New Malware named Golang Spotted in the Wild Targeting Linux Servers

Security researchers have discovered a new form of malware, named Golang, in the wild mining the cryptocurrency Monero.

The Golang malware is based on the open-source Go programming language.

According to the analysis published by Palo Alto Networks Unit 42, there has been a significant increase in malware developed in the Go programming language over the past few months.

Security researcher Josh Grunzweig of Palo Alto Networks collected a total of 10,700 unique malware samples written in Go, the majority targeting the Windows operating system.

“Of the samples, 75% were able to have their malware family identified. The most prominent malware families included VeilGoBot2, and HERCULES. Additionally, the most prevalent malware groupings included Pentesting, Remote Access Trojans (RATs), and Backdoors”

In an analysis published by Trend Micro, researchers said that the malware was being used in a campaign to drop a cryptocurrency miner payload.

The ongoing campaign was first detected in May, targeting Linux-based servers.

The malware looks for machines running vulnerable software in order to propagate, and also looks for several entry points to spread to other systems.

According to researchers from security firm F5 Labs, the Golang malware spreads through a variety of methods.

The malware campaign propagates through seven methods: 2 targeting ThinkPHP, 1 targeting Drupal, 1 targeting Confluence, SSH credential enumeration, Redis database password enumeration,

Once access is gained, the malware tries to spread to other machines using any SSH keys it finds.

The malware was found targeting the CVE-2019-9082 vulnerability in ThinkPHP, CVE-2019-3396 in Atlassian Confluence, and CVE-2018-7600 in Drupal, also known as Drupalgeddon2.

“The payload delivered in the request tries to spread by sending the same exploits, and by trying to connect with several hardcoded credentials to Redis services and also via SSH. The ultimate goal of the payload is to install a crypto miner and target other servers through the methods mentioned above,” F5 researchers said in their blog post.
