What is the issue - Researchers from FortiGuard Labs recently observed a new campaign that distributes the StealthWorker malware on Windows and Linux systems.
The StealthWorker malware, also known as GoBrut, is a brute-force malware written in the Go language.
Worth noting - Apart from the wider capabilities, the new version of StealthWorker has the capability to compromise multiple platforms. The malware is also capable of updating itself.
The big picture
In this new campaign, attackers are using a brute-force-only approach, targeting vulnerable hosts with weak credentials.
After successfully compromising a target machine, the malware gains persistence by creating scheduled tasks on both Windows and Linux: on Windows it copies itself to the Startup folder, and on Linux it copies itself to the /tmp folder and sets up a crontab entry.
Brute force attacks
Researchers noted that while brute force attacks are a common practice of attackers, using a botnet's zombies as part of a large distributed campaign is something new.
Attackers primarily use the StealthWorker malware to check which services are running on a targeted server and to brute-force different services.
“Additionally, a distributed brute force attack coming from different source IP addresses can effectively bypass anti-brute force solutions, which are usually based on a threshold (e.g., if x failed requests coming from the source, then block the connection for xx minutes),” researchers wrote in a blog.
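The limitation the researchers describe, shown as an added example (not code from FortiGuard Labs or the original article): a per-source threshold rule run next to a per-target aggregate over the same constructed failed-login events. The function names, the window length and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300  # seconds (assumed value)

def per_source_offenders(events, threshold, window=WINDOW):
    """Classic rule: flag a source after `threshold` failures within `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, _target in sorted(events):
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

def distributed_targets(events, min_failures, min_sources, window=WINDOW):
    """Aggregate by target: flag it when failures within `window` reach
    `min_failures` and come from at least `min_sources` distinct sources."""
    recent, flagged = defaultdict(deque), {}
    for ts, src, target in sorted(events):
        q = recent[target]
        q.append((ts, src))
        while q[0][0] <= ts - window:
            q.popleft()
        sources = {s for _, s in q}
        if len(q) >= min_failures and len(sources) >= min_sources:
            # keep the peak (failures, distinct sources) seen for this target
            flagged[target] = max(flagged.get(target, (0, 0)), (len(q), len(sources)))
    return flagged

def sample_events():
    """Constructed failed-login events: (epoch_seconds, source_ip, target_account)."""
    events = []
    # 12 sources from a documentation range, only 2 failures each, all on "admin"
    for i in range(12):
        for attempt in range(2):
            events.append((1000 + i * 10 + attempt * 120, f"198.51.100.{i + 1}", "admin"))
    # one noisy source: 6 failures on "bob"
    for k in range(6):
        events.append((1000 + k * 5, "203.0.113.9", "bob"))
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("per-source rule flags:", per_source_offenders(ev, threshold=5))
    print("per-target rule flags:", distributed_targets(ev, min_failures=10, min_sources=5))
```

On this sample the per-source rule flags only the single noisy address, while the per-target aggregate surfaces the account that received 24 failures spread over 12 sources.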