This report is about a new Golang worm analyzed by Intezer. The Golang worm malware affects both Windows and Linux servers. It has targeted a variety of public services including MySQL, TomCat, Jenkins, and Oracle WebLogic. At this time no specific threat actor has been named. The goal of Golang worm appears to be the installation of the XMRig cryptocurrency miner.
At the time of analysis, all files used in the attack are hosted on a single Command and Control server. Initial access is gained by the Golang worm through the exploit of web-facing services previously mentioned. CVE-2020-14882 affecting WebLogic servers is one specific vulnerability exploited by this worm.
To spread, the worm scans the local network for vulnerable services to exploit and monitors network traffic through the use of the “gopacket” Go library. Brute force password spraying is used with a built-in dictionary to take advantage of weak credentials. The worm uses a dropper script written in Bash or PowerShell (depending on the respective platform) to install XMRig and spread the malware.
We recommend blocking and monitoring for the IOCs listed in each of the sources referenced and ensuring all public-facing servers (WebLogic, MySQL, etc.) are up to date with the latest patches.
Avertium brings a guided, risk-based cybersecurity approach to the mid-to-large enterprise. Leveraging NIST CSF and the MITRE ATT&CK framework, Avertium develops customized, outcome-based roadmaps that enable companies to evolve their cybersecurity posture in the face of the cybersecurity talent shortage, rapidly evolving threat landscape, and budgetary constraints.
For information about how we can help, contact an expert to schedule a no-obligation consultation.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.