Golang-based GoBruteforcer Malware Targets Popular Web Services

A new Golang-based botnet named GoBruteforcer has been spotted scanning and infecting popular web servers, including FTP and MySQL. The botnet, hosted on a legitimate website, deploys an Internet Relay Chat (IRC) bot on compromised servers and leverages it to communicate with the attacker's C2 server to obtain further instructions.

A peek into GoBruteforcer 

Palo Alto Networks researchers revealed that GoBruteforcer is compatible with multiple processor architectures, including x86, x64, and ARM.
  • The malware only runs when certain conditions are met: it must be launched with specific command-line arguments, and the targeted services must already be installed on the host and protected by weak passwords.
  • It attempts to gain access to vulnerable Unix-like platforms (collectively called *nix) by brute-forcing them with weak passwords.
  • The attack begins with a scan for potential target web servers running MySQL, Postgres, FTP, or phpMyAdmin.

Network propagation

The developers added a multiscan module to the malware's source code so it can scan for and find a broader set of potential target machines.
  • During an attack, GoBruteforcer scans the network using a Classless Inter-Domain Routing (CIDR) block. A CIDR block groups a range of IP addresses under a single network prefix, which gives the malware a far broader set of targets to probe than a single IP address would.
  • When a host is found, it scans the system to check whether any of the ports belonging to the aforementioned services are open, and then attempts to penetrate that machine via a brute-force attack.
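The brute-force step described above leaves a recognisable trace on the victim: a burst of failed logins from one source, often spread across several of the services the article names. As an added defensive example that is not part of this article or of the Palo Alto Networks report, the following Python script parses constructed log lines approximating MySQL, PostgreSQL and vsftpd failure messages and flags any source that exceeds a failure threshold inside a sliding time window, regardless of which service it hit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article), approximating
# failed-login messages from the services GoBruteforcer targets.
SAMPLE_LOGS = [
    "2023-03-10T10:00:01 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2023-03-10T10:00:02 mysqld: Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2023-03-10T10:00:03 postgres: FATAL: password authentication failed for user \"postgres\" host=203.0.113.7",
    "2023-03-10T10:00:04 vsftpd: FAIL LOGIN: Client \"203.0.113.7\"",
    "2023-03-10T10:00:06 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2023-03-10T10:05:00 vsftpd: FAIL LOGIN: Client \"198.51.100.2\"",
]

# One pattern per service; each captures the client address that failed.
PATTERNS = {
    "mysql": re.compile(r"mysqld: Access denied for user '[^']*'@'(?P<ip>[\d.]+)'"),
    "postgres": re.compile(r"postgres: FATAL: password authentication failed .* host=(?P<ip>[\d.]+)"),
    "ftp": re.compile(r'vsftpd: FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
}

def parse_failures(lines):
    """Yield (timestamp, service, ip) for every recognised failed-login line."""
    for line in lines:
        ts_str, _, rest = line.partition(" ")
        for service, pat in PATTERNS.items():
            m = pat.search(rest)
            if m:
                yield datetime.fromisoformat(ts_str), service, m.group("ip")
                break

def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: [services]} for sources with >= threshold failures in any sliding window."""
    by_ip = defaultdict(list)
    for ts, service, ip in parse_failures(lines):
        by_ip[ip].append((ts, service))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({s for _, s in events})
                break
    return flagged
```

Counting failures per source rather than per service is the point: a scanner that rotates between MySQL, Postgres and FTP stays under a per-service threshold while still being obvious in aggregate.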

Post-infection activities

  • Upon successful intrusion, GoBruteforcer deploys an IRC bot that carries the attacker's URL.
  • It then starts communicating with the C2 server and waits for further commands from the attackers.
  • Simultaneously, for persistence, the IRC bot registers itself inside a cron.

The bottom line

The multiscan module in GoBruteforcer allows its operators to target a wide range of devices across the networks. The best way to avoid threats originating from brute forcers is to change default passwords and implement a strong password policy including 2FA.
Publisher: Cyware