A newly discovered, self-propagating Golang-based worm has been compromising Linux and Windows servers and dropping the XMRig cryptocurrency miner on them since early December.
Avigayil Mechtinger, a security researcher at Intezer, found that the malware has worm capabilities: it spreads to other systems by brute-forcing publicly exposed services that use weak passwords, including MySQL, Jenkins, Tomcat and WebLogic.
The worm's capabilities have been updated repeatedly through its command-and-control (C2) server since it was first observed, which leads the researchers to conclude that the malware is actively maintained and receives regular updates.
The C2 server's main role is to host the dropper script for the target platform (a bash script for Linux, a PowerShell script for Windows). More generally, the C2 channel is what lets the attackers keep control of a machine once it is infected, even one sitting behind a firewall.
Together, the Golang-based worm binary and the XMRig miner use the infected devices to mine Monero, a cryptocurrency that is difficult to trace.
The worm spreads to other machines by scanning for Tomcat, Jenkins or MySQL services and brute-forcing them, using password spraying with a hard-coded list of credentials.
Older versions of the malware were also seen attempting to exploit CVE-2020-14882, a remote code execution vulnerability in Oracle WebLogic.
As soon as it compromises one of the targeted servers, the loader script is deployed, which in turn drops both the Golang-based worm binary and the XMRig miner.
Once running, the malware checks whether anything is already listening on port 52013 on the infected system. If so, it assumes another copy is already running and terminates itself; otherwise the worm opens a new socket on that port, which makes a listener on 52013 a useful host-level indicator of infection.
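The spreading technique described above leaves a characteristic trace on the target: one source host failing logins against many different usernames in a short time. The following is an added detection example written for this article, not code from Intezer or from the worm. It assumes MySQL-style error-log lines of the form `<timestamp> <thread id> [Note] Access denied for user '<user>'@'<host>' (using password: YES)`, and the thresholds, window and sample log are all assumptions constructed for the example; the same sliding-window logic applies to Tomcat or Jenkins authentication failures once they are parsed into (time, user, source) tuples.

```python
"""Flag credential-spraying and brute-force sources from MySQL auth-failure logs.

Added example for this article; it is not code from Intezer or from the worm.
It assumes MySQL error-log lines of the shape
  <ISO timestamp>Z <thread id> [Note] Access denied for user '<user>'@'<host>' (using password: YES)
and flags a source host that fails against many distinct usernames inside a
short window (password spraying with a credential list) or many times against
one user (classic brute force). Thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_line(line):
    """Return (timestamp, user, source host) for an access-denied line, else None."""
    m = ACCESS_DENIED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group("user"), m.group("host")


def find_sprayers(lines, window=timedelta(minutes=5), min_users=4, min_failures=10):
    """Return {host: {"users": n, "failures": n, "reasons": [...]}} for hosts to block.

    For each source host the failures are sorted by time and a sliding window
    is run over them; the worst window decides the verdict.
    """
    events = defaultdict(list)  # source host -> [(timestamp, username)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, user, host = parsed
            events[host].append((ts, user))

    verdicts = {}
    for host, evs in events.items():
        evs.sort()
        worst_users = worst_failures = 0
        j = 0
        for i in range(len(evs)):
            # advance j to the first failure outside the window starting at i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            span = evs[i:j]
            worst_failures = max(worst_failures, len(span))
            worst_users = max(worst_users, len({user for _, user in span}))
        reasons = []
        if worst_users >= min_users:
            reasons.append("password spraying")
        if worst_failures >= min_failures:
            reasons.append("brute force")
        if reasons:
            verdicts[host] = {"users": worst_users, "failures": worst_failures,
                              "reasons": reasons}
    return verdicts


def _denied(ts, user, host):
    return f"{ts} 7 [Note] Access denied for user '{user}'@'{host}' (using password: YES)"


# Constructed sample log, not real traffic: 10.0.0.5 sprays five usernames in
# two minutes, 10.0.0.9 hammers root, 192.168.1.20 is a single mistyped password.
SAMPLE_LOG = [
    "2020-12-10T03:00:00.000000Z 0 [Note] InnoDB: Buffer pool(s) load completed",
    _denied("2020-12-10T03:00:01.000000Z", "root", "10.0.0.5"),
    _denied("2020-12-10T03:00:31.000000Z", "admin", "10.0.0.5"),
    _denied("2020-12-10T03:01:02.000000Z", "mysql", "10.0.0.5"),
    _denied("2020-12-10T03:01:33.000000Z", "test", "10.0.0.5"),
    _denied("2020-12-10T03:02:04.000000Z", "jenkins", "10.0.0.5"),
    _denied("2020-12-10T03:02:40.000000Z", "alice", "192.168.1.20"),
] + [
    _denied(f"2020-12-10T03:10:{sec:02d}.000000Z", "root", "10.0.0.9")
    for sec in range(12)
]

if __name__ == "__main__":
    for host, verdict in find_sprayers(SAMPLE_LOG).items():
        print(host, verdict)
```

Counting distinct usernames per source rather than failures per account is what separates spraying from ordinary brute force: a sprayer may try each account only once, which per-account lockout thresholds never notice.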
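The port check is a single-instance lock implemented with a socket instead of a named mutex, and it cuts both ways: the same probe the worm runs tells a responder whether a host carries the indicator. Below is an added example written for this article, not the worm's code, showing both sides. It assumes the behaviour the report describes (the sample exits if something already listens on 52013 and otherwise opens a socket there); the function names and the use of `127.0.0.1` are this example's own choices.

```python
"""Single-instance lock via a listening TCP port, as the worm does on port 52013.

Added example for this article, not the worm's code. It assumes the behaviour
described in the report: exit if something already listens on the port,
otherwise hold a socket open on it. claim_instance_port() mirrors the worm's
logic; port_listening() is the responder-side check for the same indicator.
"""
import socket

INSTANCE_PORT = 52013  # port named in the report; 127.0.0.1 is an assumption


def claim_instance_port(port=INSTANCE_PORT, host="127.0.0.1"):
    """Try to become the single running instance by binding and listening.

    Returns the listening socket (keep it open for the process lifetime) or
    None if another process already holds the port; the worm exits on None.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(1)
    except OSError:  # EADDRINUSE: another instance (or anything else) holds it
        sock.close()
        return None
    return sock


def port_listening(port=INSTANCE_PORT, host="127.0.0.1", timeout=0.5):
    """Responder check: is anything accepting connections on host:port?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(timeout)
        return probe.connect_ex((host, port)) == 0


if __name__ == "__main__":
    if port_listening():
        print("something is listening on 52013: investigate the owning process")
    else:
        print("52013 is free")
```

A listener on 52013 is only an indicator, not proof; the owning process, its binary hash and its outbound connections are what confirm an infection.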
Mechtinger also points out that Linux threats still fly under the radar of most security and detection platforms: although the worm's code is nearly identical in its ELF (Linux) and PE (Windows) builds, the ELF sample is poorly detected on VirusTotal.
Defending against the worm's brute-force attacks is straightforward: limit login attempts and use passwords that are not easy to guess on every internet-exposed service.
It is also advisable to use two-factor authentication, monitor and rate-limit by source IP address, add a CAPTCHA to login forms, and deploy a web application firewall. Network security and threat detection tools that are easy to use are also available and help protect one's identity online.
Business owners should give employees encrypted, secured connections and the necessary cyber awareness training. Many companies neglect security awareness training, yet it is one of the most effective ways to keep everyday internet use safe. The course should cover everything from classic phishing schemes and social engineering tactics to what to do when something looks unusual or out of place.