GoBruteforcer is a Golang-based botnet that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres, using CIDR-range scanning and brute-force login to gain access. It then drops an IRC bot for C2 and a web shell, persists via cron, and appears to be under active development, so its infection vectors may change. #GoBruteforcer #phpMyAdmin
Keypoints
- GoBruteforcer is a Golang-based malware targeting web servers hosting phpMyAdmin, MySQL, FTP, and Postgres services.
- The malware uses a multiscan module to scan IPs within a CIDR block to identify targets.
- After confirming that the target service port is open, the malware brute-forces the login using a set of credentials hard-coded in the binary.
- On successful access, it downloads an IRC bot (x86_64 and ARM variants) from the attacker-controlled URL and uses it for command and control.
- The bot persists by registering itself in cron for recurring execution and carries its C2 traffic over an IRC channel.
- Samples are UPX-packed, and the toolkit includes a web shell that supports reverse and bind shells and contains a simple packet crafter.
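A defender-side example, added here and not from the Unit 42 report or from the malware itself: a Go program that correlates failed logins per source IP across the four services GoBruteforcer targets and flags any source that fails against two or more services, exceeds a failure threshold, or records a success after failures (the trace a multi-service brute forcer leaves on a single host). The log formats, the sample lines and the threshold are assumptions for the example; the real campaign sprays hosts across a CIDR, so a production rule would also aggregate across hosts and bound the correlation with a time window.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// AuthEvent is one login attempt parsed from a service log line.
type AuthEvent struct {
	Service, SrcIP, User string
	Success              bool
}

// Log formats assumed for this example: MySQL error log, PostgreSQL with a
// log_line_prefix starting with '%h ', vsftpd, and phpMyAdmin AuthLog. Real
// deployments vary; every expression must define the "user" and "ip" groups.
var patterns = []struct {
	service string
	success bool
	re      *regexp.Regexp
}{
	{"mysql", false, regexp.MustCompile(`Access denied for user '(?P<user>[^']+)'@'(?P<ip>[\d.]+)'`)},
	{"postgres", false, regexp.MustCompile(`^(?P<ip>[\d.]+) .*FATAL: +password authentication failed for user "(?P<user>[^"]+)"`)},
	{"ftp", false, regexp.MustCompile(`\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"`)},
	{"ftp", true, regexp.MustCompile(`\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[\d.]+)"`)},
	{"phpmyadmin", false, regexp.MustCompile(`user denied: (?P<user>\S+) .*from (?P<ip>[\d.]+)`)},
	{"phpmyadmin", true, regexp.MustCompile(`user authenticated: (?P<user>\S+) from (?P<ip>[\d.]+)`)},
}

// ParseLine returns the login event on a line, or false for any other line.
func ParseLine(line string) (AuthEvent, bool) {
	for _, p := range patterns {
		if m := p.re.FindStringSubmatch(line); m != nil {
			return AuthEvent{p.service, m[p.re.SubexpIndex("ip")], m[p.re.SubexpIndex("user")], p.success}, true
		}
	}
	return AuthEvent{}, false
}

// SourceReport aggregates what one client IP did across all services.
type SourceReport struct {
	SrcIP          string
	Failures       map[string]int // failed logins per service
	TotalFailures  int
	CompromiseHint bool // a success on a service this IP had already failed against
}

// Analyze folds log lines into one report per source IP. Order matters: a success
// only becomes a compromise hint when failures from the same IP precede it.
func Analyze(lines []string) map[string]*SourceReport {
	reports := map[string]*SourceReport{}
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok {
			continue
		}
		r := reports[ev.SrcIP]
		if r == nil {
			r = &SourceReport{SrcIP: ev.SrcIP, Failures: map[string]int{}}
			reports[ev.SrcIP] = r
		}
		if ev.Success {
			r.CompromiseHint = r.CompromiseHint || r.Failures[ev.Service] > 0
			continue
		}
		r.Failures[ev.Service]++
		r.TotalFailures++
	}
	return reports
}

// Suspicious selects sources matching the GoBruteforcer pattern: many failures,
// failures spread over two or more services, or a success after failures.
func Suspicious(reports map[string]*SourceReport, failThreshold int) []*SourceReport {
	var out []*SourceReport
	for _, r := range reports {
		if r.TotalFailures >= failThreshold || len(r.Failures) >= 2 || r.CompromiseHint {
			out = append(out, r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].SrcIP < out[j].SrcIP })
	return out
}

// sampleLog is constructed for this example and is not real traffic.
const sampleLog = `
2023-03-10T10:00:01 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-03-10T10:00:02 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-03-10T10:00:03 [Warning] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
203.0.113.5 2023-03-10 10:00:05 UTC FATAL:  password authentication failed for user "postgres"
Fri Mar 10 10:00:08 2023 [pid 4242] [ftp] FAIL LOGIN: Client "203.0.113.5"
Fri Mar 10 10:00:09 2023 [pid 4243] [ftp] OK LOGIN: Client "203.0.113.5"
user denied: root (mysql-denied) from 198.51.100.7
`
// SampleLogLines splits the constructed log into lines for Analyze.
func SampleLogLines() []string {
	return strings.Split(strings.TrimSpace(sampleLog), "\n")
}
```

Run it with `Suspicious(Analyze(SampleLogLines()), 5)`: the constructed log yields one flagged source, 203.0.113.5, with five failures across MySQL, Postgres and FTP and an FTP success after an FTP failure, while the single phpMyAdmin denial from 198.51.100.7 stays below every criterion. The multi-service criterion is deliberately independent of the count threshold, because a scanner that tries only a few hard-coded credentials per service will often stay under any per-service lockout threshold yet still touch every exposed service.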
MITRE Techniques
- [T1046] Network Service Discovery (formerly Network Service Scanning) – “multiscan module … to scan for the hosts inside a CIDR for its attack.”
- [T1110] Brute Force – “tries to login and get access to the victim server via brute force.”
- [T1078] Valid Accounts – “To do this, the malware uses a set of credentials that is hard coded into the malware binary.”
- [T1095] Non-Application Layer Protocol – “communication between the command and control channel (C2) and the victim server via the IRC bot.”
- [T1053] Scheduled Task/Job (T1053.003 Cron) – “the IRC bot also registers itself inside cron for recurring execution.”
- [T1027] Obfuscated Files or Information (T1027.002 Software Packing) – “The GoBruteforcer malware samples are packed with UPX Packer.”
Indicators of Compromise
- [Hash] GoBruteforcer binaries – ebe11121aafdac5d8f2eecba710ba85efa31617a5eb825ba2e89e23379b26b84, acc705210814ff5156957c028a8d6544deaca0555156504087fdc61f015d6834, and 2 more hashes
- [URL/Domain] C2 hosting and web access – 5.253[.]84[.]159/x, fi[.]warmachine[.]su
- [File Name] Web shell and related components – x (web shell), pst.php (PHP web shell file)
Read more: https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/?web_view=true