New Golang Worm Drops XMRig Miner

Recently Intezer researchers discovered a new and self-spreading Golang-based malware that continues the popular 2020 trend of multi-platform malware. This new crypto-mining malware exploits known vulnerabilities to exploit the victim’s resources.

The Golang worm

Active since early December, the newly identified Golang worm targets both Windows and Linux servers and can easily move from one platform to the other.
  • The attack uses three files: a dropper script (bash or PowerShell), a Golang-based worm, and an XMRig miner on the exploited service.
  • The worm targets public-facing services such as Jenkins, MySQL, and Tomcat admin panel that have weak passwords.
  • In addition, an older version of the worm attempted to exploit the latest Oracle WebLogic remote code execution vulnerability (CVE-2020-14882).
  • The malware scans the network using TCP SYN to launch credential spraying brute force attack and spreads over the network.

The recent Golang malware

  • A few days ago, a new multi-platform credit card skimmer was detected, which could harvest payment info on compromised stores running on popular e-commerce platforms, including Shopify, BigCommerce, Zencart, and Woocommerce.
  • PyMICROPSIA was identified targeting Windows, however, its code was found to have snippets that could target additional operating systems, such as POSIX or darwin, making it a potential multi-platform threat.

Stay safe

With the rise in the usage of multi-platform malware, companies are recommended to use defense in depth strategies to protect against such cyber threats. Users should use complex passwords, limit login attempts, and use multi-factor authentication to protect against such cyber-threats.