A new Golang malware is in the wild that targets Windows and Linux systems alike. This Golang worm can spread quickly as it transforms that infected machines into crypto miners.
Golang Worm Dropping XMRig
Researchers from Intezer have shared insights about the newly discovered Golang worm in their recent post.
As revealed, the new malware is written in Golang and targets both Windows and Linux systems. The main aim of this malware is to drop XMRig miners on infected devices to mine Monero on a large-scale.
To achieve a large-scale infection, the malware possesses wormable capabilities. It means it can spread laterally via public-facing services to other devices, especially, the ones with weak passwords, such as MySQL, Tomcat admin panel, and Jenkins. Though, the older malware versions could also exploit the vulnerability CVE-2020-14882 affecting Oracle WebLogic.
The attack precisely involves three components – a dropper script, Golang binary (worm), and XMRig miner.
Briefly, upon reaching the target device, the malware first checks if the device is listening on port 52013. If found, the malware kills itself right away. If not, then the malware opens its network socket on the port and the infection executes. The malware drops the worm and the XMRig Miner on the target Linux or Windows systems.
Detailed technical analysis of the malware is available in the researchers’ post.
Suggested Mitigations
According to Intezer, they found zero detections of the malware on VirusTotal when they shared the analysis.
Therefore, users need to adopt preventive security measures to fend-off this attack.
For this, the researchers advise deploying strong passwords with 2FA, limiting login attempts, reduce the use of public-facing services, keeping the software updated, and to use cloud workload protection.
While the malware trended in 2020, the researchers believe that this Golang malware trend will continue in 2021 as well.