Yoroi-Cybaze ZLab discovers a new version of the GoBrut botnet: the 3.06. It’s more powerful than the old ones, thanks to features as new brute forcing modules

Cybercrime is spreading a new version of the GoBrut botnet, compiled for Linux environment: the 3.06 version. It has been discovered by Yoroi-Cybaze ZLab cyber security experts. The behavior of the bot remained similar to the older versions. However,  this new one has been made more powerful due to the addition of new features. It has been equipped with new brute forcing modules, in particular with: StealthWorker/WorkerQnap module, able to target Qnap NAS service login page; StealthWorker/Worker_WooChk module, aiming to support attacks to the  “WOO Commerce” CMS; StealthWorker/Worker_wpMagOcart module, designed to force the MageCart ecommerce logins; StealthWorker/Worker_WpInstall_finder,  a recon tool able to find the installation directory of within WordPress sites; StealthWorker/WorkerBackup_finder, another utility designed to search for exposed backup folders, and StealthWorker/WorkerHtpasswd module: trying to retrieve info from the misconfigured htpasswd files.

The cybercrime targets are almost in the EMEA region, Italy included. But this time Russia victims are few

According to the cyber security experts, cybercrime the new GoBrut version is targeting almost to the EMEA region and, this time, there are few Russian victims. This could mean, with low confidence, the botnet operators may not want to run attacks against the Russian cyberspace, perhaps due to the possible origin of its current clients. Yoroi ZLab also found again over 4.600 Italian Top Level Domains (TLD) in the target list of this botnet campaign. Most of them are Small-Medium Companies (SMC) running WordPress based websites, but there are also Law Firms and No-Profit Associations. As described in Collection #1 Analysis Whitepaper (ITA), these kind of entities can also be targeted by cybercrime to exploit their relationship and reputation in order to reach more valuable targeted such as Enterprises, Corporates or VIPs.

The cyber security experts: The active development of GoBrut is another indicator of the increasing popularity of GoLang even for the malware writers

The active development of GoBrut is another indicator of the increasing popularity of GoLang even for the malware writers. This trend has also been noticed by PaloAlto Unit 42 cyber security experts, who observed an important increase in the number of GoLang powered malware since 2016. Moreover, the analysis of this botnet version shows the increasing effort of the attackers in expanding their operations, supporting more technologies and adding other recon modules. They also observed that the targets of this last cybercrime campaign are hundred of thousand WordPress powered websites, and part of them are related to Italian economic fabric, confirming the increased dangerousness of the botnet along with the presence of ongoing malicious campaigns.