New Golang Worm Targets MySQL, Jenkins, Oracle WebLogic and other Public Services

Darkside Ransomware
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

Golang Worm Overview

This report is about a new Golang worm analyzed by Intezer. The Golang worm malware affects both Windows and Linux servers.  It has targeted a variety of public services including MySQL, TomCat, Jenkins, and Oracle WebLogic. At this time no specific threat actor has been named. The goal of Golang worm appears to be installation of the XMRig cryptocurrency miner.

Tactics, Techniques and Procedures

At the time of analysis, all files used in the attack are hosted on a single Command and Control server. Initial access is gained by the Golang worm through the exploit of web facing services previously mentioned. CVE-2020-14882 affecting WebLogic servers is one specific vulnerability exploited by this worm.

To spread, the worm scans the local network for vulnerable services to exploit and monitors network traffic through use of the “gopacket” Go library. Brute force password spraying is used with a built-in dictionary to take advantage of weak credentials. The worm uses a dropper script written in Bash or PowerShell (depending on the respective platform) to install XMRig and spread the malware.

Business Unit Impact

  • Will lead to unauthorized use of system resources for cryptocurrency mining
  • May lead to compromise of internal hosts through subsequently loaded malware
  • May lead to exfiltration of sensitive data

Recommendations

We recommend blocking and monitoring for the IOCs listed in each of the sources referenced and ensuring all public facing servers (WebLogic, MySQL, etc.) are up to date with latest patches. 

IOCs

Avertium brings a guided, risk-based cybersecurity approach to the mid-to-large enterprise. Leveraging NIST CSF and the MITRE ATT&CK framework, Avertium develops customized, outcome-based roadmaps that enable companies to evolve their cybersecurity posture in the face of the cybersecurity talent shortage, rapidly evolving threat landscape and budgetary constraints. 

For information about how we can help, contact an expert to schedule a no-obligation consultation.

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates