A recently identified Golang-based botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services, Palo Alto Networks reports.
Dubbed GoBruteforcer and found hosted on a legitimate domain, the malware targets multiple architectures, including x86 and ARM, and was seen deploying an internet relay chat (IRC) bot on a compromised server for communication purposes.
The malware spreads using classless inter-domain routing (CIDR) block scanning to identify target hosts within a network, and then attempts to compromise the identified server using brute force.
Upon successful compromise, it deploys the IRC bot on the server. At a later stage, it uses a PHP web shell to query the victim system.
GoBruteforcer, which appears to still be in development, is packed with the UPX packer and has a multi-scan module that it uses to identify open ports for the targeted services. Once a port is identified, it uses hardcoded credentials to brute-force the server.
New 'GoBruteforcer' Botnet Targets Web Servers
www.securityweek.com
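
On the defensive side, the behaviour described above (one source trying credentials against several of the targeted services in quick succession) can be looked for in authentication logs. The following is an added example, not code from the article or from Palo Alto Networks; the normalized event tuple, the function name and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services the article names as targets (phpMyAdmin is reached via the web server).
TARGETED = {"ftp", "mysql", "postgres", "phpmyadmin"}

def find_bruteforce_sources(events, window=timedelta(minutes=10),
                            min_failures=5, min_services=2):
    """Return {src_ip: [services]} for sources whose failed logins inside one
    sliding window reach min_failures across at least min_services services.

    events: iterable of (iso_timestamp, src_ip, service, outcome) tuples
    (a hypothetical normalized form of the per-service auth logs)."""
    by_src = defaultdict(list)
    for ts, src, service, outcome in events:
        if outcome == "fail" and service in TARGETED:
            by_src[src].append((datetime.fromisoformat(ts), service))

    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the window spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            services = {svc for _, svc in fails[start:end + 1]}
            if end - start + 1 >= min_failures and len(services) >= min_services:
                flagged[src] = sorted(set(flagged.get(src, [])) | services)
    return flagged

# Constructed sample events using documentation address ranges, not real data.
SAMPLE = [
    ("2023-03-10T02:00:01", "203.0.113.7", "ftp", "fail"),
    ("2023-03-10T02:00:03", "203.0.113.7", "ftp", "fail"),
    ("2023-03-10T02:00:10", "203.0.113.7", "mysql", "fail"),
    ("2023-03-10T02:00:12", "203.0.113.7", "mysql", "fail"),
    ("2023-03-10T02:00:30", "203.0.113.7", "postgres", "fail"),
    ("2023-03-10T02:00:41", "203.0.113.7", "phpmyadmin", "fail"),
    ("2023-03-10T02:00:50", "203.0.113.7", "mysql", "ok"),
    # A user mistyping one password: few failures, single service.
    ("2023-03-10T09:00:00", "198.51.100.20", "mysql", "fail"),
    ("2023-03-10T09:00:05", "198.51.100.20", "mysql", "fail"),
    ("2023-03-10T09:00:09", "198.51.100.20", "mysql", "fail"),
    # Enough failures in total, but spread over hours rather than one window.
    ("2023-03-10T01:00:00", "192.0.2.50", "ftp", "fail"),
    ("2023-03-10T02:00:00", "192.0.2.50", "ftp", "fail"),
    ("2023-03-10T03:00:00", "192.0.2.50", "mysql", "fail"),
    ("2023-03-10T04:00:00", "192.0.2.50", "mysql", "fail"),
    ("2023-03-10T05:00:00", "192.0.2.50", "ftp", "fail"),
]
```

With the default thresholds only `203.0.113.7` is flagged; the `ok` event that follows its failures is the kind of record to pivot on when triaging a flagged source.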