A newly discovered, self-spreading Golang-based malware has been actively dropping XMRig cryptocurrency miners on Windows and Linux servers since early December.
This multi-platform malware also has worm capabilities that allow it to spread to other systems by brute-forcing public-facing services (i.e., MySQL, Tomcat, Jenkins and WebLogic) with weak passwords, as revealed by Intezer security researcher Avigayil Mechtinger.
The attackers behind this campaign have been actively updating the worm's capabilities through its command-and-control (C2) server since it was first spotted, which hints at actively maintained malware.
The C2 server is used to host the bash or PowerShell dropper script (depending on the targeted platform), a Golang-based binary worm, and the XMRig miner deployed to surreptitiously mine for untraceable Monero cryptocurrency on infected devices.
"The ELF worm binary and the bash dropper script are both fully undetected in VirusTotal at the time of this publication," Mechtinger said.
Brute-forcing and exploiting exposed servers
The worm spreads to other computers by scanning for and brute-forcing MySQL, Tomcat, and Jenkins services using password spraying and a list of hardcoded credentials.
Older versions of the worm were also seen attempting to exploit the CVE-2020-14882 Oracle WebLogic remote code execution vulnerability.
Once it manages to compromise one of the targeted servers, it will deploy the loader script (ld.sh for Linux and ld.ps1 for Windows) that drops both the XMRig miner and the Golang-based worm binary.
The malware will automatically kill itself if it detects that the infected system is already listening on port 52013. If the port is not in use, the worm will open its own network socket on it.
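The port-52013 single-instance check described above doubles as a host-level indicator for defenders: a listener on that port is unusual on a server that does not intentionally use it. The following is an added example (not code from the article or from Intezer) that parses Linux /proc/net/tcp and /proc/net/tcp6 rows, collects ports in the LISTEN state, and flags the marker port. The port number comes from the article; the sample /proc/net/tcp content is constructed for the example, and the file paths are the standard Linux ones.

```python
"""Flag a TCP listener on port 52013, the worm's single-instance marker port.

Assumes the Linux /proc/net/tcp{,6} format: the 'local_address' column is
HEXIP:HEXPORT and the 'st' column is the socket state (0A = TCP_LISTEN).
"""
from typing import Iterable, List

MARKER_PORT = 52013   # port named in the article; 0xCB2D in /proc/net/tcp
LISTEN_STATE = "0A"   # Linux TCP_LISTEN as shown in the 'st' column


def parse_listeners(lines: Iterable[str]) -> List[int]:
    """Return local ports in LISTEN state from /proc/net/tcp-style lines."""
    ports = []
    for line in lines:
        fields = line.split()
        # Skip the header row ("sl local_address ...") and malformed rows.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        local_addr, state = fields[1], fields[3]
        if state != LISTEN_STATE:
            continue
        # local_address is HEXIP:HEXPORT for IPv4 or 32-hex-digits:HEXPORT for IPv6;
        # the port is always the last colon-separated field.
        try:
            port = int(local_addr.rsplit(":", 1)[1], 16)
        except (IndexError, ValueError):
            continue
        ports.append(port)
    return ports


def marker_port_listening(lines: Iterable[str]) -> bool:
    """True if any row shows a listener on the worm's marker port."""
    return MARKER_PORT in parse_listeners(lines)


def check_host(paths=("/proc/net/tcp", "/proc/net/tcp6")) -> bool:
    """Read the live socket tables (Linux only) and apply the check."""
    lines: List[str] = []
    for path in paths:
        try:
            with open(path, encoding="ascii") as fh:
                lines.extend(fh.readlines())
        except OSError:
            # Not Linux, or not readable; treat as no evidence.
            continue
    return marker_port_listening(lines)


# Constructed sample: sshd on 22, MySQL on 3306, the marker port 52013 in
# LISTEN, and one ESTABLISHED connection to 52013 that must not count.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   107        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:CB2D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:CB2D 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 0 0 10 -1
"""

# Constructed clean sample: same services, no marker-port listener.
SAMPLE_CLEAN = "\n".join(SAMPLE_PROC_NET_TCP.splitlines()[:3]) + "\n"


if __name__ == "__main__":
    print("sample listeners:", parse_listeners(SAMPLE_PROC_NET_TCP.splitlines()))
    print("sample flagged:", marker_port_listening(SAMPLE_PROC_NET_TCP.splitlines()))
    print("this host flagged:", check_host())
```

A hit from this check is a reason to look at which process owns the socket, not proof of infection on its own; a legitimate service could be configured on the same port. The ESTABLISHED row in the sample shows why the state column is filtered: only a LISTEN socket reflects the worm's claim on the port.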
"The fact that the worm's code is nearly identical for both its PE and ELF malware—and the ELF malware going undetected in VirusTotal—demonstrates that Linux threats are still flying under the radar for most security and detection platforms," Mechtinger added.
To defend against brute-force attacks launched by this new multi-platform worm, you should limit logins and use hard-to-guess passwords on all Internet-exposed services, as well as two-factor authentication whenever possible.
Keeping your software up to date at all times and making sure that your servers aren't reachable over the Internet unless absolutely necessary are other ways to defend against this new malware threat.