• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

 | 

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Cryptomining Campaign involves Golang malware to target Linux servers

Cryptomining Campaign involves Golang malware to target Linux servers

Pierluigi Paganini July 05, 2019

Experts at F5 Networks discovered a cryptomining campaign that is delivering a new piece of the Golang malware that targets Linux-based servers.

F5 experts uncovered a cryptominer campaign that is delivering a new strain of Golang malware that targets Linux-based servers.

The campaign began around June 10 and already infected several thousand machines. The malicious code is hosted on an already compromised Chinese online store, threat actors use the service Pastebin to host the spearhead bash script.

Golang malware

“F5 researchers uncovered a cryptominer campaign delivering new Golang malware that targets Linux-based servers.” reads the analysis published by F5.

“The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), SSH credentials enumeration, Redis database passwords enumeration, and also trying to connect other machines using found SSH keys.”

Attackers leverage well-known flaws to compromise target systems, including security issues in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and the popular Drupalgeddon vulnerability (CVE-2018-7600).

Attackers also use SSH credentials enumeration, Redis database passwords enumeration, and try to connect other machines using found SSH keys.

The malware is written in the Go programming language developed by Google, earlier this year Cybaze-Yoroi ZLab experts analyzed another GoLang botnet named GoBrut.

In the attacks aimed at Redis databases, the malicious code first attempts to connect to the default port without credentials, then tries to access using seven common passwords (admin, redis, root, 123456, password, user, and test).

When attempting to access SSH ports, the malware attempts to enumerate four usernames (root, admins, user, and test) and tries each with seven passwords (admins, root, test (appears twice), user, 123456, and password).

“The final propagation method is not done by the Go binary itself but another shell script which will be discussed in the next section. The script looks for existing known hosts in the SSH directory and then tries to connect to those machines over SSH and infect them, as well. ” continues the report.

When the malware compromises a system it downloads a bash script from pastebin.com and fetches several archives, one of them contains the Go malware. Downloaded files are saved to a hidden /tmp/.mysqli directory to prevent removal and mislead users.

One of the scripts extracted from the binary attempts to disable several security controls on the infected system, including SELinux.

The threat achieves persistence through a new crontab set up to download the bash script every 15 minutes. The script sets the Go malware as a service and search for competitors’ process running from the /tmp directory and kills them.

The archives downloaded by the malware includes the main Go malware along with a Monero miner.

“The malware is mining XMR using the cryptonight algorithm and submits hashes to several public pools. At the time of this writing, this operation had earned the attacker less than $2,000 USD. However, this information is based only on the wallets our specific miners were using. It could be that the attacker has several wallets used by different parts of his botnet. ” wrote the experts.

The malicious file was downloaded over 12,000 times from Pastebin, a data that could give us an idea of the dimension of the botnet.

“It is clear that Go, although still used mostly by legitimate developers is also “Go-ing” to the dark side. Golang malware is starting to emerge on the threat landscape. Although this sample is not the most sophisticated piece of malware analyzed by F5 researchers, it has several unique qualities which make it notable.” conclude the experts.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Golang malware, cryptominer)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Golang malware Hacking hacking news information security news miner Monero Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 29, 2025
Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data
Read more
Pierluigi Paganini July 28, 2025
U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

    Hacking / July 29, 2025

    U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

    Security / July 28, 2025

    Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

    Security / July 28, 2025

    Scattered Spider targets VMware ESXi in using social engineering

    Cyber Crime / July 28, 2025

    China-linked group Fire Ant exploits VMware and F5 flaws since early 2025

    Hacking / July 28, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT