A newly discovered malware named GoBruteforcer has been detected targeting web servers that run phpMyAdmin, MySQL, FTP, and Postgres. The malware is written in the Go programming language and gains control of targeted hosts by brute-forcing credentials for these services.
Once it gains access, the malware executes a series of commands to download and run additional payloads, aiming to stay unnoticed by the system’s administrators. The ultimate goal of GoBruteforcer is to build a botnet out of the infected devices.
Classless inter-domain routing: A way to attack
“GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range,” Palo Alto Networks Unit 42 researchers said.
“The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.”
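To make the CIDR-scanning model concrete, here is an added example in Go (not code from the Unit 42 report or from the malware itself). The first function expands a prefix into the host list a range scanner iterates over; the second shows the defender's side, flagging any source that touched a listed service port on many distinct hosts inside one /24, which is the horizontal sweep a CIDR scan produces and a single-target brute force does not. The flow records, the port list and the threshold of 5 hosts are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// HostsInCIDR expands an IPv4 prefix into the host addresses a CIDR-driven
// scanner iterates over, dropping the network and broadcast addresses for
// prefixes shorter than /31. Prefixes wider than /16 are refused so a typo
// cannot allocate millions of entries.
func HostsInCIDR(cidr string) ([]netip.Addr, error) {
	pfx, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, err
	}
	pfx = pfx.Masked()
	if !pfx.Addr().Is4() {
		return nil, fmt.Errorf("%s: only IPv4 prefixes are supported", cidr)
	}
	if pfx.Bits() < 16 {
		return nil, fmt.Errorf("%s: prefix too large to expand", cidr)
	}
	var hosts []netip.Addr
	for a := pfx.Addr(); pfx.Contains(a); a = a.Next() {
		hosts = append(hosts, a)
	}
	if pfx.Bits() < 31 {
		hosts = hosts[1 : len(hosts)-1]
	}
	return hosts, nil
}

// Conn is one observed TCP connection attempt. The sample below is
// constructed; in practice these come from firewall or flow records.
type Conn struct {
	Src, Dst string
	Port     uint16
}

// servicePorts are the services named in the report: FTP, MySQL, PostgreSQL
// and the web ports phpMyAdmin is usually served on (port choice assumed).
var servicePorts = map[uint16]bool{21: true, 80: true, 443: true, 3306: true, 5432: true}

// ScanningSources returns sources that touched a listed service on at least
// threshold distinct hosts inside one /24: the signature of range scanning.
func ScanningSources(conns []Conn, threshold int) []string {
	type key struct {
		src   string
		block netip.Prefix
	}
	seen := map[key]map[netip.Addr]bool{}
	for _, c := range conns {
		dst, err := netip.ParseAddr(c.Dst)
		if !servicePorts[c.Port] || err != nil || !dst.Is4() {
			continue
		}
		k := key{c.Src, netip.PrefixFrom(dst, 24).Masked()}
		if seen[k] == nil {
			seen[k] = map[netip.Addr]bool{}
		}
		seen[k][dst] = true
	}
	flagged := map[string]bool{}
	for k, dsts := range seen {
		if len(dsts) >= threshold {
			flagged[k.src] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for src := range flagged {
		out = append(out, src)
	}
	sort.Strings(out)
	return out
}

// SampleConns builds a constructed flow log: one source sweeping MySQL across
// a /24, one hammering a single PostgreSQL host, one probe on an unlisted port.
func SampleConns() []Conn {
	var conns []Conn
	for i := 1; i <= 6; i++ {
		conns = append(conns, Conn{"203.0.113.9", fmt.Sprintf("10.0.0.%d", i), 3306})
	}
	for i := 0; i < 30; i++ {
		conns = append(conns, Conn{"203.0.113.10", "10.0.0.1", 5432})
	}
	conns = append(conns, Conn{"192.0.2.4", "10.0.0.1", 22})
	return conns
}

func main() {
	hosts, err := HostsInCIDR("10.0.0.0/24")
	if err != nil {
		panic(err)
	}
	fmt.Printf("10.0.0.0/24 expands to %d hosts, %s .. %s\n", len(hosts), hosts[0], hosts[len(hosts)-1])
	fmt.Println("sweeping sources:", ScanningSources(SampleConns(), 5))
}
```

The single-host hammering source is deliberately not flagged here: it is a brute-force problem, not a range scan, and is better caught by the failed-login counting that the credential attack itself leaves behind.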
The malware targets Unix-like platforms with brute-force and IRC bot attacks
GoBruteforcer targets Unix-like platforms running on x86, x64, and ARM architectures. It uses a brute-force strategy, trying a list of credentials hard-coded in its binary to gain entry to each service.
- If the attack is successful, the malware then proceeds to deploy an IRC bot on the victim server, establishing a communication channel with a server controlled by the threat actor.
- This gives the attacker remote control of the victim server.
- It can also install a PHP web shell on the victim server to collect additional information about the targeted network.
- Information retrieved can be used to launch further attacks, which could lead to more severe security breaches.
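A credential list replayed from a binary leaves a distinctive trail: many failed logins from one source in a short window, cycling through usernames. The following added example in Go (not code from Unit 42 or from the malware) parses constructed PostgreSQL authentication-failure lines and flags sources that exceed a failure threshold inside a sliding window, reporting how many distinct usernames they tried. The log line shape (timestamp, bracketed client address, message) is an assumed log_line_prefix; the window of 60 seconds and threshold of 5 failures are assumptions as well.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// authFailed matches the constructed log shape used below: an RFC3339
// timestamp, the client address in brackets, then the PostgreSQL message.
// Real deployments set log_line_prefix, so this exact layout is an assumption.
var authFailed = regexp.MustCompile(
	`^(\S+) \[(\d+\.\d+\.\d+\.\d+)\] FATAL:\s+password authentication failed for user "([^"]+)"`)

// Failure is one rejected login attempt.
type Failure struct {
	At   time.Time
	Src  string
	User string
}

// ParseFailure extracts a Failure from a log line, or reports false for
// lines that are not authentication failures.
func ParseFailure(line string) (Failure, bool) {
	m := authFailed.FindStringSubmatch(line)
	if m == nil {
		return Failure{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Failure{}, false
	}
	return Failure{At: t, Src: m[2], User: m[3]}, true
}

// Alert describes one source that crossed the threshold.
type Alert struct {
	Src      string
	Failures int // most failures seen inside a single window
	Users    int // distinct usernames tried by that source
}

// DetectBruteForce flags sources with at least threshold failures inside any
// window-long span. One source cycling many usernames is the trail a
// hard-coded credential list leaves behind.
func DetectBruteForce(events []Failure, window time.Duration, threshold int) []Alert {
	bySrc := map[string][]Failure{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e)
	}
	var alerts []Alert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		start, best := 0, 0
		for end := range evs {
			for evs[end].At.Sub(evs[start].At) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			users := map[string]bool{}
			for _, e := range evs {
				users[e.User] = true
			}
			alerts = append(alerts, Alert{Src: src, Failures: best, Users: len(users)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// sampleLog is a constructed excerpt: one source replaying a credential list
// against PostgreSQL, one unrelated connection, one isolated typo-style failure.
var sampleLog = []string{
	`2023-03-10T12:00:01Z [198.51.100.7] FATAL:  password authentication failed for user "postgres"`,
	`2023-03-10T12:00:03Z [198.51.100.7] FATAL:  password authentication failed for user "root"`,
	`2023-03-10T12:00:05Z [203.0.113.5] LOG:  connection received: host=203.0.113.5 port=51234`,
	`2023-03-10T12:00:06Z [198.51.100.7] FATAL:  password authentication failed for user "admin"`,
	`2023-03-10T12:00:09Z [198.51.100.7] FATAL:  password authentication failed for user "test"`,
	`2023-03-10T12:00:12Z [198.51.100.7] FATAL:  password authentication failed for user "mysql"`,
	`2023-03-10T12:00:15Z [198.51.100.7] FATAL:  password authentication failed for user "postgres"`,
	`2023-03-10T12:05:00Z [203.0.113.5] FATAL:  password authentication failed for user "alice"`,
}

// AnalyzeSample runs the parser and detector over sampleLog with the assumed
// window and threshold.
func AnalyzeSample() []Alert {
	var events []Failure
	for _, line := range sampleLog {
		if f, ok := ParseFailure(line); ok {
			events = append(events, f)
		}
	}
	return DetectBruteForce(events, 60*time.Second, 5)
}

func main() {
	for _, a := range AnalyzeSample() {
		fmt.Printf("brute force from %s: %d failures in window, %d distinct users\n", a.Src, a.Failures, a.Users)
	}
}
```

The same structure applies to MySQL's "Access denied for user" and to FTP daemon login failures; only the regexp changes. Counting distinct usernames alongside raw failures helps separate a credential-list replay from a single user mistyping one password.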
GoBruteforcer malware exploits weak passwords to attack web servers
The intrusion method that delivers GoBruteforcer and the PHP web shell is not yet known, but recent findings suggest that the malware’s authors are actively developing new tactics to evade detection.
The campaign underscores the growing trend of threat actors using Golang to build multi-platform malware. GoBruteforcer stands out for its ability to scan and attack a range of targets.
According to Palo Alto Networks’ Unit 42, web servers have always been a prime target for attackers, and GoBruteforcer is no exception. With its multi-service scanning and its reliance on weak or default passwords, the malware poses a significant threat to organizations that expose such servers.
Organizations should therefore enforce strong, unique credentials on these services and limit their exposure to the internet to prevent such attacks.
Conclusion
Unit 42 expects the malware’s capabilities to expand as its development continues.
“We’ve seen this malware remotely deploy various types of malware as payloads, including coin miners,” Unit 42 added.
“We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future.”