Researchers have discovered a new self-spreading Golang-based malware that continues the trend of multi-platform malware seen in 2020. This crypto-mining malware exploits known vulnerabilities to hijack the victim’s computing resources.
The Golang Worm
The newly identified Golang worm targets both Windows and Linux servers and can easily move from one platform to the other.
- Three files are used in the attack – a dropper script (bash or PowerShell), a Golang-based worm, and an XMRig miner on the exploited service.
- Public-facing services such as Jenkins, MySQL, and Tomcat admin panel that have weak passwords are targeted by the worm.
- In addition, an older version of the worm attempted to exploit the latest Oracle WebLogic remote code execution vulnerability (CVE-2020-14882).
- The malware scans networks using TCP SYN scans and spreads across them by launching credential-spraying brute-force attacks against the services it finds.
Recently, a multi-platform credit card skimmer was detected that could harvest payment information from compromised stores running on popular e-commerce platforms, including Shopify, BigCommerce, Zen Cart, and WooCommerce. In another case, PyMICROPSIA was identified targeting Windows; however, its code was found to contain snippets that could target additional operating systems, such as POSIX or Darwin, making it a potential multi-platform threat.
Given the rise of such multi-platform malware, our internal experts advise organizations to use defense-in-depth strategies to protect against these cyber threats. Furthermore, users should use complex passwords, limit login attempts, and enable multi-factor authentication.
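The worm's spreading behaviour described above (one source trying many usernames against an exposed service) and the advice to limit login attempts both come down to watching failed-login events per source address. The following Python script is an added example, not code from the eScan post or from the malware analysis it summarizes. It runs over a few constructed log lines in a hypothetical `<timestamp> FAILED_LOGIN src=<ip> user=<name>` format and separates two patterns: credential spraying (many distinct usernames from one source in a short window, the worm's pattern) and classic brute force (repeated failures against a single account). The one-minute window and the thresholds are assumptions chosen for the sample data, not values from the post.

```python
"""Flag credential spraying and brute force in failed-login logs.

Added example (not from the eScan post). The log format, the window
size and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays six different usernames in
# six seconds (the worm's pattern); 198.51.100.20 hammers one account.
SAMPLE_LOG = """\
2021-01-04T10:00:01 FAILED_LOGIN src=203.0.113.7 user=admin
2021-01-04T10:00:02 FAILED_LOGIN src=203.0.113.7 user=root
2021-01-04T10:00:03 FAILED_LOGIN src=203.0.113.7 user=jenkins
2021-01-04T10:00:04 FAILED_LOGIN src=203.0.113.7 user=tomcat
2021-01-04T10:00:05 FAILED_LOGIN src=203.0.113.7 user=mysql
2021-01-04T10:00:06 FAILED_LOGIN src=203.0.113.7 user=deploy
2021-01-04T10:05:00 FAILED_LOGIN src=198.51.100.20 user=alice
2021-01-04T10:05:30 FAILED_LOGIN src=198.51.100.20 user=alice
2021-01-04T10:06:00 FAILED_LOGIN src=198.51.100.20 user=alice
"""

WINDOW = timedelta(minutes=1)  # assumption: sliding window length
SPRAY_THRESHOLD = 5            # assumption: distinct users from one source per window
BRUTE_THRESHOLD = 3            # assumption: failures against one account per window


def parse_line(line):
    """Parse one hypothetical-format line into (timestamp, src, user) or None."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "FAILED_LOGIN":
        return None
    ts = datetime.fromisoformat(parts[0])
    src = parts[2].split("=", 1)[1]
    user = parts[3].split("=", 1)[1]
    return (ts, src, user)


def parse_log(text):
    """Return all failed-login events from the log text, sorted by time."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return sorted(e for e in events if e is not None)


def detect(events, window=WINDOW, spray_threshold=SPRAY_THRESHOLD,
           brute_threshold=BRUTE_THRESHOLD):
    """Slide a window over each source's failures.

    Returns {"spray": {src: max_distinct_users},
             "brute": {(src, user): max_failures}} for sources that
    cross the thresholds within any window.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    spray, brute = {}, {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Usernames attempted by this source within `window` of `start`.
            in_window = [u for t, u in items[i:] if t - start <= window]
            distinct = set(in_window)
            if len(distinct) >= spray_threshold:
                spray[src] = max(spray.get(src, 0), len(distinct))
            for u in distinct:
                n = in_window.count(u)
                if n >= brute_threshold:
                    brute[(src, u)] = max(brute.get((src, u), 0), n)
    return {"spray": spray, "brute": brute}


if __name__ == "__main__":
    findings = detect(parse_log(SAMPLE_LOG))
    for src, n in findings["spray"].items():
        print(f"credential spraying from {src}: {n} distinct usernames")
    for (src, user), n in findings["brute"].items():
        print(f"brute force from {src} against {user}: {n} failures")
```

Jenkins, MySQL and Tomcat each write authentication failures in their own formats, so only `parse_line` needs adapting per service; the windowing in `detect` is independent of the source. Treating the two patterns separately matters for the mitigation named above: per-account lockout or attempt limits stop the single-account case but do little against spraying, which spreads attempts across many accounts and is better answered by rate-limiting or blocking the source address.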
To read more, please check eScan Blog