Malware known as GoBruteforcer targets Postgres, MySQL, phpMyAdmin, and FTP (30th March 2023)

Ref# AL2023_23 | Date: Mar 30th 2023

Description  

A recently discovered Golang-based botnet malware scans for and attacks *nix servers that expose the phpMyAdmin, MySQL, FTP, and Postgres services. Builds of the malware exist for the ARM, x86, and x86_64 architectures.

Details   

GoBruteforcer attempts to break into poorly secured *nix hosts by brute forcing accounts that use weak or default passwords. According to the researchers, the malware only executes successfully when specific conditions are met on the victim system: it must be launched with particular arguments, and at least one of the targeted services must be installed and protected by a weak password.

For each targeted IP address, the malware probes for the phpMyAdmin, MySQL, FTP, and Postgres services. When it finds an open port that accepts connections, it attempts to log in with a hard-coded set of credentials. Once inside, it deploys an IRC bot on compromised phpMyAdmin systems and a PHP web shell on servers running the other targeted services.

In the next phase of the attack, GoBruteforcer connects to its command-and-control server and waits for commands, which reach it through the previously installed IRC bot or web shell. Rather than going after a single IP address, the botnet uses a multiscan module to discover potential victims across an entire Classless Inter-Domain Routing (CIDR) block: it selects a CIDR range and works through every address in it looking for hosts to attack.
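The behaviour described above, a single source trying hard-coded credentials against several database and FTP services on each host it scans, leaves a recognisable pattern in authentication logs. The script below is an added detection example for this advisory, not code from the advisory or from the malware: it parses failed-login lines from three services, groups them by client IP, and flags any source that exceeds a threshold of failures inside a sliding time window. The regexes assume common default log formats (MySQL error log, PostgreSQL with log_line_prefix set to '%m [%p] %h ', and vsftpd); the sample log lines are constructed, and 203.0.113.45 and 198.51.100.7 are RFC 5737 documentation addresses, not indicators from this alert.

```python
"""Flag brute-force login activity of the kind GoBruteforcer generates.

Added example for this advisory, not code from the advisory or from the
malware. The regexes assume common default log formats: the MySQL error
log, PostgreSQL with log_line_prefix set to '%m [%p] %h ', and vsftpd.
The sample lines at the bottom are constructed for this example; the
addresses 203.0.113.45 and 198.51.100.7 are RFC 5737 documentation
addresses, not indicators from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per service; each captures the timestamp, attempted user and
# client IP of a failed login.
PATTERNS = {
    "mysql": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+"
        r"(?:\[[^\]]*\]\s+)+Access denied for user '(?P<user>[^']*)'@'(?P<ip>[\d.]+)'"
    ),
    "postgres": re.compile(
        r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s+\S+\s+\[\d+\]\s+'
        r'(?P<ip>[\d.]+)\s+FATAL:\s+password authentication failed for user "(?P<user>[^"]*)"'
    ),
    "vsftpd": re.compile(
        r'^\w{3} (?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
        r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?:::ffff:)?(?P<ip>[\d.]+)"'
    ),
}
TS_FORMATS = {
    "mysql": "%Y-%m-%dT%H:%M:%S",
    "postgres": "%Y-%m-%d %H:%M:%S",
    "vsftpd": "%b %d %H:%M:%S %Y",
}


def parse_failure(line):
    """Return (service, timestamp, ip, user) for a failed-login line, else None."""
    for service, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FORMATS[service])
            return service, ts, m.group("ip"), m.group("user")
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for sources with >= threshold failures in any window.

    Failures are grouped by client IP across all services, because the
    malware's scanner tries several services on a host from one source;
    a single IP failing against MySQL, Postgres and FTP in quick succession
    is a stronger signal than any per-service count alone.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            service, ts, ip, user = parsed
            events[ip].append((ts, service, user))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(evs),
                    "services": sorted({svc for _, svc, _ in evs}),
                    "users": sorted({usr for _, _, usr in evs}),
                }
                break
    return alerts


# Constructed sample: one source hammering three services inside six
# seconds, one legitimate user mistyping a password twice, one unrelated line.
SAMPLE_LOG = [
    "2023-03-30T10:15:01.123456Z 45 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)",
    "2023-03-30T10:15:02.000000Z 46 [Note] Access denied for user 'admin'@'203.0.113.45' (using password: YES)",
    '2023-03-30 10:15:03.456 UTC [12345] 203.0.113.45 FATAL:  password authentication failed for user "postgres"',
    'Thu Mar 30 10:15:04 2023 [pid 2001] [root] FAIL LOGIN: Client "::ffff:203.0.113.45"',
    '2023-03-30 10:15:05.001 UTC [12346] 203.0.113.45 FATAL:  password authentication failed for user "admin"',
    'Thu Mar 30 10:15:06 2023 [pid 2002] [ftp] FAIL LOGIN: Client "203.0.113.45"',
    '2023-03-30 10:15:10.000 UTC [12350] 198.51.100.7 FATAL:  password authentication failed for user "app"',
    '2023-03-30 10:15:14.000 UTC [12351] 198.51.100.7 FATAL:  password authentication failed for user "app"',
    "2023-03-30 10:15:20.000 UTC [12352] 198.51.100.7 LOG:  connection authorized: user=app database=app",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures across {info['services']} as {info['users']}")
```

On the sample, only 203.0.113.45 is flagged: six failures across all three services with four different usernames in six seconds, while the two failures from 198.51.100.7 stay below the threshold. In production the threshold and window should be tuned to the environment, and the per-source view should be complemented by a per-account view, since a distributed botnet can spread its attempts over many source addresses.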

Scanning a CIDR block instead of a single address lets the malware reach a large number of hosts in one campaign. GoBruteforcer appears to be under active development, and its operators are likely to keep adjusting their tactics and the malware's ability to target web servers while evading security controls. Because development is ongoing, details such as the initial infection vector and the payloads may change.

Indicators of Compromise 

Below are IOCs for the GoBruteforcer malware.

Hashes (SHA-256)

de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b  

Web shell 

602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665 

Web shell 

acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834  

Older version of GoBruteforcer 

426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218  

IRC bot(x86) 

726ccd223a1cfb60fc6c3b48ea3dbf057da918efac5acf620cd026ee38fb0044  

IRC bot(ARM) 

526767fbb26c911601371745d603885b75deabcc18261ed2d5a509d58f95d28e 

GoBruteforcer (x86_64) 

dd3555025957cd51cd048d920027a0ff2d5501bc85792529217d54086e9351c2 

GoBruteforcer (x86_64) 

df7dc0fe7e90a2414ac188c55d06ad3882cfc7394869c9ffa549fb1ddb304919 

GoBruteforcer (x86_64) 

ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84 

GoBruteforcer (x86_64) 

5548935e7c6cf3b38240a0579cac36906e9883a1ec5e85335609e9e2062588c5 

GoBruteforcer ARM(64-bit) 

5627b138bc857081d2251edd7eb3b68cbd58dfff2f51b7cd34c893fffff2cfab 

GoBruteforcer ARM(64-bit) 

5c1d3fb43e9e35b835e62e05a7b97ed66ab132eab35bfc18ce543e8f58ccf5e2 

GoBruteforcer ARM(32-bit) 

7c27ac0daba19de227fcc467abfcdefa99426c768a3601b1b181e9741717665b 

GoBruteforcer (x86) 

URL and IP 

  • 5.253[.]84[.]159/x 

  • fi[.]warmachine[.]su 

Remediation   

The Guyana National CIRT urges the public to watch for and alert on these and any related IOCs. In addition, we recommend that you:

  • Routine education, awareness training, and phishing simulations rarely account for web browser hygiene and MFA fatigue. Any lessons learned should be applied and communicated.

  • Scan your network and hosts for the IOCs above, and prioritize and block any indicators connected to this threat actor or attack.
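The file hashes and network indicators published above are only useful if they are actually checked against hosts and logs. The script below is an added example for this advisory, not code from the advisory or the researchers: it sweeps a directory tree, hashes every regular file with SHA-256 and reports any file matching the indicator table (copied from the Indicators of Compromise section), and it also refangs the defanged URL and domain so they can be pasted into a blocklist or log search. The directory to sweep, the file-size cap and the scratch files written by demo() are assumptions constructed for illustration.

```python
"""Sweep a filesystem tree for the GoBruteforcer file indicators in this
advisory and normalise its defanged network indicators for blocklists.

Added example, not code from the advisory or the researchers. The hash
table below is copied from the Indicators of Compromise section; the
directory to sweep, the file-size cap and the scratch files written by
demo() are assumptions constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> description, as published in the advisory.
GOBRUTEFORCER_SHA256 = {
    "de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b": "Web shell",
    "602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665": "Web shell",
    "acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834": "Older version of GoBruteforcer",
    "426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218": "IRC bot (x86)",
    "726ccd223a1cfb60fc6c3b48ea3dbf057da918efac5acf620cd026ee38fb0044": "IRC bot (ARM)",
    "526767fbb26c911601371745d603885b75deabcc18261ed2d5a509d58f95d28e": "GoBruteforcer (x86_64)",
    "dd3555025957cd51cd048d920027a0ff2d5501bc85792529217d54086e9351c2": "GoBruteforcer (x86_64)",
    "df7dc0fe7e90a2414ac188c55d06ad3882cfc7394869c9ffa549fb1ddb304919": "GoBruteforcer (x86_64)",
    "ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84": "GoBruteforcer (x86_64)",
    "5548935e7c6cf3b38240a0579cac36906e9883a1ec5e85335609e9e2062588c5": "GoBruteforcer ARM (64-bit)",
    "5627b138bc857081d2251edd7eb3b68cbd58dfff2f51b7cd34c893fffff2cfab": "GoBruteforcer ARM (64-bit)",
    "5c1d3fb43e9e35b835e62e05a7b97ed66ab132eab35bfc18ce543e8f58ccf5e2": "GoBruteforcer ARM (32-bit)",
    "7c27ac0daba19de227fcc467abfcdefa99426c768a3601b1b181e9741717665b": "GoBruteforcer (x86)",
}

# Network indicators exactly as defanged in the advisory.
DEFANGED_NETWORK_IOCS = ["5.253[.]84[.]159/x", "fi[.]warmachine[.]su"]


def refang(indicator):
    """Undo the [.] and hxxp defanging so the value can be matched against
    firewall logs or DNS queries. Keep the defanged form in documents."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_hashes=GOBRUTEFORCER_SHA256, max_size=50 << 20):
    """Return [(path, sha256, label)] for files under root matching ioc_hashes.

    Symlinks are skipped (an attacker-controlled link could point the sweep
    at /dev/zero or outside the tree) and files above max_size are skipped
    so a single huge file cannot stall the run.
    """
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue
                if path.stat().st_size > max_size:
                    continue
                digest = sha256_file(path)
            except OSError:
                # Unreadable file (permissions, vanished mid-scan): move on.
                continue
            if digest in ioc_hashes:
                matches.append((str(path), digest, ioc_hashes[digest]))
    return matches


def demo():
    """Build a scratch tree with one constructed stand-in for a web shell and
    one clean file, sweep it, and return (matches, planted_hash). The planted
    file's hash is added to a copy of the IOC table; the real indicators are
    never written to disk."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp) / "var" / "www" / "html"
        www.mkdir(parents=True)
        planted = www / "x.php"
        planted.write_bytes(b"<?php /* constructed stand-in, not the real web shell */ ?>")
        (www / "index.html").write_bytes(b"<html>clean</html>")
        planted_hash = hashlib.sha256(planted.read_bytes()).hexdigest()
        iocs = dict(GOBRUTEFORCER_SHA256, **{planted_hash: "constructed test sample"})
        matches = scan_tree(tmp, iocs)
    return matches, planted_hash


if __name__ == "__main__":
    for indicator in DEFANGED_NETWORK_IOCS:
        print("block/search:", refang(indicator))
    for path, digest, label in demo()[0]:
        print(f"MATCH {label}: {path} ({digest})")
```

On a real host, call scan_tree() against the web root and the directories the services write to, and run it as a user with read access to those paths; a hash sweep only catches the exact samples listed, so treat a clean result as the absence of known files, not as proof the host is uncompromised.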

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: GoBruteforcer targets Postgres, MySQL, phpMyAdmin and FTP.pdf
