
GOBruteforcer: an Active Web Server Harvester

Go, also known as Golang, is a relatively new programming language that has become popular with malware authors. It has proven versatile enough to build all kinds of malware, including ransomware, stealers, and remote access Trojans (RATs). Golang-based botnets appear particularly attractive to attackers seeking access to victim networks.

The GoBruteforcer botnet malware is the latest of these Golang-based threats. It targets web servers, specifically those running PHPMyAdmin, MySQL, FTP, and Postgres database software.

How GoBruteforcer Works

According to Palo Alto Networks' analysis, GoBruteforcer supports more than one processor architecture, including x86, x64, and ARM.

Execution of the malicious code depends on several conditions: it must be launched with specific arguments, and the targeted services must already be installed on the system with weak passwords. Only when all of these requirements are satisfied does the malware run.

  • Using weak passwords, the malware aims to gain access to vulnerable Unix-like platforms (commonly known as UNIX).
  • To begin an attack, it scans for possible targets running MySQL, Postgres, FTP, or PHPMyAdmin.

Expansion of Networks

The malware's source code has been updated with a multi-scan module that can find a far greater set of potential targets than before.
  • GoBruteforcer takes a Classless Inter-Domain Routing (CIDR) block as input and scans that block for vulnerable hosts. A CIDR block denotes a range of IP addresses within a single network, so it offers a much larger set of targets for intrusion than a single IP address does.
  • For each host in the range, it scans for open ports belonging to the services listed above; when it finds one, it launches a brute-force attack against that service to gain access to the machine.

Aspects of the Postinfection Period

  • Once GoBruteforcer has broken into a host, it deploys an IRC bot that retrieves the attacker's URL for further use.
  • The bot then communicates with the C2 server and waits for further directives from the attacker.
  • The IRC bot's registration is stored in a cron job, which serves as its persistence mechanism.

Using the multiscan feature, operators can scan a wide range of devices across different networks at once.
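A defender-side detection for the sweep-then-brute-force pattern described above, written in Go as an added example (it is not code from the post or from the GoBruteforcer analysis): it aggregates constructed failed-login lines from MySQL, Postgres, FTP and PHPMyAdmin by source IP and reports sources that hit many distinct hosts inside one CIDR block across several services. The log format, the thresholds and every address are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample log lines (not captured data), format:
//   <timestamp> <service> <dst-host:port> failed-login src=<ip> user=<name>
// 203.0.113.7 walks a /24 probing four services; 198.51.100.2 is one mistyped login.
var sampleLog = []string{
	"2023-03-10T10:00:01Z mysql 10.0.0.5:3306 failed-login src=203.0.113.7 user=root",
	"2023-03-10T10:00:02Z postgres 10.0.0.6:5432 failed-login src=203.0.113.7 user=postgres",
	"2023-03-10T10:00:03Z ftp 10.0.0.7:21 failed-login src=203.0.113.7 user=ftp",
	"2023-03-10T10:00:04Z phpmyadmin 10.0.0.8:80 failed-login src=203.0.113.7 user=admin",
	"2023-03-10T10:00:05Z mysql 10.0.0.5:3306 failed-login src=203.0.113.7 user=admin",
	"2023-03-10T10:05:00Z mysql 10.0.0.5:3306 failed-login src=198.51.100.2 user=alice",
	"2023-03-10T10:05:01Z this line is malformed and must be skipped",
}

type attempt struct{ service, dst, src, user string }

var lineRe = regexp.MustCompile(`^\S+ (\S+) (\S+) failed-login src=(\S+) user=(\S+)$`)

// parseLine extracts one failed-login attempt; ok is false for lines of another shape.
func parseLine(line string) (a attempt, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return attempt{}, false
	}
	return attempt{service: m[1], dst: m[2], src: m[3], user: m[4]}, true
}

// subnet24 returns the /24 containing an IPv4 host, or "" if it cannot be parsed.
func subnet24(host string) string {
	ip := net.ParseIP(host).To4()
	if ip == nil {
		return ""
	}
	return ip.Mask(net.CIDRMask(24, 32)).String() + "/24"
}

// SweepReport summarises one source that failed logins against many distinct
// hosts, the signature of a CIDR-range sweep followed by brute forcing.
type SweepReport struct {
	Src               string
	Attempts, Hosts   int
	Services, Subnets []string
}

// detectSweeps aggregates failed logins per source IP and reports sources that
// touched at least minHosts distinct hosts with at least minAttempts failures.
func detectSweeps(lines []string, minHosts, minAttempts int) []SweepReport {
	type agg struct {
		attempts                 int
		hosts, services, subnets map[string]bool
	}
	bySrc := map[string]*agg{}
	for _, l := range lines {
		a, ok := parseLine(l)
		if !ok {
			continue
		}
		g := bySrc[a.src]
		if g == nil {
			g = &agg{hosts: map[string]bool{}, services: map[string]bool{}, subnets: map[string]bool{}}
			bySrc[a.src] = g
		}
		g.attempts++
		g.services[a.service] = true
		if host, _, err := net.SplitHostPort(a.dst); err == nil {
			g.hosts[host] = true
			if s := subnet24(host); s != "" {
				g.subnets[s] = true
			}
		}
	}
	var out []SweepReport
	for src, g := range bySrc {
		if len(g.hosts) >= minHosts && g.attempts >= minAttempts {
			out = append(out, SweepReport{Src: src, Attempts: g.attempts, Hosts: len(g.hosts),
				Services: sortedKeys(g.services), Subnets: sortedKeys(g.subnets)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	for _, r := range detectSweeps(sampleLog, 3, 4) {
		fmt.Printf("sweep from %s: %d failures on %d hosts, services=%s, subnets=%s\n",
			r.Src, r.Attempts, r.Hosts, strings.Join(r.Services, ","), strings.Join(r.Subnets, ","))
	}
}
```

The thresholds are deliberately low for the sample; in production the distinct-host count within a single /24 is the more useful signal than raw failure volume, because a legitimate user mistyping a password never touches four hosts on four different service ports in a few seconds.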

Changing default passwords and enforcing a strong password policy, including two-factor authentication, significantly reduces the risk of attacks that rely on brute force.
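One way to act on the password part of that advice is to audit service accounts against a policy before a sweep finds them. The Go program below is an added example, not code from the post: the policy values (12 characters, three character classes), the weak-credential list and the sample accounts are all constructed assumptions, and two-factor authentication is outside what it checks.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy is the minimum bar a service password must clear. Assumed values; a
// real policy should also deny passwords found in breach corpora.
type Policy struct {
	MinLength  int
	MinClasses int // distinct character classes: lower, upper, digit, other
}

var defaultPolicy = Policy{MinLength: 12, MinClasses: 3}

// knownWeak is a constructed stand-in for a full default/breached-password list.
var knownWeak = map[string]bool{
	"": true, "root": true, "toor": true, "admin": true, "password": true,
	"123456": true, "mysql": true, "postgres": true, "ftp": true,
}

// charClasses counts how many of lower/upper/digit/other appear in s.
func charClasses(s string) int {
	var seen [4]bool
	for _, r := range s {
		switch {
		case unicode.IsLower(r):
			seen[0] = true
		case unicode.IsUpper(r):
			seen[1] = true
		case unicode.IsDigit(r):
			seen[2] = true
		default:
			seen[3] = true
		}
	}
	n := 0
	for _, b := range seen {
		if b {
			n++
		}
	}
	return n
}

// checkPassword returns every policy violation for a username/password pair;
// an empty result means the password is acceptable under p.
func checkPassword(p Policy, username, password string) []string {
	var v []string
	lower := strings.ToLower(password)
	if knownWeak[lower] {
		v = append(v, "matches a known default or weak credential")
	}
	if username != "" && strings.Contains(lower, strings.ToLower(username)) {
		v = append(v, "contains the username")
	}
	if n := len([]rune(password)); n < p.MinLength {
		v = append(v, fmt.Sprintf("only %d characters, policy requires %d", n, p.MinLength))
	}
	if c := charClasses(password); c < p.MinClasses {
		v = append(v, fmt.Sprintf("only %d character classes, policy requires %d", c, p.MinClasses))
	}
	return v
}

// Account is one service login to audit. The entries below are constructed.
type Account struct{ Service, User, Password string }

var sampleAccounts = []Account{
	{"mysql", "root", "root"},                // default, never changed
	{"postgres", "postgres", "postgres"},     // default, never changed
	{"ftp", "ftp", "Tr0ub4dor&3-Pl3ase!"},    // passes the policy
	{"phpmyadmin", "admin", "Admin2023"},     // contains username, too short
}

// auditAccounts returns the failing accounts keyed by "service/user".
func auditAccounts(p Policy, accounts []Account) map[string][]string {
	failing := map[string][]string{}
	for _, a := range accounts {
		if v := checkPassword(p, a.User, a.Password); len(v) > 0 {
			failing[a.Service+"/"+a.User] = v
		}
	}
	return failing
}

func main() {
	for key, reasons := range auditAccounts(defaultPolicy, sampleAccounts) {
		fmt.Printf("%s: %s\n", key, strings.Join(reasons, "; "))
	}
}
```

The weak-credential check runs on the lowercased password so that trivial capitalisation of a default ("Root", "Postgres") does not slip through; the username check is the one that catches the "admin"/"Admin2023" pattern, which no length-only rule would flag.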

Threat actors have always been attracted to web servers because they are lucrative targets. An organization's web servers are integral to its operations, so allowing weak passwords on them can lead to serious security threats. Weak (or default) passwords are exactly what malware such as GoBruteforcer exploits.

The GoBruteforcer bot can scan multiple targets at once, which lets it reach a wide range of networks and is what makes it effective. GoBruteforcer also appears to be under active development, so its operators are likely to change their strategies soon as they continue to target web servers with the tool.

ABCsoup Adware Campaign Employs 350 Browser Extension Variants to Target Russian Users

Zimperium researchers have identified an adware campaign targeting Russian users of the Google Chrome, Opera, and Mozilla Firefox browsers. The campaign employs more than 350 versions of malicious browser extensions that reuse the Google Translate extension ID to fool victims into downloading the malicious files.

"The extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores," researchers explained. 

The malicious browser add-ons carry the same extension ID as Google Translate to trick users into believing they have installed a legitimate extension. However, the extensions are not available on the official browser web stores.

The attackers deliver them via multiple Windows executables that install the add-on into the victim's web browser. If the targeted user already has the genuine Google Translate extension installed, the malicious variant replaces it because it carries a higher version number (30.2.5 vs. 2.0.10).

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta stated. 
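The replacement trick relies on version precedence: a sideloaded extension carrying the same ID and a higher version wins. The Go program below is an added example (not Zimperium's code) of an inventory check that compares each installed extension's ID, version and update URL against what the official store lists. The extension IDs, the inventory record layout and the catalogue versions are constructed placeholders; the Web Store update URL is the real endpoint Chrome Web Store extensions declare in their manifests.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Extension is one installed browser extension as an inventory might record it.
// Field names and all sample values below are constructed for this example.
type Extension struct {
	ID         string
	Name       string
	Version    string
	UpdateURL  string // endpoint the browser polls for updates
	Sideloaded bool   // installed by an external program rather than the store flow
}

// webStoreUpdateURL is the update endpoint declared by Chrome Web Store extensions.
const webStoreUpdateURL = "https://clients2.google.com/service/update2/crx"

// storeCatalog stands in for "the version the official store currently lists for
// this ID". The IDs are placeholders, not real extension IDs.
var storeCatalog = map[string]string{
	"placeholder-translate-id": "2.0.10",
	"placeholder-notes-id":     "1.4.0",
}

// compareVersions compares dotted numeric versions component by component,
// returning -1, 0 or 1. Plain string comparison gets "2.0.9" vs "2.0.10" wrong.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// auditExtensions flags installed extensions whose ID is listed in the store
// catalog but which do not look like the store's own copy: a non-store update
// URL, a sideloaded install, or a version above the one the store lists (the
// condition that lets a sideloaded copy displace the genuine extension).
func auditExtensions(inventory []Extension) map[string][]string {
	findings := map[string][]string{}
	for _, e := range inventory {
		storeVer, known := storeCatalog[e.ID]
		if !known {
			continue // not claiming a store identity; out of scope here
		}
		var reasons []string
		if e.UpdateURL != webStoreUpdateURL {
			reasons = append(reasons, "update URL is not the official store endpoint")
		}
		if e.Sideloaded {
			reasons = append(reasons, "installed by an external program, not the store")
		}
		if compareVersions(e.Version, storeVer) > 0 {
			reasons = append(reasons, fmt.Sprintf("version %s exceeds store-listed %s", e.Version, storeVer))
		}
		if len(reasons) > 0 {
			findings[e.ID] = reasons
		}
	}
	return findings
}

// sampleInventory is constructed: one genuine store extension, one sideloaded
// copy reusing a store ID with an inflated version, one unrelated dev extension.
var sampleInventory = []Extension{
	{"placeholder-notes-id", "Notes", "1.4.0", webStoreUpdateURL, false},
	{"placeholder-translate-id", "Translate", "30.2.5", "", true},
	{"placeholder-dev-id", "Local dev tool", "0.1.0", "", true},
}

func main() {
	for id, reasons := range auditExtensions(sampleInventory) {
		fmt.Printf("%s: %s\n", id, strings.Join(reasons, "; "))
	}
}
```

The version check is the one that matters for this campaign: an extension whose installed version is far above anything the store has ever published for that ID did not come from the store, whatever its ID says.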

According to Zimperium, the malicious extensions are geared towards serving pop-ups, siphoning private details to deploy target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity. 

The campaign's primary goal is to check whether Russian social networking services such as Odnoklassniki and VK are among the websites currently open in the browser and, if so, collect the victim's first and last name, date of birth and gender and transfer the data to a remote server.

The malicious extension not only uses the stolen details to serve personalized ads but can also inject custom JavaScript code depending on the websites opened. These include YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, indicating a heavy Russia focus.

The researchers attributed the campaign to threat actors based in Russia or Eastern Europe. Given the wide range of local domains targeted, the extensions were clearly created to single out Russian users.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."