Golang Worm Targeting Linux Servers


A new Golang worm is targeting both Linux and Windows servers with Monero cryptomining malware.

A new worm, based on Golang, has been discovered in the wild (since early December, 2020) which attempts to inject XMRig malware to mine for cryptocurrency. The worm targets public-facing services, such as MySQL, the Tomcat admin panel, Jenkins, and Oracle WebLogic.

According to Avigayil Mechtinger, a security researcher with Intezer, "the attacker kept updating the worm on the command-and-control server, indicating that it's active and might be targeting additional weak configured services in future updates."

The worm begins with a brute force attack. Once the worm gains access to a server, it works with three separate files:

  • A Bash or PowerShell script (depending on the operating system).
  • The Golang binary worm.
  • XMRig miner.

So far, the Bash script and the Golang worm binary have not been detected by virus analysis platforms, which makes the worm particularly dangerous.

The best way to mitigate such an attack is to employ both 2FA and strong passwords on your Linux servers. Also, make sure to run (and apply) updates daily. 
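
To see which of the services named above are listening beyond loopback on a Linux server, the following added example (not part of the original article) filters `ss -tln` output. The port numbers are the products' default ports and are an assumption, as are the helper names `find_exposed` and `sample_ss_output`.

```shell
#!/bin/sh
# Added example: flag listeners for the services named in the article that are
# bound to a non-loopback address.

# port=service pairs. These are default ports (assumption); adjust as needed.
WATCHED_PORTS="3306=MySQL 8080=Tomcat/Jenkins 7001=WebLogic"

# Reads `ss -tln` lines on stdin and prints "port service address" for every
# watched port that listens on something other than loopback.
find_exposed() {
  awk -v watched="$WATCHED_PORTS" '
    BEGIN {
      n = split(watched, pairs, " ")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); svc[kv[1]] = kv[2] }
    }
    $1 == "LISTEN" {
      addr = $4                          # e.g. 0.0.0.0:3306, [::]:8080, *:7001
      port = addr; sub(/^.*:/, "", port)
      host = addr; sub(/:[^:]*$/, "", host)
      gsub(/^\[|\]$/, "", host)          # strip IPv6 brackets
      sub(/%.*$/, "", host)              # strip interface scope such as %lo
      if (!(port in svc)) next
      # loopback (IPv4, IPv6, IPv4-mapped) is not reachable from the network
      if (host ~ /^(::ffff:)?127\./ || host == "::1") next
      print port, svc[port], host
    }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 151 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:7001 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 [::1]:3306 [::]:*
EOF
}

# Live server: ss -tln | find_exposed
# Demo on the constructed sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then sample_ss_output | find_exposed; fi
```

Any line it prints is a service that should sit behind a firewall or VPN, or at minimum have a strong password and 2FA in front of it.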

The Golang language is being used more frequently for such attacks, so expect more similar malware to hit the Linux platform in the near future.

For more information on this new worm, check out this detailed look into how it works.
