Serviceteam IT Security News

A cryptominer campaign has been targeting Linux-based servers using new Golang malware, according to research published by F5 Labs.

Though not often seen in the threat landscape, the Golang malware was first identified in mid-2018 and has persisted throughout 2019. Researchers noted that the latest operation, which has infected an estimated several thousand machines, began around June 10. The first exploit requests were identified around June 16.

Using the CryptoNight algorithm to mine XMR, the attacker has earned less than $2000 USD, a figure based only on the wallets used by the miners F5 Labs observed. Researchers added that it is possible the attacker has several wallets used by different parts of the botnet.

“F5 researchers detected malicious requests targeting vulnerabilities in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and Drupal (CVE-2018-7600), also known as Drupalgeddon2,” the report said.

The malware campaign reportedly propagates using seven different methods: four web application exploits, SSH credential enumeration, Redis database password enumeration, and an attempt to connect to other machines using discovered SSH keys.

“Some of these vulnerabilities are common targets, however, the delivered malware in this campaign was written in Go (Golang), a newer programming language not typically used to create malware,” the researchers wrote.

As Golang malware is not typically detected by anti-virus software, malicious actors have started using it as a malware language. “Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware. One of the earlier Golang samples was analyzed and published at the beginning of January 2019,” the report said.

To host the spearhead bash script, the attackers reportedly use pastebin.com, an online clipboard service. According to the report, the malware is hosted on a Chinese ecommerce website that had already been compromised. Combined with additional indicators, such as the online clipboard and GitHub usernames, researchers suspect this could be the work of a Chinese-speaking attacker.

Source: Infosecurity Magazine
