GoLang Malware Attacks Linux Servers for Illicit Cryptomining

Cybercriminals are again using programs developed in Go for fraudulent purposes. This time, a new GoLang Malware has infiltrated Linux servers to mine cryptocurrency illegally.

After its appearance in 2009, Google's programming language Go (also called GoLang) has gained great popularity among some users of the digital world. Unfortunately, it has been discovered that cybercriminals are also using Go to write malicious programs capable of evading certain security protocols.

The worst part is that we will probably continue to see more malware developed in Go, as hackers have found in this language a simpler way to develop malicious programs that are difficult to detect.

Do you want to know the details about this new attack? Read on and discover much more.

A new attack now on Linux

Although 10 years have passed since its release, Go has not been a language commonly associated with the development of malicious programs. However, since last year, many companies focused on cybersecurity were able to detect attacks from malware developed in Go.

The use of this language for the development of malicious programs has become so popular that a whole family of malware created with it has already emerged.

Although 92% of the GoLang malware identified by experts targets Windows, attacks aimed at compromising Linux servers have lately been detected.

This is the case of an attack recently detected by F5 Labs researchers, who after some time of study determined that, since June 10, 2019, a GoLang Malware has been infecting several thousand machines with the aim of profiting from illegal cryptomining.

The results indicate that the attacker has made at least $2,000 from illegal mining on Linux servers. The researchers indicated that this amount may be higher, as they suspect that the cybercriminal may have several active wallets used by his botnet.

How does GoLang Malware work?

According to the results of the investigation, the attackers use an online clipboard service, pastebin.com, and another service, ident.me, which returns the public IP address of a server.

The report states that the experts identified malicious requests targeting vulnerabilities in Atlassian Confluence (CVE-2019-3396), ThinkPHP (CVE-2019-9082 and CVE-unassigned), and Drupal (CVE-2018-7600, also known as Drupalgeddon2).

The GoLang malware is able to spread using seven different methods, which include four web application exploits, SSH credential enumeration, Redis database password enumeration, and an attempt to connect to other machines using discovered SSH keys.

Once inside the system, GoLang Malware stops any process related to an existing mining operation. In addition, it deletes logs and histories, and disables security tools. One of its main objectives is to hoard all available CPU power, which is why it eliminates any process that uses high levels of memory.

To persist on the system, GoLang Malware is configured as a cron task and as a system service called mysqlc. Also according to the report, the malware is hosted on a Chinese e-commerce website that has already been compromised.
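A triage check for the persistence described above, added here as an example and not taken from the F5 Labs report: it looks for a service named mysqlc and for cron entries that mention mysqlc or pastebin.com. The directories searched are the standard Linux cron and service locations, which is an assumption, since the article does not say where the malware writes its entries.

```python
import os
import re

# Standard Linux locations for cron jobs and service definitions (an assumption
# about where to look; the article only names the service, "mysqlc").
CRON_PATHS = ["etc/crontab", "etc/cron.d", "var/spool/cron"]
SERVICE_DIRS = ["etc/systemd/system", "lib/systemd/system", "etc/init.d"]
# Indicators taken from the article: the service name and the paste site.
INDICATOR = re.compile(r"\bmysqlc\b|pastebin\.com", re.IGNORECASE)


def _files(path):
    """Yield every regular file at or below path (nothing if it is missing)."""
    if os.path.isfile(path):
        yield path
    for dirpath, _dirs, names in os.walk(path):
        for name in names:
            yield os.path.join(dirpath, name)


def scan(root="/"):
    """Return sorted (kind, path, detail) findings under root."""
    findings = set()
    for rel in SERVICE_DIRS:
        for path in _files(os.path.join(root, rel)):
            # Matches mysqlc and mysqlc.service, but not mysqlcheck.
            if os.path.basename(path).split(".")[0].lower() == "mysqlc":
                findings.add(("service", path, os.path.basename(path)))
    for rel in CRON_PATHS:
        for path in _files(os.path.join(root, rel)):
            try:
                with open(path, errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable without root; rerun with privileges
            for line in lines:
                # Skip comments so a note about pastebin.com is not a finding.
                if not line.lstrip().startswith("#") and INDICATOR.search(line):
                    findings.add(("cron", path, line.strip()))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path, detail in scan():
        print(f"[{kind}] {path}: {detail}")
```

Because the malware deletes logs and disables security tools, a clean result on a live host is weak evidence; pass a mounted disk image as `root` to scan offline.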

Why is GoLang so convenient for malware development?

GoLang offers great advantages in terms of use. For example, if you already know the C language, Go is very easy to learn. In addition, with Go you can get rid of many of the errors that can normally affect C or C++.

GoLang also gives you access to a simple compilation environment to create native binaries. This makes it very attractive for cybercriminals, who are able through this language to create malware that works on various operating systems.

Precisely because it is a new language and is not normally associated with malicious use, many security systems do not have it on their radar, so cybercriminals can hide in plain sight, knowing that it will be more difficult for a security program to detect a threat written in an unfamiliar language.

This is why the experts conclude that we will probably continue to witness the emergence of more GoLang Malware aimed at different objectives.

The good news is that as this new threat advances, experts in cybersecurity solutions are also developing more complete applications which, with the help of technologies such as machine learning, will be able to detect this type of malware more easily.

What do you think about this threat? Do you feel that your systems are vulnerable? Do you want to keep your systems completely protected? Then you must use the best tools. Contact us now and get first class security solutions that will allow you to achieve full visibility on your attack surfaces. At GB Advisors we offer you the best software and professional advice on ITsec and ITSM.
