New Golang Worm targets MySQL, Jenkins, Oracle WebLogic and other public services

Golang Worm Overview

This report is about a new Golang worm analyzed by Intezer. The Golang worm malware affects both Windows and Linux servers.  It has targeted a variety of public services including MySQL, TomCat, Jenkins, and Oracle WebLogic. At this time no specific threat actor has been named. The goal of Golang worm appears to be the installation of the XMRig cryptocurrency miner.

Tactics, Techniques, and Procedures

At the time of analysis, all files used in the attack are hosted on a single Command and Control server. Initial access is gained by the Golang worm through the exploit of web-facing services previously mentioned. CVE-2020-14882 affecting WebLogic servers is one specific vulnerability exploited by this worm.

To spread, the worm scans the local network for vulnerable services to exploit and monitors network traffic through the use of the “gopacket” Go library. Brute force password spraying is used with a built-in dictionary to take advantage of weak credentials. The worm uses a dropper script written in Bash or PowerShell (depending on the respective platform) to install XMRig and spread the malware.

Business Unit Impact

• Will lead to unauthorized use of system resources for cryptocurrency mining
• May lead to compromise of internal hosts through subsequently loaded malware
• May lead to exfiltration of sensitive data

Recommendations

We recommend blocking and monitoring for the IOCs listed in each of the sources referenced and ensuring all public-facing servers (WebLogic, MySQL, etc.) are up to date with the latest patches. 

IOCs

• We recommend blocking all IOCs in the below OTX pulse:
  • https://otx.alienvault.com/pulse/5feb60952727181f048bce60

Sources

• https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers

MITRE Mapping(s):

• Initial Access: https://attack.mitre.org/tactics/TA0001/
  • Exploit Public-Facing Application: https://attack.mitre.org/techniques/T1190/
  • Drive-by Compromise: https://attack.mitre.org/techniques/T1189/
• Execution: https://attack.mitre.org/tactics/TA0002/
  • Command and Scripting Interpreter: Unix Shell: https://attack.mitre.org/techniques/T1059/004/
  • Command and Scripting Interpreter: PowerShell: https://attack.mitre.org/techniques/T1059/001/
• Discovery: https://attack.mitre.org/tactics/TA0007/
  • Network Service Scanning: https://attack.mitre.org/techniques/T1046/
  • Network Sniffing: https://attack.mitre.org/techniques/T1040/
• Credential Access: https://attack.mitre.org/tactics/TA0006/
  • Brute Force: Password Spraying: https://attack.mitre.org/techniques/T1110/003/
• Defense Evasion: https://attack.mitre.org/tactics/TA0005/
  • Hijack Execution Flow: DLL Side-Loading: https://attack.mitre.org/techniques/T1574/002/
• Impact: https://attack.mitre.org/tactics/TA0040/
  • Resource Hijacking: https://attack.mitre.org/techniques/T1496/

Avertium brings a guided, risk-based cybersecurity approach to the mid-to-large enterprise. Leveraging NIST CSF and the MITRE ATT&CK framework, Avertium develops customized, outcome-based roadmaps that enable companies to evolve their cybersecurity posture in the face of the cybersecurity talent shortage, rapidly evolving threat landscape, and budgetary constraints. 

For information about how we can help, contact an expert to schedule a no-obligation consultation.

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.