Malware

GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers

Clock Icon 7 min read
Related Products
Advanced DNS Security iconAdvanced DNS SecurityAdvanced Threat Prevention iconAdvanced Threat PreventionAdvanced URL Filtering iconAdvanced URL FilteringAdvanced WildFire iconAdvanced WildFireCloud-Delivered Security Services iconCloud-Delivered Security ServicesCortex XDR iconCortex XDRNext-Generation Firewall iconNext-Generation Firewall

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers recently discovered a new sample of Golang-based malware. We have dubbed it GoBruteforcer, and it targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The sample was originally captured from our Next-Generation Firewall. Upon further research, we found that the malware was hosted on a legitimate website.

Further investigation revealed that the attacker hosted binaries for x86, x64 and ARM processor architectures. We also discovered that GoBruteforcer had deployed an internet relay chat (IRC) bot on the victim server, which communicates with the attacker’s server.

This blog details information collected based on a static overview of the GoBruteforcer attack chain components. For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords).

Palo Alto Networks customers receive protections from malware families like GoBruteforcer and its malicious components with Cortex XDR or the Next-Generation Firewall with cloud-delivered security services including WildFire and Advanced Threat Prevention. Alongside this, Advanced URL Filtering and DNS Security can block the command and control (C2) domain and malware hosting URLs.

Related Unit 42 Topics Golang, Botnet, Web Server

Introduction

Go programming language, also known as Golang, is a newer language that’s becoming more popular with malware programmers. It has proven to be versatile enough to develop all kinds of malware, including ransomware, stealers or remote access trojans (RATs). Golang-based botnets in particular seem to be gaining the interest of threat actors.

GoBruteforcer is a new kind of botnet malware that is written in Golang and targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services.

GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.

Once a host is found, GoBruteforcer tries to get access to the server via brute force. After achieving access, GoBruteforcer deploys an IRC bot containing the attacker’s URL.

Later, GoBruteforcer also tries to query the victim system using a PHP web shell. We found that this web shell was already deployed onto the victim server. Figure 1 depicts this attack flow.

Image 1 is a tree diagram showing the GoBruteforcer attack chain, starting with a port scan.
Figure 1. GoBruteforcer attack chain.

The cache_init file highlighted in Figure 2 is the GoBruteforcer malware we found hosted in the /.x/ directory of the targeted server. The initial vector of the GoBruteforcer and the PHP web shell campaign is not known yet.

We have notified the victim about the malicious GoBruteforcer binaries hosted on their site.

Image 2 is three screenshots side by side of web indexes that are hosting GoBruteforcer binaries on their websites. Highlighted is the cache_init file in the index of each under the Parent Directory.
Figure 2. GoBruteforcer hosted on a victim server.

The GoBruteforcer malware hashes we found mainly targeted Unix-like (*nix) platforms, with versions for x86, x64 and ARM architectures. It seems likely that this is their OS of choice because *nix operating systems are a popular choice for hosting servers.

We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future.

Scanning and System Access

The GoBruteforcer malware samples are packed with UPX Packer. Upon unpacking a sample (SHA256 ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84), we observed that GoBruteforcer has a multiscan module (shown in Figure 3) it uses to scan for the hosts inside a CIDR for its attack.

Image 3 is a screenshot of GoBruteforcer’s multi scan module.
Figure 3. GoBruteforcer multiscan function.

On the target IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP and Postgres services. The attacker has defined separate scanning modules against all the aforementioned services, as shown in Figure 4.

Image 4 is a screenshot of modules in GoBruteforcer scanning different services, such as MySQL and Postgres.
Figure 4. Modules inside GoBruteforcer for scanning different services.

Inside the modules, the malware first checks if the port belonging to the service is open. For this, the port scan module (shown in Figure 5) is called inside every scanning module.

Image 5 is a screenshot that takes a closer look at GoBruteforcer’s port scan module.
Figure 5. Portscan function (present inside every scanning module).

For the phpMyAdmin Service

When scanning for phpMyAdmin services, if the target port (port 80) is open, the GoBruteforcer malware tries to login and get access to the victim server via brute force. To do this, the malware uses a set of credentials that is hard coded into the malware binary, as shown in Figure 6.

Image 6 is a screenshot of many lines of code, the malware binary, showing the hard coded credentials.
Figure 6. Hard-coded credentials for brute forcing.

IRC Bot Deployment

Upon successful login via phpMyAdmin service into the victim server, GoBruteforcer deploys and executes an IRC bot on the victim server. The files fb5 and ab5 are IRC bots compiled for x86_64 and ARM architectures respectively, as shown in Figures 7 and 8.

