A new Golang-based malware named GoBruteforcer has been seen targeting web servers to add to its botnet. It appears to specifically target web servers running phpMyAdmin, MySQL, FTP, and Postgres services within a network.
GoBruteforcer uses CIDR block scanning to check a large number of IP addresses for specific open ports. Once a host is found, GoBruteforcer attempts to gain access to the server via brute force, using a hard-coded set of credentials to try within the binary. If the brute force attack is successful, it deploys an IRC bot that communicates back to the attacker’s infrastructure. The IRC bot is used to execute commands on the system to gather information on it and the network. GoBruteforcer was also seen using a PHP web shell on a compromised system to achieve similar remote command execution as the IRC bot.
GoBruteforcer appears to mainly target Unix-like systems, likely due to the popularity of the operating system for hosting servers. While the initial infection vector for both GoBruteforcer and the PHP web shell is unknown, it is believed that the new malware is still under development and will continue to evolve its feature set.
Analyst Notes
One of the best methods to prevent brute force attacks from succeeding is to have strong passwords implemented across all systems. Creating passwords that are 20+ characters in length, with a random mix of uppercase and lowercase characters, special characters, and numbers is an efficient way to prevent a brute force attack from allowing a malicious user to gain access to a system. Limiting login attempts is another way to prevent brute force attacks from succeeding. Brute force attacks require trying a large set of credentials against a system, so rate limiting how many attempts can occur will help slow down the attacks to the point where they are no longer feasible to attempt. Enabling multi-factor authentication can also help prevent unauthorized access to a system, should one of the credentials attempted succeed. MFA is an excellent asset to use to prevent brute force and other types of password compromises from allowing a threat actor access to a system. Finally, using forms of password less authentication where possible can help prevent these attacks from succeeding. Switching to methods like public key or biometric authentication for granting access to systems can help remove the risk of password-based attacks altogether.
https://thehackernews.com/2023/03/gobruteforcer-new-golang-based-malware.html
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/