A new malware family known as GoBruteforcer has been discovered targeting web servers that run phpMyAdmin, MySQL, FTP, and Postgres services. It attempts to breach these servers and enlist them in a botnet.

To achieve this goal, the malware scans the network using a Classless Inter-Domain Routing (CIDR) block, targeting every IP address within that CIDR range. Rather than aiming at a single IP address, it tries to gain access to a wide range of hosts on different IPs within a network.

GoBruteforcer is primarily designed to target Unix-like platforms running on x86, x64, and ARM architectures. It attempts to gain access through a brute-force attack using a list of credentials hard-coded into the binary. If the attack succeeds, an Internet Relay Chat (IRC) bot is deployed on the victim server to establish communications with an actor-controlled server.

The malware also leverages a PHP web shell already installed on the victim server to glean more details about the targeted network. The exact initial intrusion vector used to deliver both GoBruteforcer and the PHP web shell is undetermined, and the cybersecurity company says the malware appears to be under active development, evolving its tactics to evade detection.

These findings suggest that threat actors are increasingly adopting Golang to develop cross-platform malware. Additionally, GoBruteforcer’s multi-scan capability enables it to breach a broad set of targets, making it a potent threat. Because web servers are an indispensable part of an organization, servers protected by weak passwords are exposed to serious threats and remain a lucrative target for threat actors.
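The CIDR-wide, multi-service brute forcing described above leaves a recognizable trace in authentication logs: one source failing logins against many different hosts in the same block within a short time. The following detection sketch is an added example, not code from the original report; the normalized log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized format (not real incident data).
SAMPLE_LOG = """\
2023-03-10T02:00:01 src=203.0.113.7 dst=10.20.0.11 svc=mysql result=fail
2023-03-10T02:00:04 src=203.0.113.7 dst=10.20.0.12 svc=ftp result=fail
2023-03-10T02:00:09 src=203.0.113.7 dst=10.20.0.13 svc=postgres result=fail
2023-03-10T02:00:15 src=203.0.113.7 dst=10.20.0.14 svc=phpmyadmin result=fail
2023-03-10T02:00:21 src=203.0.113.7 dst=10.20.0.15 svc=mysql result=fail
2023-03-10T09:12:00 src=198.51.100.9 dst=10.20.0.11 svc=ftp result=fail
2023-03-10T09:12:20 src=198.51.100.9 dst=10.20.0.11 svc=ftp result=fail
2023-03-10T09:12:41 src=198.51.100.9 dst=10.20.0.11 svc=ftp result=ok
2023-03-10T01:00:00 src=192.0.2.50 dst=10.20.0.21 svc=mysql result=fail
2023-03-10T03:00:00 src=192.0.2.50 dst=10.20.0.22 svc=mysql result=fail
2023-03-10T05:00:00 src=192.0.2.50 dst=10.20.0.23 svc=mysql result=fail
2023-03-10T07:00:00 src=192.0.2.50 dst=10.20.0.24 svc=mysql result=fail
"""

def find_sweeps(log_text, prefix=24, min_hosts=4, window=timedelta(minutes=10)):
    """Flag sources whose failed logins hit >= min_hosts distinct addresses
    in one /prefix block within `window`. Thresholds are assumed defaults."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("result") != "fail":
            continue
        # Bucket each target by its enclosing network so a sweep groups together.
        net = ipaddress.ip_network(f"{kv['dst']}/{prefix}", strict=False)
        by_key[(kv["src"], str(net))].append(
            (datetime.fromisoformat(ts), kv["dst"], kv["svc"]))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            hosts = {dst for _, dst, _ in in_window}
            if len(hosts) >= min_hosts:
                alerts[key] = {"hosts": len(hosts),
                               "services": sorted({s for _, _, s in in_window})}
                break
    return alerts

if __name__ == "__main__":
    for (src, net), info in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src} across {net}: {info}")
```

A single user mistyping a password against one host and a slow scan spread over hours both stay below these thresholds, so the window and host count need tuning against real traffic.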
