Recently researchers discovered a new and self-spreading Golang-based malware. Read on to know more…
Recently Intezer researchers discovered a new and self-spreading Golang-based malware that continues the popular 2020 trend of multi-platform malware. This new crypto-mining malware exploits known vulnerabilities to exploit the victim’s resources. The Golang worm typically attempts to inject XMRig malware – increasingly used to mine for cryptocurrency such as monero – within vulnerable servers.
Oracle and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have previously warned WebLogic users to apply patches for the vulnerability.
About Golang Worm
Active since early December, the newly identified Golang worm targets both Windows and Linux servers and can easily move from one platform to the other. The attack uses three files: a dropper script (bash or PowerShell), a Golang-based worm, and an XMRig miner on the exploited service.
The worm targets public-facing services such as Jenkins, MySQL, and Tomcat admin panel that have weak passwords. In addition, an older version of the worm attempted to exploit the latest Oracle WebLogic remote code execution vulnerability (CVE-2020-14882). The malware scans the network using TCP SYN to launch credential spraying brute force attack and spreads over the network.
The Latest Golang Malware
A few days ago, a new multi-platform credit card skimmer was detected, which could harvest payment info on compromised stores running on popular e-commerce platforms, including Shopify, BigCommerce, Zencart, and Woocommerce. PyMICROPSIA was identified targeting Windows, however, its code was found to have snippets that could target additional operating systems, such as POSIX or darwin, making it a potential multi-platform threat.
During the initial time of analysis, all files used in the attack was hosted on a single Command and Control server. Initial access was gained by the Golang worm through the exploit of web facing services previously mentioned. CVE-2020-14882 affecting WebLogic servers is one specific vulnerability exploited by this worm.
To spread, the worm scans the local network for vulnerable services to exploit and monitors network traffic through use of the “gopacket” Go library. Brute force password spraying is used with a built-in dictionary to take advantage of weak credentials. The worm uses a dropper script written in Bash or PowerShell (depending on the respective platform) to install XMRig and spread the malware.
With the rise in the usage of multi-platform malware, organizations are recommended to use defense in depth strategies to protect against such cyber threats. Users should use complex passwords, limit login attempts, and use multi-factor authentication to protect against such cyber-threats.
It is also recommend to block and monitor for the IOCs listed in each of the sources referenced and ensure all public facing servers (WebLogic, MySQL, etc.) are up to date with latest patches.