Yoroi-Cybaze: GoBrut is a new malware written in the Go programming language, whose core is a brute-force module. It also supports 23 features to target a range of technologies, from administrative protocols to CMSes, WordPress and Joomla included
Malware written in the Go programming language is back. Yoroi-Cybaze cyber security experts analyzed a sample of malicious code with interesting behavior and unusual binary patterns: GoBrut. They detected an inner routine that grants the infection persistence across system reboots by running a batch utility script that installs a self-copy into the user's startup folder. They also found an interesting reference within the RDATA section of the PE binary: references to routines named “TryLogin” and “StartBrut”, suggesting some kind of offensive capability. The core of the bot is, in fact, the brute-force module: its task is to try to log in to target services using credentials retrieved from the C2 server. Digging further into the investigation, the researchers discovered that the new GoLang bot supports 23 more features, not only for “PhpMyAdmin”. These let it target a range of technologies, from administrative protocols to CMSes (SSH logins, FTP sites, exposed MySQL services, WordPress and Joomla, etc.).
The cyber security experts: The cyber attack campaigns are pretty dynamic and may change quickly over time. The Italian targets are about 400, including professional forums, e-commerce portals, company websites and banks
Yoroi-Cybaze cyber security researchers identified, at the time of writing, 40k unique destinations potentially under cyber attack. The distribution of the top-level domains shows that half of the targets are “.com” and “.org”, surprisingly followed by the Russian TLD and other Eastern European targets. Central and Southern Europe seem to be targeted too, but currently in a lower proportion. The “.it” domains in the botnet's target list are about 400, including professional forums, e-commerce portals, company websites and banks. The full list is available in the “Italian Targets” section of the post on the company’s blog. The cyber attack campaigns are pretty dynamic and may change quickly over time. The botnet master enables or disables offensive operations through the “/project/active” server location; in this way the bot is told which campaigns and technologies are currently active and to be targeted.