New Golang-Based Worm Targets Servers to Mine MoneroResearchers Say Recently Uncovered Malware Targets Windows and Linux
Researchers at the security firm Intezer have detected a new Golang-based worm that is targeting Windows and Linux servers with monero cryptomining malware.
See Also: Threat Briefing: Ransomware
The worm, which has been active since early December, typically attempts to inject XMRig malware - increasingly used to mine for cryptocurrency such as monero - within vulnerable servers, the researchers say (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign). It targets vulnerable, public-facing services such as MySQL, the Tomcat administration panel and the open-source automation Jenkins server that use weak passwords. Plus, it targets a vulnerability in Oracle WebLogic that is tracked as CVE-2020-14882.
Oracle and the U.S. Cybersecurity and Infrastructure Security Agency have previously warned WebLogic users to apply patches for the vulnerability (see: CISA and Oracle Warn Over WebLogic Server Vulnerability).
"During our analysis, the attacker kept updating the worm on the command-and-control server, indicating that it's active and might be targeting additional weak configured services in future updates," Avigayil Mechtinger, a security researcher at Intezer, notes in the report.
How It Works
An attack typically starts with the worm attempting to brute force passwords to gain access to a device. Once inside, it uses three separate files to continue its attack. The first is a dropper - either a Bash or PowerShell script. The second is a Golang binary worm, and the third is the XMRig miner. All are hosted on the same command-and-control server, the researchers determined.
During the attack, the worm checks if a process on the infected machine is listening on port 52013 of the targeted server. A listener on this port would function as a mutex - a synchronization mechanism for enforcing limits on access to a resource in an environment where there are many threads of execution. If a listener is not found on the port, a network socket is opened, the researchers say.
The Linux version of the worm so far remains undetected on the VirusTotal scanning platform, according to the report. "The fact that the worm's code is nearly identical for both its [Windows] and [Linux] malware - and the [executable Linux file] malware going undetected in VirusTotal - demonstrates that Linux threats are still flying under the radar for most security and detection platforms," Mechtinger says.
Kyung Kim, senior managing director and the head of cybersecurity for the Asia-Pacific Region at FTI Consulting, says more threat actors are using the Golang programming language to help them target operating systems other than Windows.
"Golang is popular for attackers because it's multi-variate and allows a single codebase to be accumulated into all major operating systems," Kim says. "Rather than attacking end-users, Golang malware focuses its efforts on compromising application servers, frameworks and web applications, which is partially why it can infiltrate systems easily without being detected."
Other security researchers have noted an increase in malware, especially cryptominers, targeting the Linux platform.
In November, Intezer found the Linux version of the Stantinko botnet was recently updated to better mine cryptocurrency and deliver malware (see: Linux Botnet Disguises Itself as Apache Server).
Another example is the "InterPlanetary Storm" botnet that infects Windows, Linux, Mac and Android devices, according to Barracuda Networks. It mines for cryptocurrency and can initiate distributed denial-of-service attacks (see: 'InterPlanetary Storm' Botnet Infecting Mac, Android Devices ).