Bruteforce bot recruitment uses GoBrut malware on content management systems

News by Rene Millman

Security researchers have discovered a new GoBrut botnet variant and C2 server being used to mount bruteforce attacks on content management systems to recruit new bots.

The new GoBrut variant is written in Golang and has also targeted technologies such as SSH and MySQL. Once infected, the host joins the GoBrut botnet and requests work from the C2 (Command and Control) server. After work is received, the infected host proceeds to bruteforce the targets detailed in the work request sent by the botnet owner.

According to a blog post by researchers at Alert Logic, the new variant was found targeting Unix systems. Previously, the malware had focused on Windows systems.

"As a significant portion of the internet runs open source Linux technology stacks, this significantly increases the proportion of the internet at risk. This is backed up by our internal telemetry – in which we have observed attacks from ~11,000 compromised servers originating from approximately 1568 WordPress sites," researchers said.

The malware contacts C2 servers similar to those used by the Windows variants, but adds an additional persistence step in the form of a cron job.

Further analysis of the malware’s inner workings observed 11,788 unique hosts, with a peak of 2,666 hosts observed in a 24-hour period, starting from January 24, 2019. The average number of bots in operation at one time started at around 500 and has recently (from 19 March 2019) shown a five-fold increase to a peak of 2,666.

"This suggests that the botnet is becoming increasingly successful in its ability to infect and recruit victim hosts. It is important to state that user-agents are not necessarily the most reliable indicator, since they may be changed easily or across different forks. As a result, we expect these numbers to reflect the minimum size rather than the total scale of the botnet," warned researchers.

Researchers were also able to find out how much the botnet was being used by attackers at any one time.

"What was interesting was that we observed an uptick in the amount of WordPress exploitation attempts which matched this pattern – despite us knowing that the botnet is explicitly asking for Magento and phpMyAdmin work," researchers said.

Researchers said that the botnet is growing, with WordPress websites being one of the most compromised technologies.

"If the most successful initial entry vector is assumed to be brute force attacks, then website and server owners should apply access control for remote logins across all services to mitigate the threat," said researchers.

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that maintaining a published CMS and keeping up with the latest updates is the first line of defence against these attacks.

"CMS have been targeted for years now and the scanning for vulnerabilities has been continuous. The SSH, Telnet and FTP access to CMS servers should be protected by strong passwords and accesses logged while lock out features should be enabled to minimise the risk of account brute forcing or dictionary attacks," he said.
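
One way to act on the logging and lock-out advice above, as an added example that is not from the article or the Alert Logic research: a sliding-window counter over web access logs that flags both a single source hammering a login page and a login endpoint receiving attempts from many sources at once. The endpoint list, thresholds and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed login endpoints; replace with the paths your own deployment exposes.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/phpmyadmin/index.php")
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')

def parse(line):
    """Return (time, ip, path) for a POST to a login endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    path = m["path"].split("?", 1)[0]
    if not path.startswith(LOGIN_PATHS):
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], path

def detect(lines, per_ip_limit=5, per_path_limit=8, window=timedelta(minutes=5)):
    """Flag source IPs and endpoints whose login POST count exceeds a limit in the window.
    The user-agent is ignored on purpose: the client can change it at will."""
    by_ip, by_path = defaultdict(deque), defaultdict(deque)
    noisy_ips, hot_paths = set(), set()
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, ip, path = event
        for key, table, limit, flagged in ((ip, by_ip, per_ip_limit, noisy_ips),
                                           (path, by_path, per_path_limit, hot_paths)):
            q = table[key]
            q.append(ts)
            while ts - q[0] > window:      # drop attempts older than the window
                q.popleft()
            if len(q) > limit:
                flagged.add(key)
    return noisy_ips, hot_paths

def sample_log():
    """Constructed access-log lines using documentation IP ranges, not real traffic."""
    fmt = '{ip} - - [24/Jan/2019:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip="203.0.113.10", m=0, s=i * 5, req="POST /wp-login.php", ua=f"UA-{i}")
             for i in range(6)]            # one host, six tries, rotating user-agent
    lines += [fmt.format(ip=f"198.51.100.{i}", m=1, s=i, req="POST /phpmyadmin/index.php", ua="Mozilla/5.0")
              for i in range(1, 10)]       # nine hosts, one try each
    lines.append(fmt.format(ip="192.0.2.7", m=2, s=0, req="GET /wp-login.php", ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

On the sample, the per-IP counter catches the single host despite its rotating user-agent, while only the per-endpoint counter catches the nine hosts that each make one attempt and would stay under any per-IP lock-out.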
