Full Report
GoBruteforcer is a new kind of botnet malware that is written in Golang, and targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The following information is based on samples discovered by researchers in March 2023. The GoBruteforcer ma...
Analysis Summary
# Tool/Technique: GoBruteforcer
## Overview
GoBruteforcer is a newly discovered botnet malware written in Golang, designed to compromise web servers running specific database and web services, primarily targeting credentials through brute-forcing. Upon successful compromise, it installs a secondary payload (IRC bot or PHP web shell) to establish command and control and execute further instructions.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Web Servers (Linux/Various OS hosting the targeted services)
- Capabilities: Credential brute-forcing, service scanning (MySQL, FTP, PostgreSQL, phpMyAdmin), C2 communication, payload installation (IRC bot or PHP web shell).
- First Seen: March 2023 (based on samples discovered)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1110 - Brute Force
    - T1110.001 - Password Guessing (used against remote services such as FTP and MySQL)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (likely used for communication via the PHP web shell)
## Functionality
### Core Capabilities
- **Targeted Scanning:** Systematically scans IP addresses using CIDR blocks to identify hosts exposing the targeted services: phpMyAdmin, MySQL, FTP, and PostgreSQL.
- **Credential Guessing:** Employs hard-coded credentials to attempt unauthorized logins against the discovered services (Bruteforcing).
- **Payload Delivery:** Installs persistent access mechanisms upon successful compromise:
  - IRC bot on compromised phpMyAdmin systems.
  - PHP web shell on other targeted services (MySQL, FTP, Postgres).
- **C2 Communication:** Communicates with a command-and-control server via the established payload (IRC or web shell) to receive further instructions.
### Advanced Features
- **Multi-scan Module:** Features a module that selects and scans entire CIDR blocks to amplify the attack surface and target a diverse range of hosts rapidly.
- **Golang Implementation:** Written in Golang, which simplifies cross-platform compilation and may give the binary some evasion advantages against signature-based tooling.
## Indicators of Compromise
- File Hashes: N/A (Information not provided in the text)
- File Names: N/A (Information not provided in the text)
- Registry Keys: N/A (Information not provided in the text, likely targeting non-Windows systems)
- Network Indicators: N/A (Specific C2 addresses not detailed, but communication involves IRC and HTTP/S via web shells)
- Behavioral Indicators: Attempts to authenticate using hard-coded credentials against MySQL, FTP, and PostgreSQL ports; installation of PHP web shells or IRC clients on compromised hosts.
## Associated Threat Actors
- GoBruteforcer operator (Specific group name not provided, referred to generically)
## Detection Methods
- Signature-based detection: Signatures for the specific GoBruteforcer binary structure (Golang compilation).
- Behavioral detection: Monitoring for systematic scanning across CIDR blocks targeting common service ports (21, 3306, 5432), bursts of failed remote logins from a single source against several services, and subsequent file drops or web shell activity on the targeted hosts.
- YARA rules: N/A (Information not provided in the text)
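The behavioral detection described above can be reduced to a small correlation rule: one source address generating failed logins against several of the targeted services inside a short window, optionally followed by a successful login from the same source. The following script is an added example and is not part of the original report; the log lines are constructed for illustration (the MySQL, vsftpd and PostgreSQL message formats are approximations of the real ones), and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Each line carries an ISO
# timestamp, a service tag and an authentication message from that service.
SAMPLE_LOGS = """\
2023-03-10T12:00:01Z mysql Access denied for user 'root'@'198.51.100.7' (using password: YES)
2023-03-10T12:00:02Z mysql Access denied for user 'admin'@'198.51.100.7' (using password: YES)
2023-03-10T12:00:03Z vsftpd FAIL LOGIN: Client "198.51.100.7"
2023-03-10T12:00:04Z vsftpd FAIL LOGIN: Client "198.51.100.7"
2023-03-10T12:00:05Z postgres FATAL: password authentication failed for user "postgres" host=198.51.100.7
2023-03-10T12:00:06Z postgres FATAL: password authentication failed for user "postgres" host=198.51.100.7
2023-03-10T12:00:07Z postgres connection authorized: user=postgres host=198.51.100.7
2023-03-10T12:05:00Z vsftpd FAIL LOGIN: Client "192.0.2.9"
2023-03-10T12:30:00Z mysql Access denied for user 'app'@'203.0.113.4' (using password: YES)
"""

# (service, regex, outcome) triples; each regex captures the source IP.
PATTERNS = [
    ("mysql", re.compile(r"Access denied for user '[^']*'@'(?P<ip>[\d.]+)'"), "fail"),
    ("ftp", re.compile(r'FAIL LOGIN: Client "(?P<ip>[\d.]+)"'), "fail"),
    ("postgres", re.compile(r"password authentication failed .* host=(?P<ip>[\d.]+)"), "fail"),
    ("postgres", re.compile(r"connection authorized: .* host=(?P<ip>[\d.]+)"), "success"),
]


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not an auth event."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    for service, pattern, outcome in PATTERNS:
        m = pattern.search(rest)
        if m:
            return {"ts": ts, "service": service, "ip": m.group("ip"), "outcome": outcome}
    return None


def detect(log_text, window=timedelta(minutes=5), min_failures=4, min_services=2):
    """Flag sources whose failed logins span several services within `window`.

    One alert per source; `success_after_failures` is set when the same source
    later authenticates successfully inside the window, which is the pattern a
    brute-force that found a hard-coded credential would leave behind.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "fail"]
        for i, start in enumerate(fails):
            end = start["ts"] + window
            in_window = [e for e in fails[i:] if e["ts"] <= end]
            services = {e["service"] for e in in_window}
            if len(in_window) >= min_failures and len(services) >= min_services:
                success_after = any(
                    e["outcome"] == "success" and start["ts"] <= e["ts"] <= end for e in evs
                )
                alerts.append({
                    "ip": ip,
                    "first_seen": start["ts"],
                    "failures": len(in_window),
                    "services": sorted(services),
                    "success_after_failures": success_after,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, only `198.51.100.7` is reported: six failures across FTP, MySQL and PostgreSQL in a few seconds, followed by a successful PostgreSQL login. The single failures from the other two sources stay below the threshold, which is the point of correlating across services rather than alerting on every failed login.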
## Mitigation Strategies
- **Prevention:** Disable or restrict access to exposed services (MySQL, FTP, PostgreSQL) from the public internet.
- **Hardening Recommendations:** Implement strong, unique passwords for all services (MySQL, FTP). Utilize multi-factor authentication where feasible. Ensure phpMyAdmin installations are secured, updated, and preferably placed behind a VPN or strong access control list (ACL).
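The prevention and hardening points above come down to two checks that are easy to automate: whether the database daemon listens on every interface, and whether its client authentication rules accept connections from any address or use weak methods. The script below is an added example, not part of the original report or of any MySQL/PostgreSQL tooling; the `my.cnf` and `pg_hba.conf` fragments are constructed, with a weak configuration beside a hardened one, and the checks assume current MySQL defaults (no `bind-address` means listening on all interfaces).

```python
import ipaddress
import re

# Constructed configuration fragments for illustration (not from any real host).
WEAK_MY_CNF = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

HARDENED_MY_CNF = """\
[mysqld]
bind-address = 127.0.0.1
port = 3306
"""

WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   0.0.0.0/0      md5
host    all       all   ::/0           trust
"""

HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   10.0.0.0/8     scram-sha-256
host    all       all   127.0.0.1/32   scram-sha-256
"""


def audit_my_cnf(text):
    """Return findings for a my.cnf that leaves port 3306 reachable from anywhere."""
    findings = []
    seen_bind = False
    for line in text.splitlines():
        m = re.match(r"\s*bind[-_]address\s*=\s*(\S+)", line)
        if not m:
            continue
        seen_bind = True
        addr = m.group(1)
        if addr in ("0.0.0.0", "::", "*"):
            findings.append(f"mysqld listens on all interfaces (bind-address={addr})")
    if not seen_bind:
        # MySQL 8 defaults bind_address to '*', i.e. all interfaces.
        findings.append("bind-address not set; mysqld defaults to all interfaces")
    return findings


def audit_pg_hba(text):
    """Return findings for pg_hba.conf rules that are too permissive."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Only TCP rules carry an ADDRESS column; 'local' rules use Unix sockets.
        if fields[0] not in ("host", "hostssl", "hostnossl") or len(fields) < 5:
            continue
        rule_type, db, user, addr, method = fields[:5]
        try:
            wide_open = ipaddress.ip_network(addr, strict=False).prefixlen == 0
        except ValueError:
            wide_open = addr == "all"  # pg_hba keyword matching any client address
        if method == "trust":
            findings.append(f"{rule_type} {db} {user} {addr}: 'trust' needs no password at all")
        if wide_open and method != "reject":
            findings.append(f"{rule_type} {db} {user} {addr}: accepts any client address with {method}")
        if method in ("md5", "password"):
            findings.append(f"{rule_type} {db} {user} {addr}: {method} is weaker than scram-sha-256")
    return findings


if __name__ == "__main__":
    for name, text, fn in [("weak my.cnf", WEAK_MY_CNF, audit_my_cnf),
                           ("hardened my.cnf", HARDENED_MY_CNF, audit_my_cnf),
                           ("weak pg_hba.conf", WEAK_PG_HBA, audit_pg_hba),
                           ("hardened pg_hba.conf", HARDENED_PG_HBA, audit_pg_hba)]:
        print(name, "->", fn(text) or "no findings")
```

The weak MySQL fragment yields one finding (listening on every interface) and the weak `pg_hba.conf` four (a rule open to any IPv4 address with md5, and an IPv6 rule that is both open to any address and uses `trust`); the hardened fragments yield none. Restricting the listener and the client address ranges removes the internet-facing surface that GoBruteforcer's CIDR scanning depends on, and moving to scram-sha-256 limits what an attacker gains from captured credential hashes.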
## Related Tools/Techniques
- General brute-force tools targeting SSH/RDP.
- Other Golang-based botnets (e.g., Kinsing, Muhstik), where C2 infrastructure or compilation style overlaps.