GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks

Mar 14, 2023 | Ravie Lakshmanan | Network Security / Botnet

A new Golang-based malware dubbed GoBruteforcer
has been found targeting web servers running phpMyAdmin, MySQL,
FTP, and Postgres to corral the devices into a botnet.

“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR[1]) block for scanning the
network during the attack, and it targeted all IP addresses within
that CIDR range,” Palo Alto Networks Unit 42 researchers said[2].

“The threat actor chose CIDR block scanning as a way to get
access to a wide range of target hosts on different IPs within a
network instead of using a single IP address as a target.”

The malware is mainly designed to single out Unix-like platforms
running x86, x64 and ARM architectures, with GoBruteforcer
attempting to obtain access via a brute-force attack using a list
of credentials hard-coded into the binary.

If the attack proves to be successful, an internet relay chat
(IRC[3]) bot is deployed on the
victim server to establish communications with an actor-controlled
server.

GoBruteforcer also leverages a PHP web shell already installed
in the victim server to glean more details about the targeted
network.

That said, the exact initial intrusion vector used to deliver
both GoBruteforcer and the PHP web shell is undetermined as yet.
Artifacts collected by the cybersecurity company suggest active
development efforts to evolve its tactics and evade detection.

The findings are yet another indication of how threat actors are
increasingly adopting Golang to develop cross-platform malware.
What’s more, GoBruteforcer’s multi-scan capability enables it to
breach a broad set of targets, making it a potent threat.

“Web servers have always been a lucrative target for threat
actors,” Unit 42 said. “Weak passwords could lead to serious
threats as web servers are an indispensable part of an
organization. Malware like GoBruteforcer takes advantage of weak
(or default) passwords.”
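
The pattern described above, one source trying credentials against many hosts of a single CIDR block across phpMyAdmin, MySQL, FTP and Postgres, can be surfaced from failed-login logs. The following is an added example, not code from the article or from Unit 42; the log line format, the thresholds, and names such as `find_sweeps` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services the article lists as brute-force targets.
TARGET_SERVICES = {"phpmyadmin", "mysql", "ftp", "postgres"}
# Hypothetical normalized auth-log format, assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<svc>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<res>\S+)$")

def parse(line):
    """Return (time, service, src, dst, result), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return ts, m["svc"].lower(), src, dst, m["res"].lower()

def find_sweeps(lines, cidr, window=timedelta(minutes=10), min_hosts=3, min_failures=6):
    """Flag sources whose failed logins spread over many hosts of one CIDR block."""
    net = ipaddress.ip_network(cidr)
    failures = defaultdict(list)
    for ts, svc, src, dst, res in filter(None, map(parse, lines)):
        if res == "fail" and svc in TARGET_SERVICES and dst in net:
            failures[src].append((ts, dst, svc))
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(span) >= min_failures and len(hosts) >= min_hosts:
                flagged[str(src)] = (len(hosts), sorted({svc for _, _, svc in span}))
                break
    return flagged

# Constructed sample: 203.0.113.7 sweeps 10.0.5.0/24; 198.51.100.9 retries one host.
SAMPLE = [f"2023-03-14T10:00:{i:02d}Z service={s} src=203.0.113.7 dst=10.0.5.{10 + i % 4} result=fail"
          for i, s in enumerate(["mysql", "ftp", "postgres", "phpmyadmin"] * 2)]
SAMPLE += [f"2023-03-14T10:05:{i:02d}Z service=ftp src=198.51.100.9 dst=10.0.5.10 result=fail"
           for i in range(8)]
SAMPLE += ["not a log line"]
```

A source that fails repeatedly against a single host is left to ordinary per-host lockout rules; this check only fires on breadth across the block.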

References

  1. CIDR (en.wikipedia.org)
  2. said (unit42.paloaltonetworks.com)
  3. IRC (en.wikipedia.org)
  4. RESERVE YOUR SEAT (thn.news)
  5. Twitter (twitter.com)
  6. LinkedIn (www.linkedin.com)
