A new form of malware has been spotted in the wild by cybersecurity companies which say the code’s main focus is the fraudulent mining of the Monero (XMR) cryptocurrency.
Over the past week, various cybersecurity outfits have published reports on the new malware, dubbed Golang, which has already proven itself capable of compromising Linux servers through a variety of propagation methods.
The spreader malware is based on the open-source Go programming language.
An analysis posted by Palo Alto Networks Unit 42 cybersecurity researcher Josh Grunzweig suggests that there has been a steady uptick in the amount of malware being developed in this language for months, but the majority are targeting the Microsoft Windows operating system.
Grunzweig was able to collect over 10,000 unique samples of Go-compiled malware and found the most prominent malware families were Veil, GoBot2, and Hercules. Pentesting, Remote Access Trojans (RATs), and backdoors — the difference between the last two being varying levels of functionality — were the most common developments.
In an analysis of this new Go-based malware, however, Trend Micro researchers Augusto Remillano II and Mark Vicente said the spreader is being used to drop a cryptocurrency miner payload.
The team first detected Golang in May and an ongoing campaign is currently underway. Golang specifically targets Linux-based servers and not only probes for vulnerabilities in target systems but also looks for entry points to propagate on networks.
F5 researchers say that Golang spreads through a total of seven methods; four exploits targeting ThinkPHP, Drupal, and Confluence; the use of SSH and Redis database misconfigurations or credentials, and the subsequent spread to other machines using any SSH keys the malware stumbles across.
A GET request is first sent to ident.me, a service used to return the public IP address of a server. The IP list is then used to search for open ports 80, 20, 8090, and 6397. If any are found, a malicious request is sent to download a payload hosted on Pastebin.
The Redis attack vector is also of interest. If no open ports are found, the malware will automatically try common, simple passwords — such as admin, root, redis, and test — to connect to a vulnerable server.
Golang then uses the FLUSHALL Redis command to wipe the existing database and creates a scheduled task to download the payload in its place.
The spreader will also disable security tools and software, will clear histories and logs, and seeks out any cryptocurrency mining operations already running in order to kill the process — retaining any available CPU power for its own activities. Any process using over 30 percent of the available memory resources will be killed.
To maintain persistence, Golang sets itself up as a cron job and service in the system named mysqlc. The download script is checked and, if necessary, re-executed every 15 minutes.
The malware will also block outgoing traffic on ports 3333, 5555, 7777, and 9999, which F5 says is likely due to these ports being used by other cryptocurrency miners.
Golang’s cryptocurrency miner is XMRig 2.13.1, a well-known Monero mining script. F5 was able to trace the malware to some public pools in which less than $2,000 has been earned so far — but this figure is only based on the wallets the specific miner samples were using and so the number could be higher.
When it comes to attribution, there may be a Chinese link. F5 was able to find a potential connection to a user called “Nidaye222,” of which “ni da ye” in Chinese is either a phrase used for saying uncle — or an insult, depending on the context.
While fraudulent cryptocurrency mining based on stolen computing power remains lucrative, it is unlikely that Golang will be the last new form of mining payload spreader we will come across.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0