A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.
The malware itself was first uncovered about a year ago. It is a loader that spreads as a worm, searching for and infecting other vulnerable machines. Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.
According to an analysis from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls “Golang,” originally targeted only Linux machines, but now has spread to Windows and other servers.
“This new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL,” explained the researchers. They added, “While the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China.”