Researchers spotted that threat actors are leveraging the GoBruteforcer malware to scan for and infect servers running well-known services such as MySQL and FTP. This Go-language botnet, hosted on a legitimate site, launches an Internet Relay Chat (IRC) bot on infected servers, which contacts its operator's command-and-control (C2) server to obtain additional commands.
The malware is built for several processor architectures, including ARM, x64 and x86. It runs only under certain special conditions, such as being launched with particular arguments, and it targets devices running services protected by weak passwords. Once these conditions are met, the malware begins execution.
The GoBruteforcer operators can gain access by exploiting weak passwords.
According to the investigation, the GoBruteforcer campaign gains access to poorly secured Unix-like systems by brute-forcing weak passwords. The operation begins by identifying a potential target server that runs FTP, MySQL, phpMyAdmin, or Postgres.
In addition, the malware developers included a multiscan module in the source code so that the malware can review and find a broader set of potential target machines.
In a recent attack, the GoBruteforcer operators used a Classless Inter-Domain Routing (CIDR) block to scan the targeted network. A CIDR block is a range of IP addresses combined under a single network prefix, which gives the operators a far broader set of targets for a data breach attack.
The malware scans each host to check whether the ports of the services listed above are open, and then attempts to breach the device through brute-forcing.
Researchers explained that, after a successful intrusion, GoBruteforcer launches an IRC bot that connects to the attacker's URL. It then communicates with the command-and-control server and waits for further instructions from the operators.
The IRC bot then registers itself as a cron job on the device to establish persistence.
The malware's multiscan feature lets its operators target many devices across networks. Users should therefore change default passwords and enforce a strong password policy that includes two-factor authentication.
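One way a defender can spot the brute-force pattern described above (repeated login failures against FTP, MySQL and Postgres from a single source), as an added example that is not from the article or from the malware itself; the log lines, the failure threshold and a Postgres log prefix that records the client address are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed formats, not taken from the article):
# MySQL "Access denied", Postgres "password authentication failed" with an
# assumed log prefix carrying the client address, and vsftpd "FAIL LOGIN".
SAMPLE_LOGS = [
    "mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "mysqld: Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    'postgres: FATAL:  password authentication failed for user "postgres" from 203.0.113.7',
    'vsftpd: [anonymous] FAIL LOGIN: Client "203.0.113.7"',
    'vsftpd: [ftpuser] FAIL LOGIN: Client "203.0.113.7"',
    "mysqld: Access denied for user 'root'@'198.51.100.2' (using password: YES)",
]

# One regex per service; group 1 captures the source IP of the failed login.
PATTERNS = {
    "mysql": re.compile(r"Access denied for user '[^']*'@'([\d.]+)'"),
    "postgres": re.compile(r'password authentication failed for user "[^"]*" from ([\d.]+)'),
    "ftp": re.compile(r'FAIL LOGIN: Client "([\d.]+)"'),
}


def parse_failures(lines):
    """Return {source_ip: {service: failed_login_count}} for the given log lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for service, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                failures[match.group(1)][service] += 1
                break
    return failures


def flag_bruteforce(failures, threshold=3):
    """Flag sources whose total failures reach the threshold (assumed value).

    A source hitting several services at once matches the multiscan behaviour
    the article describes, so the services touched are reported as well.
    """
    alerts = []
    for ip, per_service in failures.items():
        total = sum(per_service.values())
        if total >= threshold:
            alerts.append({"ip": ip, "total": total, "services": sorted(per_service)})
    return sorted(alerts, key=lambda alert: alert["ip"])


if __name__ == "__main__":
    for alert in flag_bruteforce(parse_failures(SAMPLE_LOGS)):
        print(alert)
```

Feeding real MySQL, Postgres and FTP logs through this after aligning the regexes with the actual log prefixes in use gives a per-source view of failed logins across the services GoBruteforcer targets.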