Though not often seen in the threat landscape, the Golang malware was first identified in mid-2018 and has sustained throughout 2019. Researchers noted the latest operation, which has infected an estimated several thousand machines, began around June 10. The first exploit requests were identified around June 16.
Using the cryptonight algorithm to mine XMR, the attacker has earned less than $2000 USD, a figure based only on the wallets the F5 Labs miners were using. Researchers added that it is possible the attacker has several wallets used by different parts of his botnet.
“F5 researchers detected malicious requests targeting vulnerabilities in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and Drupal (CVE-2018-7600) also known as Druppalgeddon2,” the report said.
The malware campaign reportedly propagates using seven different methods, which include four web application exploits, SSH credentials enumeration, Redis database passwords enumeration, and an attempt to connect other machines through the use of discovered SSH keys.
“Some of these vulnerabilities are common targets, however, the delivered malware in this campaign was written in Go (Golang), a newer programming language not typically used to create malware,” the researchers wrote.
As Golang is not typically detected by anti-virus software, malicious actors have started using it as a malware language. “Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware. One of the earlier Golang samples was analyzed and published beginning of January 2019,” the report said.
To host the spearhead bash script, attackers reportedly use pastebin.com, an online clipboard service. According to the report, the malware is hosted on a Chinese ecommerce website that has already been compromised. Combined with additional indicators, such as the online clipboard, GitHhub usernames, researchers suspect this could be the work of a Chinese speaking attacker.