Self-spreading Golang-based malware has been actively dropping XMRig cryptocurrency miners on both Windows and Linux servers since December 1st.
The multi-platform malware can also worm its way onto other systems by brute-forcing public-facing services (such as MySQL, Tomcat, Jenkins, and WebLogic) that are protected by weak passwords, as discovered by Intezer security researcher Avigayil Mechtinger.
The operators behind this campaign have kept improving the worm’s capabilities through their command-and-control (C2) server since it was first discovered, which points to actively maintained malware.
The C2 server hosts the bash script or PowerShell dropper (depending on the target platform), the Golang-based worm binary, and the XMRig miner, which stealthily mines the untraceable Monero cryptocurrency on infected devices.
“Both the ELF worm binary and the bash dropper script are undetected in VirusTotal,” Mechtinger stated.
Exploiting exposed servers and brute-forcing them
The worm spreads by scanning for MySQL, Tomcat, and Jenkins services and brute-forcing them with a password-spraying attack that uses a list of hardcoded credentials.
Earlier versions were also observed attempting to exploit the CVE-2020-1482 Oracle WebLogic remote code execution vulnerability.
Once it has compromised a server, it deploys the loader script (ld.sh on Linux or ld.ps1 on Windows), which drops both the XMRig miner and the Golang-based worm.
The malware also kills itself if it finds that the infected system is already listening on port 52013. If that port is not in use, the worm opens its own network socket.
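The port-52013 check gives defenders a simple host-level indicator: a LISTEN socket bound to that port on a server that has no business listening there is worth investigating. The script below is an added example, not tooling from Intezer or the article; it parses `ss -ltn`-style output (the sample rows are constructed, not captured from a real infection) and reports whether anything is listening on the worm’s port, and can run the same check against the live host when `ss` is available.

```shell
#!/bin/sh
# Added example: hunt for a listener on the worm's TCP port 52013.
# Reads `ss -ltn`-style output on stdin; exits 0 if a LISTEN socket is bound to the port.

WORM_PORT=52013   # port named in the Intezer write-up

# port_listening PORT  <  ss-output
port_listening() {
    port="$1"
    # `ss -ltn` columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
    awk -v p="$port" '
        NR == 1 { next }                     # skip the header row
        $1 == "LISTEN" {
            n = split($4, a, ":")            # last field after ":" is the port for
            if (a[n] == p) found = 1         # 0.0.0.0:52013, *:52013 and [::]:52013 alike
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed samples (not real captures) resembling `ss -ltn` output on a Linux host.
SAMPLE_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:3306          [::]:*'

SAMPLE_SUSPECT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   *:52013            *:*
LISTEN 0      128    [::]:3306          [::]:*'

# check_sample TEXT : run the detector over a captured/constructed ss dump
check_sample() {
    printf '%s\n' "$1" | port_listening "$WORM_PORT"
}

# check_host : run the detector against the current machine (exit 2 if ss is missing)
check_host() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | port_listening "$WORM_PORT"
}

if check_sample "$SAMPLE_SUSPECT"; then
    echo "sample: listener on TCP/$WORM_PORT found - investigate for the worm"
fi
```

A hit on this port is only a lead, not proof of infection: confirm it by checking which process owns the socket (`ss -ltnp`) and whether ld.sh, the worm binary, or an XMRig process is present on the host.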
“The fact that the worm’s code is nearly identical for both its PE and ELF malware—and that the ELF malware went undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms,” Mechtinger added.
To defend against the brute-force attacks mounted by this multi-platform worm, limit login attempts, use hard-to-guess passwords on every Internet-facing service, and enable two-factor authentication wherever possible.
Keeping software up to date and making sure servers are not exposed to the Internet unless absolutely necessary are other ways to protect against this latest threat.