Image 7 is a screenshot showing how GoBruteforcer deploys an IRC bot for x86-supported platforms, highlighted in red.
Figure 7. GoBruteforcer deploying IRC bot for x86-supported platforms.
Image 8 is a screenshot showing how GoBruteforcer deploys an IRC bot for ARM-supported platforms, highlighted in red.
Figure 8. GoBruteforcer deploying IRC bot for ARM-supported platforms.

Later, the malware starts communication between the command and control channel (C2) and the victim server via the IRC bot, as shown in Figure 9.

Image 9 is a screenshot of Wireshark showing the victim and C2 communication via an IRC bot.
Figure 9. Victim and C2 communication via IRC bot.

Additionally, the IRC bot also registers itself inside cron for recurring execution.

Image 10 is a screenshot of a few lines of code showing, with yellow highlighting, how the IRC bot registers itself in cron.
Figure 10. IRC registering itself in cron.

For MySQL and Postgres Services

When scanning for MySQL and Postgres services, the GoBruteforcer malware first checks whether ports 3306 and 5432 are open. If the malware finds the ports open, then the malware tries to ping the host’s database with a certain username and password. (Figures 11 and 12 show this activity, and you can also refer to the following post on the Golang Issues forum for more information).

After that, the malware calls the PostResult module, which will be discussed in greater detail in the later section, PostResult Module and Web Shell Connection.

Image 11 is a screenshot highlighting GoBruteforcer’s MySql ping.
Figure 11. MySql ping done by GoBruteforcer malware.
Image 12 is a screenshot highlighting GoBruteforcer’s Postgres ping.
Figure 12. Postgres ping done by GoBruteforcer malware.

For the FTP Service

When scanning for FTP services, GoBruteforcer checks whether port 21 is open. If the malware finds it open, it tries to authenticate to the server (as shown in Figure 13) using the goftp library, which is an FTP client package for Golang.

Image 13 is a screenshot highlighting GoBruteforcer’s attempt at an FTP login as it tries to authenticate to the server.
Figure 13. FTP login attempt.

Upon successful authentication to the victim server, the malware calls the PostResult module.

PostResult Module and Web Shell Connection

Inside GoBruteforcer's PostResult module, which is called after every service scanning module, we observed a hard coded link (query) as shown in Figure 14.

Image 14 is a screenshot highlighting a hard-coded link in the GoBruteforcer binary.
Figure 14. Hard coded link found inside GoBruteforcer binary.

On further investigation into the directories within the victim IP address, we found a web shell named x, (http[:]//victim-ip/x) with SHA256 de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b. This web shell seemed similar to the pst.php PHP file (SHA256 602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665) associated with http[:]//5.253.[.]84[.]159 (see Figure 15).

The PHP web shell had reverse shell and bind shell capabilities, as shown in Figure 15.

Image 15 is a screenshot of the PHP webshell with “Bind Shell” and “Reverse Shell” highlighted.
Figure 15. Bind shell and reverse shell capabilities inside webshell.

Along with these capabilities, the web shell also has a packet crafter (shown in Figure 16) having the options for input like host, start, end port and timeouts for connection and the stream. This gives the attacker the ability to gain more insight into the targeted network.

Image 16 is a screenshot of the PHP webshell highlighting the Simple Packet Crafter along with options to the left.
Figure 16. Simple packet crafter capabilities inside web shell.


GoBruteforcer Makes Advances

During our hunt for the samples related to GoBruteforcer campaign, we found another sample (SHA256 acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834). This is possibly an older version of the GoBruteforcer family that only targeted the phpMyAdmin service in order to infect web servers. The sample was uploaded on VirusTotal some months ago and had 0 detections, as shown in Figure 17.

Image 17 is a screenshot of VirusTotal showing an older version of GoBruteforcer that had no VT detections.
Figure 17. VirusTotal detection: older version of GoBruteforcer.

Conclusion

Web servers have always been a lucrative target for threat actors. Weak passwords could lead to serious threats as web servers are an indispensable part of an organization. Malware like GoBruteforcer takes advantage of weak (or default) passwords.

The GoBruteforcer bot comes with a multiscan capability, which gives it a wide range of targets that it can use to get into a network. GoBruteforcer also seems to be in active development, so attackers could change the techniques they use to target web servers in the near future.

Palo Alto Networks customers receive protections from malware families like GoBruteforcer and its malicious components with Cortex XDR or the Next-Generation Firewall with cloud-delivered security services including WildFire and Advanced Threat Prevention. Alongside this, Advanced URL Filtering and DNS Security can block the command and control (C2) domain and malware hosting URLs.

Indicators of Compromise

Hashes

de7994277a81cf48f575f7245ec782c82452bb928a55c7fae11c2702cc308b8b  Web shell
602129f00bb002f07db07affa78d46f67bd0b2c8fb0867ea2da5fc3e73dd2665 Web shell
acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834  Older version of GoBruteforcer
426b573363277554c7c8a04da524ddbf57c5ff570ea23017bdc25d0c7fd80218  IRC bot(x86)
726ccd223a1cfb60fc6c3b48ea3dbf057da918efac5acf620cd026ee38fb0044  IRC bot(ARM)
526767fbb26c911601371745d603885b75deabcc18261ed2d5a509d58f95d28e GoBruteforcer (x86_64)
dd3555025957cd51cd048d920027a0ff2d5501bc85792529217d54086e9351c2 GoBruteforcer (x86_64)
df7dc0fe7e90a2414ac188c55d06ad3882cfc7394869c9ffa549fb1ddb304919 GoBruteforcer (x86_64)
ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84 GoBruteforcer (x86_64)
5548935e7c6cf3b38240a0579cac36906e9883a1ec5e85335609e9e2062588c5 GoBruteforcer ARM(64-bit)
5627b138bc857081d2251edd7eb3b68cbd58dfff2f51b7cd34c893fffff2cfab GoBruteforcer ARM(64-bit)
5c1d3fb43e9e35b835e62e05a7b97ed66ab132eab35bfc18ce543e8f58ccf5e2 GoBruteforcer ARM(32-bit)
7c27ac0daba19de227fcc467abfcdefa99426c768a3601b1b181e9741717665b GoBruteforcer (x86)

URL and IP

  • 5.253[.]84[.]159/x
  • fi[.]warmachine[.]su

Updated March 14, 2023, at 6:20 a.m. PT to correct port numbers in Figure 1. 

Tags

Table of Contents

Related Articles

Related Malware Resources

Pictorial representation of FrostyGoop malware. Close-up view of a digital screen displaying a pixelated, abstract image, possibly representing a face.
category iconThreat Research

FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
Read now Right arrow
Pictorial representation of a threat like the Bring Your Own Vulnerable Driver (BYOVD) technique. Image of computer code on a screen with a prominent biohazard symbol.
category iconThreat Research

TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
Read now Right arrow
Pictorial representation of a campaign like Contagious Interview. Digital graphic of a glowing globe with network connections and data streams, symbolizing global connectivity and technology advancements.
category iconThreat Research

Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
Read now Right arrow
A pictorial representation of machine learning detecting vulnerability scanning. A Black man using a tablet with a background of illuminated city buildings at night.
category iconThreat Research

Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning
Read now Right arrow
Pictorial representation of keylogger malware like KLogEXE and FPSpy. Person working on a laptop with lines of code displayed on the screen, with a blurred effect indicating motion or activity, surrounded by a vivid blue and red lighting.
category iconThreat Actor Groups

Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
Read now Right arrow
Pictorial representation of SnipBot. Digital abstract background featuring binary code and technology symbols with a blue glow in the shape of a skull.
category iconThreat Research

Inside SnipBot: The Latest RomCom Malware Variant
Read now Right arrow
A pictorial representation of a red team tool like Splinter. A digital illustration showing a 3D brain model surrounded by rising data columns on a circuit board, representing advanced artificial intelligence technology.
category iconThreat Research

Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool
Read now Right arrow
Pictorial representation of APT groups from North Korea. The silhouette of two fish and the Pisces constellation inside an orange abstract planet, surrounded by two larger blue fish. Abstract, stylized cosmic setting with vibrant blue and purple shapes, representing space and distant planetary bodies.
category iconThreat Actor Groups

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Read now Right arrow
Illustrative image featuring two fish and the Pisces constellation superimposed on a stylized, abstract background with flowing purple waves and a starry night sky.
category iconHigh Profile Threats

Threat Assessment: North Korean Threat Groups
Read now Right arrow
Pictorial representation of Stately Taurus' updated TTPs. Illustration of a bull's head and the Taurus constellation inside a stylized orange moon, set against the profile of a much larger bull's head. Shooting stars are on the dark background.
category iconThreat Actor Groups

Chinese APT Abuses VSCode to Target Government in Asia
Read now Right arrow
Enlarged Image

Default Heading

Read the article Right Arrow