The volume is still low: the researchers have identified only seven IP addresses linked to this new malware variant so far, all based in China. It has also been observed that the Golang malware focuses on attacking web application frameworks, application servers, and non-HTTP services such as Redis and MSSQL, rather than end users.
Whereas the previous variants of the malware targeted only Linux machines, the Golang variant also attacks Windows machines, using a new pool of exploits aimed at Oracle WebLogic, ElasticSearch, Drupal, Hadoop and IoT devices. “For example, some of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China. As in other families of malware, it is safe to assume that this malware will keep evolving, employing more and more exploits,” said the company in a statement.
Once the Golang malware infects a machine, it downloads a set of files chosen for the platform it is attacking: an init/update script, a miner, a watchdog, a scanner, and a config file for the cryptominer. On Windows machines, the malware also adds a backdoor user.
“Malicious actors are once again turning to Golang as a malware language since it is not commonly tracked by antivirus software. As it targets vulnerable servers, it is still a top threat vector that cybercriminals look to exploit. However, we can defend organisations against this malware by monitoring the endpoints for suspicious activity as well as the surge in CPU usage, which is associated with most cryptominers. The threat of any future cryptojacking attack can be minimized by setting up vigorous, regularly tested incident response plans,” said Fleming Shi, CTO, Barracuda Networks.
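A detection sketch for the two indicators the article names (a sustained CPU surge on an endpoint and a backdoor user added on a Windows host), written here as an added example and not code from the article or from Barracuda; the telemetry records, host names, process names, the approved-provisioner list and the thresholds are constructed assumptions.

```python
"""Flag hosts showing miner-like CPU usage and unexpected local account creation."""
from collections import defaultdict

# Constructed CPU telemetry (not from the article): (host, minute, process, cpu_pct).
CPU_SAMPLES = [
    ("web01", 0, "w3wp.exe", 12.0),
    ("web01", 1, "svchost.exe", 94.5),
    ("web01", 2, "svchost.exe", 97.0),
    ("web01", 3, "svchost.exe", 96.2),
    ("web01", 4, "svchost.exe", 95.8),
    ("db02", 0, "sqlservr.exe", 88.0),   # a single busy sample is not a surge
    ("db02", 1, "sqlservr.exe", 40.0),
    ("db02", 2, "sqlservr.exe", 35.0),
]

# Constructed account-creation events, modelled on the fields of Windows event 4720.
ACCOUNT_EVENTS = [
    {"host": "web01", "event_id": 4720, "new_user": "support$", "by": "SYSTEM"},
    {"host": "db02", "event_id": 4720, "new_user": "jdoe", "by": "ADMIN\\it-ops"},
]

# Assumed list of principals allowed to provision local accounts.
APPROVED_PROVISIONERS = {"ADMIN\\it-ops"}

def cpu_surges(samples, threshold=90.0, min_consecutive=3):
    """Return {host: process} where one process stays at or above `threshold`
    for at least `min_consecutive` consecutive samples (sustained, not a spike)."""
    by_host = defaultdict(list)
    for host, minute, proc, pct in sorted(samples, key=lambda s: (s[0], s[1])):
        by_host[host].append((proc, pct))
    hits = {}
    for host, seq in by_host.items():
        run, last = 0, None
        for proc, pct in seq:
            if pct >= threshold:
                run = run + 1 if proc == last else 1   # streak must be one process
                last = proc
            else:
                run, last = 0, None
            if run >= min_consecutive:
                hits[host] = proc
    return hits

def unexpected_accounts(events, approved=APPROVED_PROVISIONERS):
    """Return (host, new_user) for local accounts created by an unapproved principal."""
    return [(e["host"], e["new_user"]) for e in events
            if e["event_id"] == 4720 and e["by"] not in approved]

def triage(samples, events):
    """Hosts showing both indicators are the first to investigate."""
    return sorted(cpu_surges(samples).keys() & {h for h, _ in unexpected_accounts(events)})
```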