Yoroi-Cybaze ZLab: There is a new version of the GoBrut botnet in the wild, the 3.06 compiled for Linux
There is a new version of the GoBrut botnet in the wild. It has been detected by Yoroi-cybaze ZLab cyber security experts. The researchers previously analyzed a Windows version of this bot, arguing about the usage of the GoLang, a modern language able to reach extremely high level of code portability, potentially enabling the attackers to write code once and compile it for every OSes. After that, they discovered a new version of the bot compiled for Linux hosts. This is not the first Linux compatible GoBrut sample discovered in the wild, in fact, other security firms reported in April 2019 the version 2.24 of the bot has been compiled for Linux systems. Yoroi’s recent discovery, instead, regards an even newer version of the bot, version 3.06. Even in this case it was compiled for Linux environments.
The cyber security experts: The similarities between the malware versions
During intelligence monitoring operations, Yoroi-Cybaze ZLab cyber security experts encountered a compromised website containing a conspicuous number of suspicious files, in particular ELF binaries. The files were actually copies of the same unique sample. They compared this latest sample with the previously known ones reported in the AlertLogic technical article. The sample has many similarities with the other known GoBrut ones, similarities observed both during the static and the dynamic analysis session. For instance the control flow and the communication protocol are the same, the checking and the retrieval of the jobs have no major changes. Also, the sample registers itself to the C2 through the path “bots/knock” indicating its kind of worker, the host OS and the version of the malware. The C2 responds with “1” as acknowledgement.
The updates of GoBrut botnet
According to the cyber security experts, the malware indicates to the C2 its version and the target architecture and the C2 responds indicating whether some updates are available with a simple “yes/no” response. The behavior of GoBrut remained similar to the older versions. However, this malware version has been made more powerful due to the addition of new features. It has been equipped with new brute forcing modules, in particular with: StealthWorker/WorkerQnap module, able to target Qnap NAS service login page; StealthWorker/Worker_WooChk module, aiming to support attacks to the “WOO Commerce” CMS; StealthWorker/Worker_wpMagOcart module, designed to force the MageCart ecommerce logins; StealthWorker/Worker_WpInstall_finder, a recon tool able to find the installation directory of within WordPress sites; StealthWorker/WorkerBackup_finder, another utility designed to search for exposed backup folders, and StealthWorker/WorkerHtpasswd module: trying to retrieve info from the misconfigured htpasswd files.
Cybercrime is targeting hundred of thousand WordPress powered websites, and part of them are related to Italy
In addition to the “.com”, “.org” and “.info” domains, Yoroi-Cybaze ZLab noticed that most Top Level Domains (TLD) refer to the EMEA region and, this time, almost no Russian TLD is present. This could mean, with low confidence, the botnet operators may not want to run attacks against the Russian cyberspace, perhaps due to the possible Russian origin of its current clients. Also, researchers ound over 4600 Italian TLDs appeared in the target list of this GoBrut campaign. Most of them are Small-Medium Companies running WordPress based websites, but there are also Law Firms and No-Profit Associations. These kind of entities can also be targeted by cybercrime to exploit their relationship and reputation in order to reach more valuable targeted such as Enterprises, Corporates or VIPs.