A recently identified Golang-based botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services, Palo Alto Networks reports.
How GoBruteforcer works and what devices it targets
The malware has been identified by Palo Alto Networks’ Unit 42, and it is compatible with x86, x64, and ARM architectures.
GoBruteforcer uses brute force tactics to gain access to vulnerable *nix devices by exploiting weak or default passwords.
The malware scans each targeted IP address for phpMyAdmin, MySQL, FTP, and Postgres services. Once it finds an open port accepting connections, it attempts to log in using hard-coded credentials. On compromised phpMyAdmin systems it deploys an IRC bot, and on servers running the other targeted services a PHP web shell; either payload lets it reach its command-and-control server for further instructions.
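The tell-tale pattern in the behaviour described above is a single source address failing logins against several different services in a short span of time. The following Python script is an added example, not code from the article or from Unit 42: it parses constructed sample log lines (formats approximate vsftpd, PostgreSQL and MySQL defaults, not real captures) into failed-login events and flags any source that fails against two or more of the targeted services within a sliding time window. The window length, service patterns and sample addresses are all assumptions chosen for the illustration.

```python
"""Flag source IPs that fail logins against several services in a short window.

Added example (not from the article or Unit 42). Sample log lines below are
constructed; the regexes approximate each daemon's default failure message.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source sprays three services within seconds,
# a second source touches two services but half an hour apart.
SAMPLE_LOGS = """\
2023-03-10 12:00:01 vsftpd: FAIL LOGIN: Client "203.0.113.7"
2023-03-10 12:00:03 postgres[1201]: FATAL:  password authentication failed for user "postgres" from 203.0.113.7
2023-03-10 12:00:05 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)
2023-03-10 12:00:09 vsftpd: FAIL LOGIN: Client "203.0.113.7"
2023-03-10 12:30:00 vsftpd: FAIL LOGIN: Client "198.51.100.4"
2023-03-10 13:00:00 postgres[1300]: FATAL:  password authentication failed for user "app" from 198.51.100.4
"""

# One pattern per service; each captures the client address as group "ip".
PATTERNS = {
    "ftp": re.compile(r'vsftpd: FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
    "postgres": re.compile(r'password authentication failed for user "[^"]*" from (?P<ip>[\d.]+)'),
    "mysql": re.compile(r"Access denied for user '[^']*'@'(?P<ip>[\d.]+)'"),
}
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")


def parse_failures(text):
    """Return a list of (timestamp, source_ip, service) for each failed login line."""
    events = []
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group("ts"), "%Y-%m-%d %H:%M:%S")
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                events.append((ts, m.group("ip"), service))
                break
    return events


def find_spray_sources(events, window_minutes=10, min_services=2):
    """Return {ip: sorted services} for every source whose failures hit at least
    `min_services` distinct services inside some window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, service in events:
        by_ip[ip].append((ts, service))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()  # order this source's failures by time
        best = set()
        start = 0
        for end in range(len(hits)):
            # advance the window start until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            services = {svc for _, svc in hits[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    for ip, services in find_spray_sources(parse_failures(SAMPLE_LOGS)).items():
        print(f"{ip}: failed logins against {', '.join(services)}")
```

With the default 10-minute window only 203.0.113.7 is reported, because 198.51.100.4's two failures are 30 minutes apart; widening the window to an hour flags both. In practice the same grouping can be driven from a SIEM query rather than a script, but the logic (group by source, count distinct services per window) is what distinguishes this spray from ordinary mistyped passwords.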
Unit 42 warns that GoBruteforcer is likely under active development, with its operators expected to adapt their tactics and the malware's capabilities for targeting web servers and staying ahead of security defenses. The malware has already been seen deploying various types of malware as payloads, including coinminers.
Strong passwords and regular security audits remain essential to prevent attacks on web servers.
Regularly update software with the latest security patches to protect against evolving threats.
Indicators of Compromise
| SHA256 | Description |
| acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834 | Older version of GoBruteforcer |
URL and IP