Jump to content
  • New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP, Postgres

    alf9872000

    • 511 views
    • 2 minutes
     Share


    • 511 views
    • 2 minutes

    A newly discovered Golang-based botnet malware scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.

     

    According to researchers with Palo Alto Networks' Unit 42, who first spotted it in the wild and dubbed it GoBruteforcer, the malware is compatible with x86, x64, and ARM architectures.

     

    GoBruteforcer will brute force accounts with weak or default passwords to hack into vulnerable *nix devices.

     

    "For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords)," the researchers said.

     

    For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.

     

    Once in, it deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on servers running other targeted services.

     

    In the next phase of the attack, GoBruteforcer will reach out to its command-and-control server and wait for instructions that will be delivered via the previously installed IRC bot or web shell.

     

    Gobruteforcer_attack_flow.png

    GoBruteforcer attack flow (Unit 42)

     

    The botnet uses a multiscan module to find potential victims within a Classless Inter-Domain Routing (CIDR), granting it a broad selection of targets to infiltrate networks. 

     

    Before scanning for IP addresses to attack, GoBruteforcer chooses a CIDR block and will target all IP addresses within that range.

     

    Rather than targeting a single IP, the malware uses CIDR block scanning for access to a diverse range of hosts on various IP addresses, increasing the reach of the attack.

     

    GoBruteforcer is likely under active development, with its operators expected to adapt their tactics and the malware's capabilities for targeting web servers and stay ahead of security defenses.

     

    "We've seen this malware remotely deploy a variety of different types of malware as payloads, including coinminers," Unit42 added.

     

    "We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...