Golang malware infecting Windows, Linux servers with XMRig miner

Golang malware has been active since last month targeting both Linux and Windows-based servers.

Multi-platform malware is somewhat more dangerous than single-platform malware, since one codebase can infect several operating systems at once. The latest example of this is a Golang-based malware.

The malware has been actively involved in installing the XMRig miner on both Windows and Linux servers since the start of December 2020 in order to mine cryptocurrencies.

These servers are targeted because they are public-facing (exposing, for example, MySQL databases or Tomcat admin panels) and are run with poor security practices.

Discovered by cybersecurity researchers at Intezer, the malware operates using three main files hosted on a C2 server:

  1. A Bash or PowerShell script that drops the malware
  2. A Golang-based binary worm
  3. The XMRig miner itself

Since the first two files (in their Linux versions) went undetected on analysis platforms such as VirusTotal, the malware has clearly managed to evade security filters.

Explaining how the malware operates, the researchers state in a blog post:

Upon execution, the worm checks if a process on the infected machine is listening on port 52013. The existence of a listener on this port functions as a mutex for the malware. If a socket for the port is already open, the instance exits, otherwise it opens a network socket on the port.

…The malware will scan the network using TCP SYN in order to find services it can brute force and spread over the network. It will scan for IPs that have open ports related to these services: 8080 for Tomcat and Jenkins, 3306 for MySQL and 7001 for WebLogic on older versions of the worm. Each of these exploits has a package under the src “exp” (exploit) code.
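As an added defender-side example (not code from the Intezer write-up or from the malware), the following Python checks for two of the behaviours quoted above: a TCP listener on port 52013, parsed from `ss -ltn` style output, and SYN-only probes to ports 8080, 3306 and 7001 fanning out across many hosts. The flow-record format and all sample data are constructed for the example.

```python
from collections import defaultdict

# Ports the worm scans for, per the Intezer description quoted above.
WORM_TARGET_PORTS = {8080, 3306, 7001}
# Port the worm binds as its single-instance "mutex".
WORM_MUTEX_PORT = 52013

def listener_on_mutex_port(ss_output: str, port: int = WORM_MUTEX_PORT) -> bool:
    """Return True if `ss -ltn` style output shows a TCP listener on `port`."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # skips the header line and non-listening sockets
        local_addr = parts[3]  # e.g. "127.0.0.1:52013" or "[::]:22"
        if local_addr.rsplit(":", 1)[-1] == str(port):
            return True
    return False

def find_scanners(flow_lines, min_targets: int = 5):
    """Flag source IPs that sent SYN-only probes to the worm's target ports
    on at least `min_targets` distinct destination hosts (SYN-scan fan-out).
    Constructed record format: "<src> <dst> <dport> <tcp-flags>"."""
    targets_by_src = defaultdict(set)
    for line in flow_lines:
        src, dst, dport, flags = line.split()
        if flags == "S" and int(dport) in WORM_TARGET_PORTS:
            targets_by_src[src].add(dst)
    return sorted(src for src, dsts in targets_by_src.items()
                  if len(dsts) >= min_targets)

# Constructed sample data for a stand-alone run.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:52013   0.0.0.0:*
"""
SAMPLE_FLOWS = (
    [f"10.0.0.5 10.0.0.{h} 8080 S" for h in range(10, 16)]       # 6 hosts: scanner
    + [f"10.0.0.5 10.0.0.{h} 3306 S" for h in range(10, 13)]
    + ["10.0.0.9 10.0.0.10 7001 S", "10.0.0.9 10.0.0.11 7001 S"]  # 2 hosts: below threshold
    + ["10.0.0.7 10.0.0.10 3306 PA", "10.0.0.5 10.0.0.20 443 S"]  # established / non-target port
)

if __name__ == "__main__":
    print("mutex-port listener:", listener_on_mutex_port(SAMPLE_SS))
    print("suspected scanners:", find_scanners(SAMPLE_FLOWS))
```

On a live host, feed the real output of `ss -ltn` to `listener_on_mutex_port`; a listener on 52013 is only an indicator and should be confirmed by inspecting the owning process.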

Potential victims who wish to protect themselves should employ strong authentication measures such as 2FA along with robust passwords.

They should also update the software they run as soon as possible, since older versions tend to contain bugs that open up another avenue for attackers to exploit.

In conclusion, we can expect more malware of this kind in the future, so it remains important for cybersecurity organizations to adapt to this threat.
