GoBrut, also known as StealthWorker malware, has now been discovered targeting Unix-based machines. As per the latest research by security firm Alert Logic, GoBrut was found using a malicious Executable and Linkable Format (ELF) file for this purpose. Furthermore, the firm’s researchers also uncovered a new command-and-control (C2) server used by the botnet for communication.
Another C2, another location
Alert Logic analyzed the C2 load and found out there was another one at a different location that was exploiting WordPress sites. “To investigate this route, we pivoted through our data to identify related samples which may provide another C2 location and confirmed our theory – there is another C2 location which is exclusively executing WordPress brute force attempts. One thing which stood out from the attacking behavior of this C2 was that it used a login username which was literally ‘[login]’,” the blog stated.
The bottom line
Since GoBrut targets CMS, databases, and administration tools, it is evident that the actors mainly lean towards brute-force attacks. A compromise of 11,788 hosts indicates how botnets and brute-force attacks are used in conjunction to take down websites.
Users are advised to always patch website services and plugins. In addition, applying access control to remote logins can help neutralize brute-force attempts as well.