GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks


A recently identified Golang-based botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services, Palo Alto Networks reports.

How GoBruteforcer works and what devices it targets

Cybersecurity researchers have uncovered a new Golang-based botnet malware called GoBruteforcer that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services.

The malware has been identified by Palo Alto Networks’ Unit 42, and it is compatible with x86, x64, and ARM architectures.

GoBruteforcer uses brute force tactics to gain access to vulnerable *nix devices by exploiting weak or default passwords.

The malware scans each targeted IP address for phpMyAdmin, MySQL, FTP, and Postgres services. Once it detects an open port accepting connections, it attempts to log in using hard-coded credentials. It deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on servers running other targeted services, enabling it to reach out to its command-and-control server for further instructions.
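The login pattern described above (one source trying credentials against several of the targeted services, possibly followed by a success) can be hunted for in authentication logs. The following is an added detection example, not code from Unit 42 or from the original article; the normalized log format, the thresholds, and the function names `parse` and `detect` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services the article lists as GoBruteforcer targets.
TARGETED = {"ftp", "mysql", "phpmyadmin", "postgres"}

# Constructed sample events in an assumed normalized format (not real daemon logs):
# <ISO timestamp> service=<name> src=<ip> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2023-03-10T12:00:01 service=ftp src=203.0.113.7 user=admin result=fail
2023-03-10T12:00:04 service=mysql src=203.0.113.7 user=root result=fail
2023-03-10T12:00:05 service=postgres src=203.0.113.7 user=postgres result=fail
2023-03-10T12:00:09 service=mysql src=203.0.113.7 user=root result=ok
2023-03-10T12:01:00 service=ftp src=198.51.100.20 user=alice result=fail
2023-03-10T12:01:30 service=ftp src=198.51.100.20 user=alice result=ok
2023-03-10T12:02:00 service=ssh src=203.0.113.7 user=root result=fail
"""

def parse(line):
    """Return (timestamp, fields) for a well-formed event, else None."""
    parts = line.split()
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["service"], fields["src"], fields["result"]  # required keys
    except (IndexError, ValueError, KeyError):
        return None
    return ts, fields

def detect(log_text, window=timedelta(minutes=5), min_fails=3, min_services=2):
    """Flag sources failing logins on several targeted services within one window."""
    fails, alerts = defaultdict(list), {}  # fails: src -> [(ts, service)]
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None or parsed[1]["service"] not in TARGETED:
            continue
        ts, f = parsed
        src = f["src"]
        recent = [(t, s) for t, s in fails[src] if ts - t <= window]
        if f["result"] == "fail":
            recent.append((ts, f["service"]))
        fails[src] = recent
        services = {s for _, s in recent}
        if len(recent) >= min_fails and len(services) >= min_services:
            alert = alerts.setdefault(src, {"services": set(), "success_after": []})
            alert["services"] |= services
            if f["result"] == "ok":  # success right after a failure burst
                alert["success_after"].append(f["service"])
    return alerts
```

A non-empty `success_after` list is the case to triage first, since it means a guessed credential worked and the account should be treated as compromised.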

Unit 42 warns that GoBruteforcer is likely under active development, with its operators expected to adapt their tactics and the malware’s capabilities for targeting web servers and staying ahead of security defenses. The malware has already been seen deploying various types of malware as payloads, including coinminers.

Security Recommendations:

It is always important to have strong passwords and regular security audits to prevent malicious attacks on web servers.

Regularly update software with the latest security measures to protect against evolving threats.

Indicators of Compromise


URL and IP

  • 5.253[.]84[.]159/x
  • fi[.]warmachine[.]su


About the Author:

FirstHackersNews- Identifies Security
