
Golang: A Cryptomining Malware That May Be Targeting Your PC

Cybersecurity experts at Barracuda Networks have discovered a new kind of cryptomining malware, which they call "Golang." According to the experts, the malware can attack both Windows and Linux systems. It mines the Monero cryptocurrency with the help of XMRig, a popular miner. The number of attacks linked to the malware is relatively low so far, but the researchers have identified seven IP addresses associated with it, all originating from China.

The experts also observed that the Golang malware's primary targets are non-HTTP services such as MSSQL and Redis, application servers, and web application frameworks, rather than easier targets such as end users. Earlier versions of Golang affected only Linux systems; the current version targets both Windows and Linux. The attacks are carried out using exploits against IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle WebLogic. For instance, in a recent campaign in China, the malware used exploits targeting the ThinkPHP application framework, which is widely used in that country.

According to the experts, the Golang malware is evolving constantly and adds new exploits as time passes. Once it has infiltrated a system, it fetches the files it needs to complete its task: update scripts, configuration files, a scanner, and a miner, depending on the platform. On Windows, the attackers can also install a backdoor. In recent times, more and more attackers have shifted to Golang because, the experts say, it cannot be identified by anti-virus software.

The malware is known for targeting vulnerable servers, which makes it attractive to cybercriminals looking for vulnerabilities to exploit. The only way to stay safe from this malware is to keep track of CPU usage (watching for when it goes unusually high) and to observe any suspicious activity at the endpoints. Threats like Golang can be avoided through vigilant inspection and immediate response. Awareness of cryptomining threats is also a must.
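The post's advice is to watch for unusually high CPU usage on endpoints. The script below is an added example (not code from the post or from Barracuda) of what that check looks like when it is more than a single threshold: it only flags a process that stays hot across several consecutive samples, so a one-off spike from a browser is ignored while a miner that pegs a core for minutes is not, and it separately flags the XMRig binary name the post mentions. The process snapshots are constructed by hand; on a real host they would come from `ps` or a library such as psutil, and the thresholds and the miner-name list are assumptions to tune per environment.

```python
# Added example, not from the original post. Flags processes that keep the CPU
# pegged across consecutive samples, which is the "unusually high CPU usage"
# signal the post recommends watching for. Snapshots below are constructed.

from collections import defaultdict

# Miner binary name the post mentions (XMRig). Assumption: extend per environment.
KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe"}

# Constructed sample: one snapshot every 10 s, mapping pid -> (process name, %CPU).
# chrome spikes once, java is a hot app server, xmrig ramps up and stays there.
CONSTRUCTED_SNAPSHOTS = [
    {1201: ("chrome", 12.0), 1402: ("kworker/0:1", 3.5), 2210: ("java", 91.0)},
    {1201: ("chrome", 35.0), 1402: ("kworker/0:1", 2.0), 2210: ("java", 95.5), 3301: ("xmrig", 60.0)},
    {1201: ("chrome", 88.0), 2210: ("java", 97.0), 3301: ("xmrig", 88.0)},
    {1201: ("chrome", 15.0), 2210: ("java", 93.0), 3301: ("xmrig", 92.0)},
    {1201: ("chrome", 10.0), 2210: ("java", 96.0), 3301: ("xmrig", 99.0)},
]


def sustained_high_cpu(snapshots, threshold=85.0, min_consecutive=3):
    """Return {pid: (name, longest_streak)} for processes at or above `threshold`
    %CPU in at least `min_consecutive` consecutive snapshots.

    A single spike (chrome at 88% once) is ignored; a process that stays hot
    across samples is what a miner looks like."""
    streak = defaultdict(int)   # pid -> current run of consecutive hot samples
    longest = {}                # pid -> (name, longest run seen so far)
    for snap in snapshots:
        for pid, (name, cpu) in snap.items():
            if cpu >= threshold:
                streak[pid] += 1
                best = longest.get(pid, (name, 0))[1]
                longest[pid] = (name, max(best, streak[pid]))
            else:
                streak[pid] = 0
        # A pid missing from this snapshot has exited, so its run is broken.
        for pid in list(streak):
            if pid not in snap:
                streak[pid] = 0
    return {pid: v for pid, v in longest.items() if v[1] >= min_consecutive}


def triage(snapshots, threshold=85.0, min_consecutive=3):
    """Combine the CPU signal with a name check. Returns (pid, name, reason)
    tuples sorted by pid; the reason tells the analyst whether the hit is a
    known miner name or just an unexplained CPU hog worth a closer look."""
    hits = []
    for pid, (name, run) in sustained_high_cpu(snapshots, threshold, min_consecutive).items():
        if name.lower() in KNOWN_MINER_NAMES:
            reason = f"known miner name, {run} consecutive samples >= {threshold}%"
        else:
            reason = f"unexplained sustained CPU, {run} consecutive samples >= {threshold}%"
        hits.append((pid, name, reason))
    # A known miner name is worth flagging even before its CPU run is long.
    seen = {h[0] for h in hits}
    for snap in snapshots:
        for pid, (name, _cpu) in snap.items():
            if pid not in seen and name.lower() in KNOWN_MINER_NAMES:
                hits.append((pid, name, "known miner name"))
                seen.add(pid)
    return sorted(hits)


if __name__ == "__main__":
    for pid, name, reason in triage(CONSTRUCTED_SNAPSHOTS):
        print(f"pid {pid:<6} {name:<12} {reason}")
```

Run as is, the script reports the `java` process as an unexplained sustained CPU consumer and `xmrig` as a known miner name; the one-sample `chrome` spike is not reported. The name check is deliberately kept separate from the CPU rule so that a renamed miner still trips the CPU rule and a miner caught early still trips the name rule.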

StealthWorker: Manipulates Compromised E-Commerce Websites To Attack Windows and Linux Platforms

A new brute-force malware that goes by the name of StealthWorker was recently uncovered. It allegedly uses compromised e-commerce websites to steal personal data.

The platforms most affected by this malware are Linux and Windows.

Personal information and payment data are the main motivations behind these attacks.

The malware is written in the unusual and rarely used language "Golang," which is also used by the Mirai botnet's development module.

To make all this happen, the e-commerce websites are first compromised and an embedded skimmer is planted.

The websites are compromised either through plugin vulnerabilities or through weaknesses in the Content Management System (CMS) itself.

The malware emerged while the researchers were analyzing the command and control server (5.45.69[.]149).

That is where they found a storage directory with samples intended to brute-force an admin tool.

Previous versions of this malware had only Windows on their radar.

But the latest version happens to have server payload binaries to get into Linux as well.

One of the samples the researchers worked on is "PhpMyAdminBrut_Windows_x86.exe," in which an IP address was found that led to a web panel login with an array of new samples.

Some open directories were also found, containing new file names that pointed to IoT devices with ARM and MIPS architectures.

StealthWorker sets itself up to run on a recurring schedule so that the malware persists even after the system is rebooted.

The researchers also used an IDA Python script to look for other malicious functions.

The research also found that other platforms and services are on the target list, namely FTP, Joomla, cPanel, MySQL, SSH, and others.

Furthermore, the cybercriminals are making other major moves towards infecting an extensive variety of platforms.
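StealthWorker's business is credential brute-forcing against services such as phpMyAdmin, SSH, FTP and MySQL. A defender's counterpart is a detector for that behaviour in authentication logs. The script below is an added example (not code from the post or from the researchers): it parses sshd "Failed password" lines (SSH is on the post's target list) and flags any source address that accumulates a threshold of failures inside a sliding time window, also reporting the distinct usernames tried, since cycling through many usernames from one address is the brute-force signature. The log lines are constructed for this example using documentation IP ranges; the window and threshold values are assumptions, and the syslog timestamps are assumed to fall in one year because the format carries none.

```python
# Added example, not from the original post. Detects brute-force login
# attempts in sshd log lines by counting failures per source IP inside a
# sliding window. Log lines below are constructed (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).

import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure line: "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one address sprays six usernames in six seconds; a
# legitimate operator fat-fingers a password twice, eleven minutes apart.
CONSTRUCTED_LOG = """\
Mar  3 10:15:01 shop01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:02 shop01 sshd[4023]: Failed password for invalid user root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:02 shop01 sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Mar  3 10:15:03 shop01 sshd[4027]: Failed password for invalid user mysql from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:04 shop01 sshd[4029]: Failed password for invalid user ftp from 203.0.113.7 port 51242 ssh2
Mar  3 10:15:05 shop01 sshd[4031]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:15:06 shop01 sshd[4033]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Mar  3 10:20:11 shop01 sshd[4100]: Failed password for deploy from 198.51.100.20 port 40030 ssh2
Mar  3 10:31:45 shop01 sshd[4180]: Failed password for deploy from 198.51.100.20 port 40044 ssh2
"""


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username) for each failed login.
    Assumption: syslog timestamps carry no year, so all lines are treated as
    belonging to the same year (strptime defaults to 1900, which is fine for
    computing differences)."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            failures.append((ts, m["ip"], m["user"]))
    return failures


def find_bruteforce(failures, window_seconds=60, threshold=5):
    """Return {ip: (peak_failures_in_window, sorted distinct usernames)} for
    every source IP that reaches `threshold` failures within any
    `window_seconds`-long window. IPs that never reach it are omitted."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = {}                     # ip -> largest in-window count observed
    users = defaultdict(set)      # ip -> usernames attempted
    for ts, ip, user in sorted(failures):
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        users[ip].add(user)
        if len(window) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return {ip: (count, sorted(users[ip])) for ip, count in peak.items()}


if __name__ == "__main__":
    for ip, (count, names) in find_bruteforce(parse_failures(CONSTRUCTED_LOG)).items():
        print(f"{ip}: {count} failures within 60 s, usernames tried: {', '.join(names)}")
```

On the constructed log the spraying address is reported with six failures and five distinct usernames, while the operator's two slow mistakes stay below the threshold. The same window-and-threshold logic applies unchanged to FTP, phpMyAdmin or MySQL authentication logs once the regular expression is swapped for their line format.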