Golang Worm Broadens its Horizons

A known malware campaign aimed at installing cryptominers has upgraded its tactics to now attack Windows systems.

What’s going on?

As per an analysis by Barracuda Networks, the Golang loader has propagated to Windows systems and other servers, while previously it was confined to targeting Linux machines. Golang is a loader that disseminates as a worm and infects vulnerable systems. Once the system is infected, it fetches XMRig, a cryptomining payload that mines for Monero.

Facts about Golang-based malware

  • Golang is a 10 year-old compiled programming language.
  • Earlier in April, Kinsing - a wormable loader written in Golang - was found dropping XMRig onto Docker containers.
  • For Windows machines, the malware adds a backdoor user account. In the case of Linux machines, an init/update script serves the purpose.

How to stay safe?

  • Ensure your web application firewall is properly configured.
  • Staying current on security updates and patches.
  • Regularly monitoring systems for suspicious activity.

The takeaway

The backdoor user account on Windows systems is used to deploy additional payloads on application servers, non-HTTP services, and web application frameworks.