Malware written in Go programming language has roots almost a decade ago, few years after its first public release back in 2009: starting from InfoStealer samples discovered since 2012 and abused in cyber-criminal campaigns, to modern cyber arsenal like the Sofacy one. Times ago it was considered an exotic way to code a malware, nowadays it became something more common most of the CSIRTs encountered at least once in their lifetime.
In the last month, a particular sample circulated within InfoSec community: it was written in GoLang and showed an interesting behavior, along with unusual binary patterns, for this reason, Cybaze-Yoroi ZLab decided to deepen the investigation.
GoLang programs compilation generates binaries embedding all the required dependencies, it is one of the principal advantages of this programming language because it avoids the need of installed runtimes within the machine, like the Java Runtime or specific .NET version, simplifying the multi-platform support of the Go applications. One of the main characteristic of the Go compiled binaries is the inclusion of the “Go build ID” field into the PE header.
The analyzed samples contains this particular field confirming the malware has been written in Go language, despite the lack of signature match running PE identification tools.
Navigating the assembly we were able to isolate some interesting chunks of code revealing the malicious capabilities of the sample. We detected an inner routine granting the infection persistence after the system reboot, by running the following batch utility script to install a self-copy into the user startup folder (“AutorunDropper” function).
if not exist “C:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup\svchostphb.exe” copy /Y “C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostphb.exe” “C:/Users/admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/svchostphb.exe”
Also, an interesting reference have been found within the RDATA section of this PE binary: a reference to a so called “TryLogin” and “StartBrut” routine, suggesting some kind of offensive capabilities, subsequently described in “The BruteForce Module” section.
Another interesting finding during the static analysis of the sample is a specific url value, hardcoded into the binary itself. The remote destination points an netherland Provider, ISPIRIA Networks Ltd, hosting the command and control server of the botnet.
Dynamically running the malware, it starts a series of http requests aimed to register the bot to the discovered server. The GET request parameters contains the “phpadmin” value in a quite interesting “worker” field, clear reference of the notorious “PhpMyAdmin” database administration tool, widely deployed across the internet and too many times unnecessarily exposed to the internet.
After the check-in, the bot queries a JSON object resembling a sort of bag of tasks, where the C2 instructs it to try a huge amount of logins on the retrieved web pages.
The core of the bot is the bruteforce module: it has the task to try to login into target services using credentials retrieved from the C2 server, as described in the previous section.
The routine named “StartBrut” has the purpose to prepare the credentials retrieved from the C2, then subroutine “TryLogin” connects to the target host, tries to authenticate using provided credentials and waits for the server response. During these days the botnet was running a campaign leveraging its “phpadmin” module, resulting in attacks to thousand of PhpMyAdmin installation all over the internet.
At this point, we decided to collect the list of targets under the botnet attack and, at time of writing, we identified 40k unique destinations potentially under attack. The distribution of the Top Level Domains shows half of the targets are the “.com” and “.org” ones, surprisingly followed the by Russian TLD, and other Eastern Europe targets. Central and Southern Europe seems are targeted too but with in a lower portion, currently.
The “.it” domains in the botnet targets list are about 400, including professional forum such as “avvocati[.it”, e-commerce portals, company websites and also banks such as “bancamacerata[.it”. A wide spectrum of organization, the full list is available in the section “Italian Targets”.
Digging further into the investigations, we found out this new GoLang bot supports a lot more features, not only for “PhpMyAdmin” one. In fact, we discovered the bot supports 23 functionalities able to target a range of technologies from administrative protocols to CMSes, for instance it is capable to attack SSH logins, FTP sites, exposed MySql service and the two most used CMSes, WordPress and Joomla. Here the list of discovered functionalities:
The attack campaigns are pretty dynamic and may change quickly over the time, further analysis pointet to a specific command and control API where the botnet master enables or disables running offensive operation through the “/project/active” server location. Thus, the bots is instructed of which are the current active campaigns and technologies to be targeted.
The usage of emergent, uncommon, languages and technologies for malware writing is a weapon can be leverage by the attackers to defeat traditional anti-virus based security controls: compilation patterns and artifacts may evade static signature and general heuristics detection. For this reason the security perimeter must include appropriate analysis capabilities to detect and handle this kind of threats.
Also, this new “GoBrut” botnet provides a precious insight of the kind of threat insecure logins and unnecessary exposure are subject to. Showing how cyber-crime actors are able to run wide international criminal operations aimed to opportunistically penetrate organizations, to abuse its infrastructure and steal users logins and sensitive data.
Technical details, including IoCs and Yara Rules, are available in the analysis published