Golang Worm Widens Scope to Windows, Adds Payload Capacity


A first-stage malware loader spotted in active campaigns has added additional exploits and a new backdoor capability.

A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.

The malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.

According to an analysis from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls “Golang,” originally targeted only Linux machines, but now has spread to Windows and other servers.

“This new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,” explained the researchers. They added, “While the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.”

The bad code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for ElasticSearch; CVE-2018-7600 for Drupal, a.k.a. “Drupalgeddon 2.0”; and CVE-2018-20062 for the ThinkPHP framework.

Other exploits that don’t have CVEs are also used to exploit Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution “by dumping the db file into cron path,” according to Barracuda.

“Some of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China,” according to the report. “As in other families of malwares, it is safe to assume that this malware will keep evolving, employing more and more exploits.”

A Golang Malware

Notably, the malware is written in the Go language (Golang).

Golang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, which discovered the first iteration of the malware last summer, applications written in Go tend to be bulkier than others as the functions imported from other libraries are compiled in the binary itself. It also has a unique way of calling functions and storing symbols and data.

“Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware,” according to F5. That said, in April, another wormable Golang loader known as Kinsing was spotted dropping XMRig onto Docker instances.

Under the Hood

Once the malware infects a machine, it downloads a set of files that are customized based on the platform it is attacking. One of those files positions the malware for doing more damage than simply installing a cryptominer.

The file sets typically include the initial loader payload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.

Out of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.

“If it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account,” explained the researchers.

The scanner file meanwhile is the malware’s worm propagation mechanism. It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports back to the C2 about the success.

For Windows machines, the malware also adds a backdoor user, researchers found – essentially just adding another user to the system. An init/update script accomplishes this on the Linux side, according to the analysis, by adding an authorized SSH key to the system.
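The two Linux persistence artifacts described in this article (the Redis database dumped into a cron path, and the SSH key planted in authorized_keys) both leave a recognisable trace on disk. The following is an added detection example, not Barracuda's code or anything from the malware itself; the file contents, paths and key blobs are constructed samples, and the allowlist of known-good keys is assumed to be maintained by the defender.

```python
"""Added detection example (not Barracuda's code, not the malware's code).
Flags two persistence artifacts the article describes on Linux hosts: a Redis
RDB dump written into a cron path, and an SSH key added to authorized_keys.
File contents below are constructed samples, not captures from the campaign."""
import re
from typing import Dict, List, Set

RDB_MAGIC = b"REDIS"  # every Redis RDB dump file starts with this header
# one cron entry: five schedule fields, then the user/command remainder
CRON_LINE = re.compile(r"^[ \t]*(?:\*|[\d,\-/]+)(?:[ \t]+(?:\*|[\d,\-/]+)){4}[ \t]+(\S.*)$", re.M)
SSH_KEY = re.compile(r"^(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)", re.M)

def looks_like_redis_dump(content: bytes) -> bool:
    """A real cron file never starts with the RDB magic; a dump does. cron skips
    the surrounding binary junk, which is why 'dump the db file into the cron
    path' yields code execution."""
    return content.startswith(RDB_MAGIC)

def planted_cron_lines(content: bytes) -> List[str]:
    """Return the cron-shaped lines embedded in a file's bytes."""
    text = content.decode("latin-1")  # lossless 1:1 mapping for binary data
    return [m.group(1).strip() for m in CRON_LINE.finditer(text)]

def unexpected_keys(authorized_keys: str, allowlist: Set[str]) -> List[str]:
    """Return key blobs in authorized_keys that are not in the allowlist."""
    return [m.group(1) for m in SSH_KEY.finditer(authorized_keys)
            if m.group(1) not in allowlist]

def audit(files: Dict[str, bytes], allowlist: Set[str]) -> List[str]:
    """Run both checks over {path: content}. In practice feed it the files under
    /etc/cron*, /var/spool/cron and every ~/.ssh/authorized_keys."""
    findings = []
    for path, content in files.items():
        if path.endswith("authorized_keys"):
            for blob in unexpected_keys(content.decode("utf-8", "replace"), allowlist):
                findings.append(f"{path}: unlisted SSH key {blob[:20]}...")
        elif looks_like_redis_dump(content):
            for line in planted_cron_lines(content):
                findings.append(f"{path}: Redis dump in cron path, planted entry: {line}")
    return findings

# Constructed samples: an RDB dump dropped as a cron file, and a keys file
SAMPLE_CRON = (b"REDIS0009\xfa\tredis-ver\x055.0.7\xfe\x00\n\n"
               b"* * * * * root /tmp/.x/run.sh\n\xff\x01\x02\x03")
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYconstructed admin@host\n"
               "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNLISTEDconstructed x@y\n")
ALLOWLIST = {"AAAAC3NzaC1lZDI1NTE5AAAAIKNOWNKEYconstructed"}
```

Running `audit({"/etc/cron.d/root": SAMPLE_CRON, "/root/.ssh/authorized_keys": SAMPLE_KEYS.encode()}, ALLOWLIST)` reports one planted cron entry and one unlisted key; the Windows-side backdoor user is not covered here and needs a separate check of local account creation events.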

“Although the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators,” Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. “This can be used for deploying additional attacks on the victim’s machine and network, beyond the scope of cryptomining.”

He added, “The cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future.”
