimmer installation campaign afflicted several web portals in the wild. The piece of javascript code embedded after the abusive access was able to steal sensitive information such as credentials and credit card numbers (PAN), to every user visiting the compromised site. This attack techniques is extremely dangerous and lead to massive data leak for organizations, as observed back in 2018, when the MageCart group hacked the British Airways infrastructure to install JavaScript skimmers.

Conclusion

The usage of emergent, uncommon, languages and technologies for malware writing is a weapon can be leverage by the attackers to defeat traditional anti-virus based security controls: compilation patterns and artifacts may evade static signature and general heuristics detection. For this reason the security perimeter must include appropriate analysis capabilities to detect and handle this kind of threats.

Also, this new “GoBrut” botnet provides a precious insight of the kind of threat insecure logins and unnecessary exposure are subject to. Showing how cyber-crime actors are able to run wide international criminal operations aimed to opportunistically penetrate organizations, to abuse its infrastructure and steal users logins and sensitive data.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/gobrut-a-new-golang-botnet/

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – GoBrut, GoLang)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment