#WeeklyCTI – Golang-Based Botnet Malware "GoBruteforcer" Coming to a Webserver Near You!

Lately, Golang has been gaining steam in the malware development community as the “Go-to” dev language of choice (see what I did there 😁). This week, we have a new Golang-based botnet malware making its rounds, and it goes by the name “GoBruteforcer”.

Links below.

SecurityWeek Article:
https://www.securityweek.com/new-gobruteforcer-botnet-targets-web-servers/

Unit 42 Blog Article:
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/

BuyMeACoffee and Support the Channel:
https://www.buymeacoffee.com/daniellowrie

Show Notes:
=================================================
GoBruteforcer
===================

+ **What is GoBruteforcer?**
=========================================
– *Botnet malware* written in Go (`Golang`)
– *Targets*
+ FTP
+ HTTP
+ phpMyAdmin
+ MySQL
+ Postgres
– *Discovered by Unit 42* (Palo Alto Networks)
+ https://unit42.paloaltonetworks.com/
– *Packed with UPX*
+ Define packing: the real executable is compressed and wrapped in a small stub that unpacks it in memory at runtime, so strings and code are hidden from static scanners
+ Demo UPX: `upx -9 <binary>` packs, `upx -d <binary>` unpacks; UPX-packed files carry a literal `UPX!` marker, which makes them easy to triage (and, for analysts, easy to unpack)
– *CIDR Block Scanning*
+ Picks random CIDR blocks to scan
– *The Multi-Scan Module*
+ Identifies open ports
– Looking for specific services (FTP, HTTP/phpMyAdmin, MySQL, Postgres)
+ Hard-coded creds used for brute-forcing
– *Compromise*
+ via FTP/HTTP/MySQL/Postgres
– Webshell deployed for C2 comms
+ via phpMyAdmin
– IRC bot deployed for C2 comms
– *GoBruteforcer Binary Storage*
+ Copy of the malware stored on the compromised server
– `/.x` dir
+ `/.x/86`
+ `/.x/64`
+ `/.x/arm`
+ Filename = **cache_init**

+ **Scanning and System Access**
===================================
– *Multi-Scan Module: Deep-Dive*
+ CIDR Block Scanner
– `x_misc_RandomCIDR`
– `x_misc_GetHosts`
+ Service Scanners
– `x_scanners_phpmyadmin_Check`
– `x_scanners_mysql_Check`
– `x_scanners_ftp_Check`
– `x_scanners_postgres_Check`
+ Port scanner called inside of EVERY scanner module
– `x_misc_PortOpen`
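The scanning pieces the show notes describe (random CIDR selection, host enumeration, and the port check every scanner module runs first), reconstructed as an added Go example. This is my code, not the malware's and not Unit 42's: the function names echo the page's `x_misc_RandomCIDR`, `x_misc_GetHosts` and `x_misc_PortOpen`, but the /24 block size, the skipped first octets and the size guard are assumptions. The demo only sweeps loopback against a throwaway listener it opens itself.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand"
	"net"
	"time"
)

// DefaultTimeout bounds each TCP connect so a dead host cannot stall the sweep.
const DefaultTimeout = 2 * time.Second

// RandomCIDR picks a random /24 block. The page only says the malware scans
// random CIDR blocks; the /24 size and the skipped first octets (0, 10, 127
// and 224-255, i.e. unroutable, loopback or multicast) are assumptions here.
func RandomCIDR(seed int64) string {
	rng := rand.New(rand.NewSource(seed))
	for {
		a := rng.Intn(256)
		if a == 0 || a == 10 || a == 127 || a >= 224 {
			continue
		}
		return fmt.Sprintf("%d.%d.%d.0/24", a, rng.Intn(256), rng.Intn(256))
	}
}

// GetHosts expands an IPv4 CIDR block into its host addresses, skipping the
// network and broadcast addresses for blocks of /30 and larger. Blocks wider
// than /16 are refused so a typo cannot expand into millions of strings.
func GetHosts(cidr string) ([]string, error) {
	ip, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	if ip.To4() == nil {
		return nil, fmt.Errorf("only IPv4 blocks are supported: %s", cidr)
	}
	ones, bits := ipnet.Mask.Size()
	if bits-ones > 16 {
		return nil, fmt.Errorf("block too large to expand: %s", cidr)
	}
	size := uint32(1) << uint(bits-ones)
	base := binary.BigEndian.Uint32(ipnet.IP.To4())
	var hosts []string
	for i := uint32(0); i < size; i++ {
		if size >= 4 && (i == 0 || i == size-1) {
			continue // network and broadcast addresses
		}
		buf := make([]byte, 4)
		binary.BigEndian.PutUint32(buf, base+i)
		hosts = append(hosts, net.IP(buf).String())
	}
	return hosts, nil
}

// PortOpen reports whether a TCP connect to host:port succeeds within timeout:
// the cheap check the page says every scanner module runs before it bothers
// trying credentials against the service.
func PortOpen(host string, port int, timeout time.Duration) bool {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// ListenFree opens a throwaway listener on loopback and returns its port so
// PortOpen can be exercised without touching anyone else's network.
func ListenFree() (net.Listener, int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, 0, err
	}
	return ln, ln.Addr().(*net.TCPAddr).Port, nil
}

func main() {
	ln, port, err := ListenFree()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("random block to sweep:", RandomCIDR(time.Now().UnixNano()))
	hosts, _ := GetHosts("127.0.0.0/29") // only loopback is swept in this demo
	for _, h := range hosts {
		fmt.Printf("%s:%d open=%v\n", h, port, PortOpen(h, port, DefaultTimeout))
	}
}
```

From the defender's side the useful takeaway is the shape of the traffic: one source touching every address of a block on the same handful of ports (`21`, `3306`, `5432`, HTTP) in quick succession, with connects that are dropped immediately after the handshake when the port is closed.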

– *phpMyAdmin Brute-Force*
+ Malware contains a hard-coded list of creds for brute-forcing
+ If the brute-force succeeds
– Deploys an IRC bot
+ `fb5` (x86_64)
+ `ab5` (ARM)
– IRC bot connects to an IRC server for C2
– Also sets up a **cronjob** for persistence
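Detection of the brute-force step from the web server's side, as an added Go example (my code, not the malware's and not Unit 42's). It reads combined-format access log lines and flags clients that fail the phpMyAdmin login repeatedly inside a short window, then records whether the same client later got the redirect a successful login produces. Assumptions: the install lives under `/phpmyadmin`; with phpMyAdmin's cookie auth a wrong password re-renders the form (HTTP 200) while a correct one answers 302; and only POSTs to `index.php` with no route (or `route=/`) are login attempts, since authenticated actions POST with other routes. The log lines are constructed, not captured.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed combined-format access log, not real traffic: 203.0.113.5 is a
// human who mistypes once, 198.51.100.7 sprays five guesses in five seconds
// and then gets in, 192.0.2.9 makes one guess an hour.
const SampleLog = `203.0.113.5 - - [10/Mar/2023:10:14:41 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:10:14:55 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:10:15:01 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Mar/2023:10:15:02 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Mar/2023:10:15:03 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Mar/2023:10:15:04 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Mar/2023:10:15:05 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Mar/2023:10:15:06 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [10/Mar/2023:10:15:07 +0000] "POST /phpmyadmin/index.php?route=/sql HTTP/1.1" 200 9001 "-" "Go-http-client/1.1"
192.0.2.9 - - [10/Mar/2023:11:00:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "curl/7.88.1"
192.0.2.9 - - [10/Mar/2023:12:00:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "curl/7.88.1"
192.0.2.9 - - [10/Mar/2023:13:00:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 3021 "-" "curl/7.88.1"`

var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// LoginPath is the phpMyAdmin prefix to watch; installs vary, so it is an assumption.
const LoginPath = "/phpmyadmin"

// loginAttempts keeps only the POSTs that can be the login form (index.php
// under LoginPath with no route, or route=/) and sorts them into failures,
// which phpMyAdmin answers with the form again (200), and successes, which it
// answers with a redirect (302). Authenticated actions also POST but carry
// other routes, so they are left out.
func loginAttempts(log string) (fails map[string][]time.Time, success map[string]bool) {
	fails, success = map[string][]time.Time{}, map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil || m[3] != "POST" {
			continue
		}
		path, query, _ := strings.Cut(m[4], "?")
		if !strings.HasPrefix(strings.ToLower(path), LoginPath) ||
			!strings.HasSuffix(path, "index.php") || (query != "" && query != "route=/") {
			continue
		}
		ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			continue
		}
		switch m[5] {
		case "200":
			fails[m[1]] = append(fails[m[1]], ts)
		case "302":
			success[m[1]] = true
		}
	}
	return fails, success
}

type Verdict struct {
	IP        string
	Failures  int  // most failed logins seen inside a single window
	Succeeded bool // a successful login was also seen from this client
}

// DetectBruteForce flags clients whose failed logins reach threshold inside
// any window-long span, sorted by IP so the output is stable.
func DetectBruteForce(log string, threshold int, window time.Duration) []Verdict {
	fails, success := loginAttempts(log)
	var out []Verdict
	for ip, ts := range fails {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, j := 0, 0
		for i := range ts { // sliding window over the sorted timestamps
			for j < len(ts) && ts[j].Sub(ts[i]) <= window {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best >= threshold {
			out = append(out, Verdict{IP: ip, Failures: best, Succeeded: success[ip]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, v := range DetectBruteForce(SampleLog, 3, time.Minute) {
		fmt.Printf("%s: %d failed logins inside a minute, then logged in: %v\n", v.IP, v.Failures, v.Succeeded)
	}
}
```

Tune the threshold and window against your own traffic. A verdict with `Succeeded=true` is the one to act on first: that host has very likely been handed the IRC bot and the cron entry described above. The `Go-http-client/1.1` user agent on the sample lines is what Go's `net/http` sends by default and is a handy secondary pivot, but the detector deliberately does not depend on it, since it is trivial to change.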

– *MySQL and Postgres*
+ Checks for open ports
– `3306` (MySQL)
– `5432` (Postgres)
+ Verifies the service with Go's `database/sql` **`db.Ping()`**: `sql.Open` only validates the DSN and does not connect, so the ping is what actually opens a connection and authenticates, confirming both the service and the guessed creds in one call
– https://github.com/golang/go/issues/27476

– *FTP*
+ Checks for open port
– `21`
+ Uses the **goftp** module for authentication
– https://github.com/jlaffaye/ftp/

– *PostResult Module*
+ Called after every successful access module
– `x` webshell
– `pst.php` webshell
+ **BIND** and **REV** shells
+ Packet crafter
– Internal network exploration (pivoting from the compromised host)
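Hunting for what the PostResult and persistence steps leave behind on a compromised server, as an added Go example (my code, not the malware's and not Unit 42's). The artifact names come straight from the show notes: the hidden `/.x` staging directory with its `86`/`64`/`arm` copies of `cache_init`, the `fb5`/`ab5` IRC bots and the `pst.php` webshell. `IsPackedELF` is the UPX triage check from the packing section and only looks for the literal `UPX!` marker. The filesystem layout and crontab are constructed in memory with `testing/fstest` so the block runs offline; the `x` webshell has no distinctive name or extension, so it is not matched here.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Artifact names from the page: the staged binary, the two IRC bot builds and
// the PostResult webshell. The staging directory is the hidden /.x.
var iocNames = map[string]string{
	"cache_init": "GoBruteforcer staged binary",
	"fb5":        "IRC bot (x86_64)",
	"ab5":        "IRC bot (ARM)",
	"pst.php":    "PostResult webshell",
}

type Finding struct {
	Path   string
	Reason string
}

// IsPackedELF is a triage check only: UPX leaves a literal "UPX!" marker in
// the binaries it packs, so an ELF carrying it deserves a closer look.
func IsPackedELF(data []byte) bool {
	return bytes.HasPrefix(data, []byte("\x7fELF")) && bytes.Contains(data, []byte("UPX!"))
}

// HuntFiles walks fsys (os.DirFS("/") on a live host) and reports a directory
// named .x, any file carrying an IoC name, and a UPX-packed ELF stored under
// /.x, which is where the page says the 86/64/arm copies of cache_init live.
func HuntFiles(fsys fs.FS) ([]Finding, error) {
	var out []Finding
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		name := d.Name()
		if d.IsDir() {
			if name == ".x" {
				out = append(out, Finding{path, "hidden .x staging directory"})
			}
			return nil
		}
		if why, ok := iocNames[name]; ok {
			out = append(out, Finding{path, why})
		}
		if strings.Contains("/"+path, "/.x/") {
			if data, rerr := fs.ReadFile(fsys, path); rerr == nil && IsPackedELF(data) {
				out = append(out, Finding{path, "UPX-packed ELF under /.x"})
			}
		}
		return nil
	})
	return out, err
}

// HuntCrontab flags crontab lines that run anything by an IoC name or out of
// /.x, the cron persistence the page describes.
func HuntCrontab(text string) []Finding {
	var out []Finding
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue
		}
		for name, why := range iocNames {
			if strings.Contains(line, name) {
				out = append(out, Finding{"crontab: " + line, why})
			}
		}
		if strings.Contains(line, "/.x/") {
			out = append(out, Finding{"crontab: " + line, "runs from hidden .x directory"})
		}
	}
	return out
}

// SampleFS is a constructed layout, not a real infection: the "ELF" is just
// the magic bytes plus the UPX marker, and the webshell is an empty stand-in.
var SampleFS = fstest.MapFS{
	".x/64/cache_init":       {Data: []byte("\x7fELF\x02\x01\x01UPX!")},
	"var/www/html/pst.php":   {Data: []byte("<?php /* constructed stand-in */ ?>")},
	"var/www/html/index.php": {Data: []byte("<?php /* benign */ ?>")},
}

// SampleCrontab is constructed too; the certbot line is there as a control.
const SampleCrontab = `0 3 * * * /usr/bin/certbot renew --quiet
@reboot /.x/64/cache_init
*/5 * * * * /tmp/fb5 >/dev/null 2>&1`

func main() {
	files, err := HuntFiles(SampleFS)
	if err != nil {
		panic(err)
	}
	for _, f := range append(files, HuntCrontab(SampleCrontab)...) {
		fmt.Printf("%-30s %s\n", f.Path, f.Reason)
	}
}
```

On a live host, pass `os.DirFS("/")` (or just the web root) to `HuntFiles`, and feed `HuntCrontab` the output of `crontab -l` for every user plus the contents of `/etc/cron*`. Name matches are weak on their own; a hit on `cache_init` inside a hidden `.x` directory that is also UPX-packed is the combination worth paging on.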

+ **Threat Mitigation and Remediation**
========================================
– Change default passwords (a hard-coded cred list only works where default or common passwords are still in use)
– Use strong, unique passwords on phpMyAdmin, MySQL, Postgres and FTP
– Firewalls: don't expose `21`, `3306`, `5432` or phpMyAdmin to the internet; bind database services to localhost or a management network
– DNS sinkhole/blackhole of known malicious domains/IPs (including the IRC C2 server)
– IDS/IPS
– Hunt for the artifacts: the `/.x` directory and `cache_init`, the `fb5`/`ab5` IRC bots, the `x`/`pst.php` webshells, and cron entries you did not create

+ **IoCs**
=========================================

Chapters:
=================================================
00:00 Intro
00:52 GoBruteforcer Overview
05:58 Packing with UPX
11:35 Attack Chain
16:34 CIDR Block Scanning
18:11 Service and Port Scanning
19:58 phpMyAdmin Bruteforce
22:44 IRC Bot for C2
25:20 Cron for Persistence
25:54 MySQL & Postgres Compromise
29:23 FTP Compromise
31:05 WebShell for C2/Shell/Pivoting
35:00 VirusTotal Detection
36:30 IoC and Protection Strategies
37:37 Final Thoughts

=================================================
#cybersecurity #cyberthreats #cyberthreatintelligence #cti #threatintelligence #ethicalhacking #informationsecurity #infosec #malware
#hacker #golang #redteam #blueteam #linux
