A new Golang-based malware named GoBruteforcer has been observed targeting web servers to add them to its botnet. It appears to specifically target web servers running phpMyAdmin, MySQL, FTP and Postgres services within a network.
GoBruteforcer uses CIDR block scanning to check a large number of IP addresses for specific open ports. Once a host is found, GoBruteforcer attempts to gain access to the server by brute force, using a set of credentials hard-coded in the binary. If the brute force attack succeeds, it deploys an IRC bot that communicates back to the attacker's infrastructure; the bot is used to execute commands on the system to gather information about the host and its network. GoBruteforcer was also seen using a PHP web shell on a compromised system to achieve remote command execution similar to that of the IRC bot.
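Detection logic for the two behaviours described above, a sweep of service ports across many hosts followed by repeated failed logins against one of them, as an added example that is not part of the original report. It runs over constructed connection-log records; the log format, the port-to-service mapping and the thresholds are assumptions to adapt to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Default listening ports for the services the report names (assumed; adjust).
SERVICE_PORTS = {21: "ftp", 80: "phpmyadmin", 3306: "mysql", 5432: "postgres"}

# Constructed sample records, "<ts> <src> -> <dst>:<port> <event>": 198.51.100.7
# sweeps a /24 for service ports, then brute-forces one MySQL host until a login
# succeeds; 203.0.113.9 is an ordinary client.
SAMPLE_LOG = """\
2023-03-10T12:00:00 198.51.100.7 -> 192.0.2.1:3306 SYN
2023-03-10T12:00:00 198.51.100.7 -> 192.0.2.2:5432 SYN
2023-03-10T12:00:01 198.51.100.7 -> 192.0.2.3:21 SYN
2023-03-10T12:00:01 198.51.100.7 -> 192.0.2.4:80 SYN
2023-03-10T12:00:10 198.51.100.7 -> 192.0.2.5:3306 AUTH_FAIL
2023-03-10T12:00:10 198.51.100.7 -> 192.0.2.5:3306 AUTH_FAIL
2023-03-10T12:00:11 198.51.100.7 -> 192.0.2.5:3306 AUTH_FAIL
2023-03-10T12:00:11 198.51.100.7 -> 192.0.2.5:3306 AUTH_FAIL
2023-03-10T12:00:12 198.51.100.7 -> 192.0.2.5:3306 AUTH_FAIL
2023-03-10T12:00:13 198.51.100.7 -> 192.0.2.5:3306 AUTH_OK
2023-03-10T12:00:20 203.0.113.9 -> 192.0.2.5:3306 AUTH_OK
"""

def analyse(log_text, sweep_hosts=5, sweep_seconds=60, fail_limit=5):
    """Map each suspicious source IP to its findings (sweep / brute force)."""
    first_seen = defaultdict(dict)  # src -> {dst_ip: first contact on a service port}
    fails = defaultdict(int)        # (src, dst_ip, port) -> failed logins
    hits = set()                    # keys where a success followed >= fail_limit failures
    for line in log_text.splitlines():
        ts, src, _, dst, event = line.split()
        dst_ip, port = dst.rsplit(":", 1)
        port = int(port)
        if port in SERVICE_PORTS:
            first_seen[src].setdefault(dst_ip, datetime.fromisoformat(ts))
        key = (src, dst_ip, port)
        if event == "AUTH_FAIL":
            fails[key] += 1
        elif event == "AUTH_OK" and fails[key] >= fail_limit:
            hits.add(key)
    findings = defaultdict(list)
    for src, hosts in first_seen.items():
        times = sorted(hosts.values())
        span = (times[-1] - times[0]).total_seconds()
        if len(hosts) >= sweep_hosts and span <= sweep_seconds:
            findings[src].append(f"sweep: {len(hosts)} hosts in {span:.0f}s")
    for (src, dst_ip, port), n in fails.items():
        if n >= fail_limit:
            state = "succeeded" if (src, dst_ip, port) in hits else "ongoing"
            findings[src].append(f"brute force {state}: {n} failures on {dst_ip}:{port} ({SERVICE_PORTS[port]})")
    return dict(findings)
```

A "succeeded" finding is the one to triage first, since a login accepted after a run of failures is the point at which the report says the IRC bot or web shell gets deployed.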
GoBruteforcer appears to mainly target Unix-like systems, likely because of how widely those operating systems are used to host servers. While the initial infection vector for both GoBruteforcer and the PHP web shell is unknown, the malware is believed to be still under development and is expected to continue evolving its feature set.