Researchers from Palo Alto Networks’ Unit 42 have discovered a new botnet malware called GoBruteforcer that targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
The malware, which is compatible with x86, x64, and ARM architectures, uses brute force attacks to compromise vulnerable *nix devices with weak or default passwords. Once the malware gains access, it deploys an IRC bot on phpMyAdmin systems or a PHP web shell on servers running other targeted services.
To infiltrate networks, GoBruteforcer uses a multiscan module to scan for potential victims within a Classless Inter-Domain Routing (CIDR). Before scanning for IP addresses to attack, the malware selects a CIDR block and targets all IP addresses within that range.
By using CIDR block scanning, the botnet malware gains access to a diverse range of hosts on various IP addresses, increasing the reach of the attack.
GoBruteforcer is likely under active development, with its operators expected to adapt their tactics and capabilities to stay ahead of security defenses. Researchers have seen the malware remotely deploy various types of malware as payloads, including coinminers.
The researchers also warn that initial infection vectors or payloads could change in the near future, making it even more important for web servers to have strong passwords and security measures in place to prevent cyberattacks.