An updated version of the brute-force malware StealthWorker has been discovered by security researchers. The new version amasses an army of bots to brute force its way into infecting e-commerce sites and content management systems.
According to a blog post by researchers at Fortinet, the malware has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details.
The malware, discovered by Malwarebytes at the end of February, is exploiting several vulnerabilities to infect Magento, phpMyAdmin and other content management systems (CMSs). The new version targets both Windows and Linux platforms.
A compromised machine is then turned into a bot that connects to a C2 server, after which it can take part in distributed brute-force attack campaigns.
"After being assigned as a worker, the next thing to do is retrieve the tasks to be performed from the C2. A list of hosts and credentials is received from the C2, and the worker’s task is to log in to the targeted host," said Rommel Joven of Fortinet.
Joven said that a brute-force attack is very resource-intensive, but using the collective processing power of a bot army, like the one used by this campaign, the task can be efficiently distributed for a much higher rate of success.
"As we have seen in this new StealthWorker campaign, the malware developers have also taken further steps to increase their rate of success by also being able to infect a wider range of platforms," he said.
He added that the attackers behind this campaign not only target e-commerce websites, but they also attempt to collect all possible vulnerable systems that use weak credentials. "Once a vulnerable target host has been confirmed accessible, depending on the system, it can then become another target for embedded skimmers or general data breaches," he added.
Chris Boyd, lead malware analyst at Malwarebytes, told SC Media UK that protecting a CMS involves many steps: the web host, the CMS itself or even outdated plugins could be a way for the attacker to make their mark. "In many cases, it's trivial for attackers to figure out which CMS system has been deployed before getting down to business," he said.
"It's also tough to defend against distributed brute force attacks, which is why some webmasters turn to IP whitelisting. This is where they only allow access to critical CMS components from specific IPs, rather than trying to stem the tide by denying access to random IPs after a handful of incorrect logins. There is no easy solution to these attacks, which is why they're currently so popular and a particular bugbear for smaller businesses who may not have the budget or expertise to lock everything down."
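Boyd's point that banning an IP after a handful of failures does little against a botnet spreading its guesses across many addresses is easier to see in access-log data. The following is an added example (not code from SC Media, Malwarebytes or Fortinet): it aggregates failed logins per CMS login path across all source IPs, flags the distributed pattern that a per-IP lockout never reaches, and lists login-path requests from outside an assumed IP allow-list of the kind he describes. The log lines, login paths, allow-list range and the 401/403 failure convention are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/admin/", "/wp-login.php", "/phpmyadmin/index.php")   # hypothetical CMS login paths
ADMIN_ALLOWLIST = [ip_network("192.0.2.0/24")]                          # assumed webmaster range

def _line(ip, status, sec):
    # Constructed Apache combined-format access log line, not real traffic.
    return f'{ip} - - [01/Mar/2019:10:00:{sec:02d} +0000] "POST /admin/ HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Four constructed bot addresses each fail three admin logins, staying under a typical
# per-IP lockout of five, plus one successful login from the allow-listed range.
BOT_IPS = ["198.51.100.10", "198.51.100.11", "203.0.113.5", "203.0.113.7"]
SAMPLE_LOG = "\n".join([_line(ip, 401, 3 * i + j) for i, ip in enumerate(BOT_IPS) for j in range(3)]
                       + [_line("192.0.2.50", 302, 59)])

def parse(log_text):
    """Yield (ip, method, path, status) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))

def distributed_bruteforce(log_text, per_ip_lockout=5, total_threshold=10, min_sources=3):
    """Flag login paths whose failed POSTs (assumed to answer 401/403), summed across all
    source IPs, reach total_threshold from at least min_sources addresses while no single
    address reached per_ip_lockout. Returns {path: (total_failures, distinct_ips)}."""
    failures = defaultdict(Counter)
    for ip, method, path, status in parse(log_text):
        if method == "POST" and path in LOGIN_PATHS and status in (401, 403):
            failures[path][ip] += 1
    flagged = {}
    for path, by_ip in failures.items():
        total = sum(by_ip.values())
        if total >= total_threshold and len(by_ip) >= min_sources and max(by_ip.values()) < per_ip_lockout:
            flagged[path] = (total, len(by_ip))
    return flagged

def non_allowlisted_admin_sources(log_text):
    """IPs that reached a login path from outside ADMIN_ALLOWLIST; with the allow-list
    enforced at the web server these requests would be rejected before the login handler."""
    return sorted({ip for ip, _, path, _ in parse(log_text)
                   if path in LOGIN_PATHS and not any(ip_address(ip) in net for net in ADMIN_ALLOWLIST)})

if __name__ == "__main__":
    print(distributed_bruteforce(SAMPLE_LOG))   # {'/admin/': (12, 4)}
```

Raising `per_ip_lockout` to 3 in the call makes the same log fall silent, which is exactly the blind spot a purely per-IP ban leaves open.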
"Brute force password attacks generally aren't quite as 'brute' as just starting at AAA...AAA and going through to ZZZ...ZZZ," Paul Ducklin, senior technologist at Sophos, told SC Media UK.
"They generally try the most obvious passwords first - passwords like 'changeme', 'yourusername99' or '123456789'. So, the longer and more random your password, the later in the list it's likely to be tried, and the less likely it is to get brute-forced. So, guess what? Pick a proper password! Using a password manager helps, because it can remember the text '46jnZHveie#4mAt' just as easily as you can remember 'password99'. And use two-factor authentication, too, so even if the brute-force attack eventually figures out your password some time in 2027, it won't have the one-time code it will then need to complete its login."