StealthWorker Malware Uses Windows, Linux Bots to Hack Websites

Pierluigi Paganini March 07, 2019

Security experts at FortiGuard uncovered a new malware campaign aimed at delivering the StealthWorker brute-force malware.

The malicious code targets both Windows and Linux systems, compromised systems are used to carry out brute force attacks along with other infected systems.

The malicious code was first discovered by Malwarebytes at the end of February and tracked by malware researchers at Cybaze-Yoroi ZLab as GoBrut.

StealthWorker was linked to hacking campaign aimed at several e-commerce websites running on Magento.
A recent article by Jérôme Segura describes how the bot has been linked to a JavaScript skimmer installation campaign that targeted several web portals in the wild.

The piece of javascript code embedded after the abusive access was able to steal sensitive information such as credentials and credit card numbers (PAN). This attack technique is extremely dangerous and could lead to massive data leak for organizations, as observed back in 2018 when the MageCart group hacked the British Airways infrastructure to install JavaScript skimmers.

Experts at Cybaze-Yoroi Zlab recently obeserved a campaign leveraging a “phpadmin” module, resulting in attacks to thousand of PhpMyAdmin installation all over the internet.

The StealthWorker malware is also able to cPanel Content Management Systems (CMSs), in past campaign it was mainly dropped using the double-packed WallyShack Trojan downloader. In most recent campaigns, threat actors carried out brute force attacks to compromise websites whose administrators used weak or default credentials.

“Additionally, a distributed brute force attack coming from different source IP addresses can effectively bypass anti-brute force solutions, which are usually based on a threshold (e.g., if x failed requests coming from the source, then block the connection for xx minutes).” reads the analysis published by Fortinet.

“The attackers behind this campaign not only target e-commerce websites, but they also attempt to collect all possible vulnerable systems that use weak credentials. Once a vulnerable target host has been confirmed accessible, depending on the system, it can then become another target for embedded skimmers or general data breaches.”

The malicious code gains persistence by creating scheduled tasks on both Windows and Linux machines and copying its code respectively into the Startup folder or to the /tmp folder and setting up a crontab entry.

Once the malware has infected the systems, the malicious code connects the command-and-control (C2) server to inform it that it could accept commands.

The StealthWorker malware is mainly used for checking services running on a targeted server and to launch brute force attacks against them, the malicious code also implements an updating mechanism.

“After being assigned as a worker, the next thing to do is retrieve the tasks to be performed from the C2. A list of hosts and credentials is received from the C2, and the worker’s task is to login to the targeted host.” continues the analysis.

“We can see that every time a request is made to the URL it receives a new set of hosts and credentials. If a login is successful, the worker will report the used host and credentials to the C2 as “saveGood” “

stealthworker malware

Experts pointed out the botnet used to carry out brute force attacks as part of a large distributed campaign could be very effective and dangerous.

“A brute force attack is very resource intensive, but using the collective processing power of a bot army, like the one used by this campaign, the task can be efficiently distributed for a much higher rate of success.” concludes the expert.

“As we have seen in this new StealthWorker campaign, the malware developers have also taken further steps to increase their rate of success by also being able to infect a wider range of platforms.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – StealthWorker , hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment