skip to Main Content

Cybercrime: new variant of GoBrut malware targets Unix systems via WordPress

Alert Logic: A new variant of GoBrut (aka StealthWorker) malware targets Unix systems thanks to an ELF variant and WordPress CMS

A new variant of GoBrut (aka StealthWorker) malware is on the wild and could target Unix-based machines. It has been discovered by Alert Logic cyber security experts. This thanks to an Executable and Linkable Format (ELF) variant of the family. Furthermore, it has a new command-and-control (C2) server, used by the botnet for communication. The malicious code, written in Golang, launch brute force cyber attacks to servers running Content Management Systems (CMS) and technologies such as SSH and MySQL. Once infected, the host will join the botnet and request work from the CNC server. After work is received, the infected host will proceed to brute force the targets detailed in the work request sent by the botnet owner. This malware has been associated with the cybercrime Advanced Persistent Threat (APT) Magecart group.

The cyber security experts: The malware primarily brute-forced Magento sites and phpMyAdmin applications, exploiting the WordPress CMS. The cybercrime threat is growing

According to there cyber security experts, while GoBrut primarily brute-forced Magento sites and phpMyAdmin applications, it was also observed that the botnet exploited the WordPress CMS. Over 9000 brute-forcing attempts were made from the blogging platform sites. On top of using a C2 server from its Windows variants, the ELF variant of GoBrut also used another C2 server for communication. Furthermore, the Magecart operations are growing. Alert Logic’s 24-hour telemetry showed that the average number of GoBrut bots in operation grew five-fold this year, right from 500 in January to 2666 in March. And 11,788 have been compromised. Moreover, the cyber criminals use multiple C2 servers. One of them is exclusively executing WordPress brute force attempts. Following those elements, users are advised to always patch website services and plugins. In addition, applying access control to remote logins can help neutralize brute-force attempts as well.

Yoroi-Cybaze: GoBrut is written in Go programming language, and its core is the brute-force module. It supports also 23 features o target a range of technologies from administrative protocols to CMSes, WordPress and Joomla included

Yoroi-Cybaze security experts analyzed GoBrut recently and detected an inner routine granting the infection persistence after the system reboot, by running a batch utility script to install a self-copy into the user startup folder. They found also an interesting reference within the RDATA section of the PE binary: a reference to a so called “TryLogin” and “StartBrut” routine, suggesting some kind of offensive capabilities. The core of the bot, in fact, is the brute-force module: it has the task to try to login into target services using credentials retrieved from the C2 server. Digging further into the investigations, the researchers discovered that the new GoLang bot supports 23 more features, not only for “PhpMyAdmin”. They’re able to target a range of technologies from administrative protocols to CMSes, (SSH logins, FTP sites, exposed MySql service, WordPress and Joomla, etc.).

Back To Top