Attacks traced to IP addresses in China: the malware that previously infected only Linux systems now also targets Windows servers to mine Monero.
There is nothing new about attackers writing malware in the Go (Golang) programming language to steal data from victims and evade detection. This variant, however, targets servers rather than end users, and it hits both Windows and Linux machines.
Attack volume is still low because the variant is so new, but attacks have already been detected from seven source IP addresses, all based in China.
The new variant of the Golang malware attacks web application frameworks and application servers, as well as non-HTTP services such as Redis and MSSQL. Its main goal is to mine Monero cryptocurrency using a well-known miner, XMRig. The malware spreads as a worm, scanning for and infecting other vulnerable machines.
Previously only hit Linux systems
Earlier variants of this malware targeted only Linux machines, but this iteration also attacks Windows machines and uses a new pool of exploits, in some cases targeting the ThinkPHP web application framework, which is popular in China. Like other malware families, it will presumably keep evolving and adding exploits.
James Forbes-May, Vice President, Asia-Pacific, at Barracuda, said: “In order to protect against this new malware variant, it’s crucial to make sure you have a properly configured web application firewall in place. This malware variant spreads by scanning the internet for vulnerable machines. Many organizations overlook application security, but it’s still a top threat vector that cybercriminals look to exploit.”
Forbes-May advises IT teams to make sure their systems are up to date on patches and updates, to have a solution in place to monitor for this kind of activity, to understand how this malware variant works, and to know the warning signs.
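One concrete warning sign follows directly from how the worm propagates: a single source address opening connections to the same service port (Redis on 6379, MSSQL on 1433, HTTP on 80/443/8080) on many different hosts in a short window. The script below, written as an added example and not code from the article or from Barracuda, flags that pattern in connection logs. The log line format, the sample log, the watched-port list and the threshold are all assumptions constructed for this example; adapt the regular expression to your firewall or NetFlow export.

```python
"""Flag source hosts that sweep the network for the services this worm targets.

Added example, not from the article. The log format, sample data, port list
and threshold below are constructed assumptions, not observed indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Default ports of the services named in the article (Redis 6379, MSSQL 1433)
# plus common HTTP ports used by web application frameworks such as ThinkPHP.
WATCHED_PORTS = {6379: "redis", 1433: "mssql", 80: "http", 443: "https", 8080: "http-alt"}

# Hypothetical connection log format: "<iso timestamp> src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(lines, min_targets=5, window=timedelta(minutes=10)):
    """Return {src: {service: distinct_hosts}} for every source that contacted at
    least `min_targets` distinct destinations on one watched port within `window`.

    A busy but legitimate client talks to the same few hosts repeatedly, so we
    count distinct destinations rather than raw connection attempts.
    """
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport in WATCHED_PORTS:
            events[(src, dport)].append((ts, dst))

    hits = defaultdict(dict)
    for (src, dport), evs in events.items():
        evs.sort()
        best, lo = 0, 0
        # Sliding window over time-ordered events; evs[lo:hi+1] always spans <= window.
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        if best >= min_targets:
            hits[src][WATCHED_PORTS[dport]] = best
    return dict(hits)


# Constructed sample log: one scanner, one legitimate Redis client, some noise.
SAMPLE_LOG = [
    # scanner sweeping Redis across eight hosts in well under two minutes
    *[f"2020-07-01T10:00:{i:02d} src=198.51.100.7 dst=10.0.0.{i + 1} dport=6379" for i in range(8)],
    # same source probing MSSQL on three hosts (below the default threshold)
    "2020-07-01T10:01:00 src=198.51.100.7 dst=10.0.0.2 dport=1433",
    "2020-07-01T10:01:05 src=198.51.100.7 dst=10.0.0.3 dport=1433",
    "2020-07-01T10:01:09 src=198.51.100.7 dst=10.0.0.4 dport=1433",
    # application server talking to a single Redis instance many times: benign
    *[f"2020-07-01T10:00:{i:02d} src=10.0.0.50 dst=10.0.0.1 dport=6379" for i in range(0, 60, 5)],
    # unrelated SSH connection on an unwatched port, and an unparseable line
    "2020-07-01T10:02:00 src=10.0.0.51 dst=10.0.0.1 dport=22",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, services in find_scanners(SAMPLE_LOG).items():
        for service, n in services.items():
            print(f"{src} contacted {n} distinct hosts on {service}")
```

With the defaults this reports only 198.51.100.7 on Redis; the same source's three MSSQL probes stay below the threshold and the application server that hammers one Redis instance is ignored, because the metric is distinct destinations per port, not connection count. Lowering `min_targets` trades false positives for earlier warning, which is the usual tuning knob for sweep detection.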