New malware campaign distributes StealthWorker malware to compromise multiple platforms

• The StealthWorker malware also known as GoBrut is a brute-force malware which is written in the Go language.
• In this new campaign, attackers are leveraging the brute-force only approach targeting vulnerable host with weak credentials.

What is the issue - Researchers from FortiGuard Labs recently observed a new campaign that distributes the StealthWorker malware on Windows and Linux systems.

The StealthWorker malware also known as GoBrut is a brute-force malware which is written in the Go language.

Worth noting - Apart from the wider capabilities, the new version of StealthWorker has the capability to compromise multiple platforms. The malware is also capable of updating itself.

The big picture

In this new campaign, attackers are leveraging the brute-force only approach targeting vulnerable host with weak credentials.

After successfully compromising a target machine, the brute-force malware will create scheduled tasks on both Windows and Linux to gain persistence by copying itself in the Startup folder or to the /tmp folder and setting up a crontab entry respectively.

• Once the targeted machine is transformed into a botnet zombie, the StealthWorker will communicate with its C&C server that it is ready to function as a worker and accept tasks.
• After being assigned as a worker, the malware receives the tasks from the C&C server.
• After receiving the list of hosts and credentials from the C&C server, the worker’s task is to log in to the targeted host.
• Once the login is successful, the malware will report the used host and credentials to the C&C server as ‘saveGood’.

Brute force attacks

Researchers noted that while brute force attacks are a common practice of attackers, using a botnet's zombies as part of a large distributed campaign is something new.

StealthWorker malware is primarily used by the attackers for checking the services that are running on a targeted server and to brute force different services.

“Additionally, a distributed brute force attack coming from different source IP addresses can effectively bypass anti-brute force solutions, which are usually based on a threshold (e.g., if x failed requests coming from the source, then block the connection for xx minutes),” researchers wrote in a blog.