Web servers running MySQL, FTP, Postgres, and phpMyAdmin services are being targeted by the novel GoBruteforcer malware, which exploits weak credentials to compromise devices, reports BleepingComputer.
After scanning for compatible servers and identifying open ports for connections, GoBruteforcer attempts log-ins with hard-coded credentials, followed by the deployment of either an IRC bot or a PHP web shell, according to a report from Palo Alto Networks' Unit 42.
Researchers found that GoBruteforcer then communicates with its command-and-control server, uses a multiscan module to identify more victims, and targets all IP addresses in a specific Classless Inter-Domain Routing block to maximize the range of the intrusion.
"We've seen this malware remotely deploy a variety of different types of malware as payloads, including coinminers. We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future," said researchers.
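The block-wide credential guessing described above leaves a recognizable trace in failed-login telemetry: one source failing against many distinct hosts in the same CIDR block on the targeted services. The following detection sketch is an added example, not code from the Unit 42 report or this article; the event tuple format, the default ports, the /24 grouping and the five-host threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Services the report names as targets, keyed by default port (ports are an
# assumption of this example; phpMyAdmin is reached over HTTP/HTTPS).
TARGET_PORTS = {21: "ftp", 3306: "mysql", 5432: "postgres",
                80: "phpmyadmin", 443: "phpmyadmin"}

# Constructed failed-login events: (source IP, destination IP, destination port).
SAMPLE_EVENTS = (
    [("203.0.113.7", f"10.20.30.{h}", 3306) for h in range(1, 9)]
    + [("203.0.113.7", f"10.20.30.{h}", 21) for h in range(1, 5)]
    + [("198.51.100.4", "10.20.30.5", 3306)] * 6   # one host hammered, not a sweep
    + [("192.0.2.9", "10.20.30.2", 22), ("192.0.2.9", "10.20.31.3", 5432)]
)

def find_cidr_sweeps(events, prefix_len=24, min_hosts=5):
    """Return sources whose failed logins hit >= min_hosts distinct hosts in one block."""
    hosts = defaultdict(set)      # (src, block) -> distinct destination hosts
    services = defaultdict(set)   # (src, block) -> targeted services attempted
    for src, dst, port in events:
        service = TARGET_PORTS.get(port)
        if service is None:
            continue              # not one of the services named in the report
        block = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        hosts[(src, block)].add(dst)
        services[(src, block)].add(service)
    findings = []
    for (src, block), dsts in hosts.items():
        if len(dsts) >= min_hosts:
            findings.append({
                "source": src,
                "block": str(block),
                "hosts": len(dsts),
                "services": sorted(services[(src, block)]),
            })
    return sorted(findings, key=lambda f: f["hosts"], reverse=True)

if __name__ == "__main__":
    for finding in find_cidr_sweeps(SAMPLE_EVENTS):
        print(finding)
```

Counting distinct destination hosts rather than raw failures separates a block sweep from a single misconfigured client retrying against one server.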