New GoBrut variant targets Unix systems, uses a separate C2

• Researchers also found that the botnet malware was exploiting WordPress-based websites.
• The new variant is detected to be an ELF variant that focuses on compromising Unix systems.

GoBrut, also known as StealthWorker malware, has now been discovered targeting Unix-based machines. As per the latest research by security firm Alert Logic, GoBrut was found using a malicious Executable and Linkable Format (ELF) file for this purpose. Furthermore, the firm’s researchers also uncovered a new command-and-control (C2) server used by the botnet for communication.

Worth noting

• While GoBrut primarily brute-forced Magento sites and phpMyAdmin applications, it was also observed that the botnet exploited the WordPress CMS. Over 9000 brute-forcing attempts were made on WordPress sites.
• On top of using a C2 server from its Windows variants, the ELF variant of GoBrut also used another C2 server for communication.
• Alert Logic’s 24-hour telemetry showed that the average number of GoBrut bots in operation grew five-fold this year, right from 500 in January to 2666 in March.
• Altogether, 11,788 unique hosts were detected to be compromised since January. Among the hosting providers, DigitalOcean is the most compromised due to GoBrut’s operations. Other major cloud platforms affected were AWS, OVH, and Google Cloud.

Another C2, another location

Alert Logic analyzed the C2 load and found out there was another one at a different location that was exploiting WordPress sites. “To investigate this route, we pivoted through our data to identify related samples which may provide another C2 location and confirmed our theory – there is another C2 location which is exclusively executing WordPress brute force attempts. One thing which stood out from the attacking behavior of this C2 was that it used a login username which was literally ‘[login]’,” the blog stated.

The bottom line

Since GoBrut targets CMS, databases, and administration tools, it is evident that the actors mainly lean towards brute-force attacks. A compromise of 11,788 hosts indicates how botnets and brute-force attacks are used in conjunction to take down websites.

Users are advised to always patch website services and plugins. In addition, applying access control to remote logins can help neutralize brute-force attempts as well.