A newly discovered and self-spreading Golang-based malware has been actively dropping XMRig cryptocurrency miners on Windows and Linux servers since early December.
This multi-platform malware also has worm capabilities that allow it to spread to other systems by brute-forcing public-facing services (i.e., MySQL, Tomcat, Jenkins and WebLogic) with weak passwords
as revealed by Intezer security researcher Avigayil Mechtinger.
The attackers behind this campaign have been actively updating the worm's capabilities through its command-and-control (C2) server since it was first spotted which hints at an actively maintained malware.
The C2 server is used to host the bash or PowerShell dropper script (depending on the targeted platform), a Golang-based binary worm, and the XMRig miner deployed to surreptitiously mine for untraceable Monero cryptocurrency on infected devices.
"The ELF worm binary and the bash dropper script are both fully undetected in VirusTotal at the time of this publication," Mechtinger said.
