
GoBrut Botnet Targets Sites and Devices: Heimdal Security Report

Heimdal Security released an advisory to its customers, users, partners, and clients about the emergence of a botnet that has infected thousands of sites. The StealthWorker botnet (also known as GoBrut) has carried out a large number of attacks in a very short time by brute-forcing the targets' internet-facing NAS devices and web servers. According to Heimdal, the infected devices will be used in future botnet campaigns to compromise more hosts. GoBrut is not exactly a novelty among botnets.

It was involved in the August 2021 campaign against Synology's NAS devices, but its origin can be traced back to February 2019, when the malware launched various brute-force attacks against poorly secured CMSs, including Magento. In terms of design, GoBrut is written in Golang, a programming language popular in hacker communities and among pen testers because of its flexibility, coding efficiency, and reasonable learning curve. In Synology's case, the payload was distributed via JS injection or something similar.

Once distribution was tagged as successful, the malware begins to collect resources, identifying the ones vulnerable to brute force. The reason StealthWorker has had such impressive success is rooted in how poorly many CMS deployments manage password hygiene. In various incidents, the leaked credentials were default user-password pairs, which suggests that no measures were taken to strengthen the passwords. Regarding the intrusion, the credentials obtained via distributed dictionary-based brute-forcing were sent to a C2 panel hosted on a secondary 'attack' address that performed the C2 functions.
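Distributed dictionary brute-forcing against CMS admin logins, as described above, shows up in web-server access logs as many failed POSTs to a login path spread across many source addresses, so per-IP rate limiting alone misses it. The detector below is an added example for defenders, not code from Heimdal's report or from the malware; the combined-log-format layout, the login paths in LOGIN_PATHS, the 401/403 failure statuses and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Admin/login endpoints commonly hit by CMS and panel brute-forcers (assumed set; extend as needed).
LOGIN_PATHS = ("/wp-login.php", "/phpmyadmin/index.php", "/administrator/index.php", "/admin/")
FAILED_STATUSES = {401, 403}  # assumed: how the target web app answers a failed login

# Combined-log-format fields this detector needs: source IP, method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not taken from the report): a distributed dictionary attack
# against /wp-login.php from six sources, a single-source trickle against phpMyAdmin,
# and benign traffic including one successful login (302 redirect).
SAMPLE_LOG = [
    f'203.0.113.{i} - - [10/Aug/2021:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 401 512'
    for i in range(1, 7) for _ in range(2)
] + [
    '198.51.100.7 - - [10/Aug/2021:12:01:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 401 512',
] * 3 + [
    '192.0.2.5 - - [10/Aug/2021:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
    '192.0.2.5 - - [10/Aug/2021:12:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def detect_distributed_bruteforce(lines, min_failures=10, min_sources=5):
    """Return {login_path: (failed_logins, distinct_source_ips)} for every login path
    whose failure volume AND source diversity both reach the thresholds."""
    failures = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of aborting the scan
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or not path.startswith(LOGIN_PATHS):
            continue
        if int(m.group("status")) in FAILED_STATUSES:
            failures[path] += 1
            sources[path].add(m.group("ip"))
    return {
        p: (failures[p], len(sources[p]))
        for p in failures
        if failures[p] >= min_failures and len(sources[p]) >= min_sources
    }


if __name__ == "__main__":
    for path, (count, ips) in detect_distributed_bruteforce(SAMPLE_LOG).items():
        print(f"distributed brute force on {path}: {count} failures from {ips} source IPs")
```

With the default thresholds only the multi-source attack on /wp-login.php is reported; the single-source phpMyAdmin attempts fall below the source-diversity threshold and are left to ordinary per-IP rate limiting.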

Notably, GoBrut is also capable of backtracking user admin login paths and extracting backup file locations. Heimdal Security says: "the botnet StealthWorker is the very embodiment of the saying: 'simpler is better'. Although heavily reliant on volumetric attacks, this malware has managed to rake up numerous hits by leveraging sub-par authentication mechanisms."

StealthWorker: Manipulates Compromised E-Commerce Websites To Attack Windows and Linux Platforms

A new brute-force malware which goes by the name of StealthWorker was recently uncovered. This malware allegedly uses compromised e-commerce websites to steal personal data.

The platforms most affected by this malware are Linux and Windows.

Personal information and payment data are the basic motivations behind these malware attacks.

The malware is written in Golang, a language rarely seen in malware, which has also been used in a Mirai botnet development module.

To make this happen, the e-commerce websites are first compromised by planting an embedded skimmer.

The websites are compromised either by exploiting plugin vulnerabilities or through weaknesses in the Content Management System (CMS) itself.

The malware emerged while the researchers were analyzing the command and control server (5.45.69[.]149).

That is where they found a storage directory with samples intended to brute-force an admin tool.

Previous versions of this malware had only Windows on their radar.

The latest version, however, also carries server payload binaries for compromising Linux hosts.

One of the samples the researchers worked on, “PhpMyAdminBrut_Windows_x86.exe”, contained an IP address that led to a web panel login exposing an array of new samples.

Some open directories were also found containing new file names that pointed to IoT devices with ARM and MIPS architectures.

StealthWorker sets up routine execution so that the malware persists even after the system is rebooted.

The researchers also used an IDAPython script to locate other malicious functions.

The research also found that other platforms and services are on the target list, namely FTP, Joomla, cPanel, MySQL, SSH and others.

Furthermore, the cybercriminals behind it are making other major moves towards infecting an extensive variety of platforms.