Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign

by Augusto Remillano II and Mark Vicente

We found a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Golang, or Go, is an open source programming language that has been recently associated with malware activity. Trend Micro has been detecting the use of the spreader since May and saw it again in a campaign this month.

The spreader used in this campaign scans for machines running vulnerable software to propagate. The campaign’s attack chain is detailed below.

Technical details

The Golang-based spreader
This malware looks for several entry points to spread to other systems. It not only uses the common SSH service, but also several exploits. It does this using the Golang-based spreader (which Trend Micro detects as Trojan.Linux.GOSCAN.BB) that scans for the following:

• SSH
• Misconfigured Redis server
• ThinkPHP exploit
• Drupal exploit
• Atlassian Confluence server (CVE-2019-3396)

A snapshot of the spreader’s code (shown in Figure 2) shows that it scans for a Redis port.

Aside from using misconfigured Redis ports, the malware can also infect servers through vulnerable web applications, particularly ThinkPHP and Drupal. The code in the image below shows that it scans for CVE-2019-3396, a vulnerability in Atlassian’s Confluence server that was previously seen being used to distribute a different cryptocurrency-mining malware.

And finally, it also propagates through SSH ports, as seen in the code snapshot below.

Other components
Once the malware reaches the system, it will connect to Pastebin to download the dropper component (detected as Trojan.SH.SQUELL.CC). The dropper will then download and extract a TAR file from mysqli[.]tar[.]gz. The TAR file contains the miner payload, the Golang-based scanner, and other necessary components, enumerated below:

• Configuration file for the miner components
• Trojan.SH.SQUELL.CB that will execute the miner and scanner
• The Golang-based spreader
• The miner
• File used to determine the malware’s installation status

Aside from executing the miner and the scanner, Trojan.SH.SQUELL.CB performs several other actions. It tries to infect other systems through SSH. It disables security tools and clears command history and logs. It also kills previously ongoing cryptocurrency mining activities (if there were any) by blocking network traffic, and killing their processes. For persistence, it installs itself as a service in the system. It also sets up a cron job that will download and execute the latest version of the malware from Pastebin. All these activities are shown in the code snapshots below.

Conclusion and security recommendations

This isn’t the first time a Golang-based script has been used for a campaign. As mentioned earlier we’ve been seeing the same Golang-based spreader since May, used also for a different cryptocurrency-mining malware. The Go programming language was also used in a data stealer malware earlier this year, as reported by Malwarebytes.

Go provides cybercriminals with easy cross-platform development, allowing them to infect both Linux and Windows machines. However, this characteristic is not unique to the programming language. Cybercriminals are possibly turning to Golang to make the analysis of their malware more difficult, as it’s not as commonly used for malware as compared to other languages.

Whatever the reason, users can take steps to reduce the effectivity of a similar campaign by strengthening their network security and defenses. Here are some steps users can take to defend against similar threats.

• Applying the necessary patches and updates as soon as they become available
• Being mindful of the methods attackers use to spread malware and tailor defenses against them
• Changing system and device settings with security in mind to prevent unauthorized access

Trend Micro solutions

Trend Micro endpoint solutions such as the Trend Micro Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from threats such as cryptocurrency miners by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery™ Inspector network appliance.

Trend Micro ™ Deep Discovery ™ Inspector protects customers from the mentioned exploits through these rules:

• 2573: MINER – TCP (Request)
• 2626: CVE-2018-7600 – Drupal Remote Code Execution – HTTP (Request)
• 2786: ThinkPHP 5x Remote Code Execution – HTTP (Request)
• 2887: CVE-2019-3396 – ATLASSIAN CONFLUENCE – HTTP (Request)

Indicators of compromise (IoCs):

URLs:

hxxps://pastebin[.]com/raw/xvfxprtb

hxxp://m[.]jianlistore[.]com/images/qrcode/1414297571.jpg

xmr[.]pool[.]minergate[.]com:45700

xmr-eu1[.]nanopool[.]org:14444

xmr-asia1[.]nanopool[.]org:14444

Wallet address:

489N5AAY5igKmcD7gfYxmg6GrGJEXy46HbX23XRTHe1JYiSg4yo9iwBW9XcoCKaJ9xXbwBVSndKerbMvZdwoHMb23QyAFtz

SHA256	Detection name
2acf625f3842a6dfebf3ffa1df565ec48837838bd503a3f6c5f46a7c6564c6c9	Coinminer.Linux.TOOLXMR.AC.component
53622ec8ed5381230734e4695be737ff804ccb3f0e3ba241dda24bb00f37bd4d	Trojan.Linux.GOSCAN.BB
6c3c0cd32e9b78485c5acec11a3d44f7a72a06d90ba0f3bfc260ea9698028797	Trojan.Linux.GOSCAN.BB
84fb31603c05804c17a2c6747927c48f3ef7d03986a50ecc5efe5cf9c9d830f5	Coinminer.Linux.TOOLXMR.AC
9295b6b635cd6e33b8f5589d142d95f7cfcc48abde4193374433fa3a379f0c5a	Trojan.SH.SQUELL.CC
9ea5a0e97e9ddcfce5b068426593de4f6e81fbddde50930c20eee74c779dd7e7	Coinminer.Linux.TOOLXMR.AC
eb3b284bcfce567d059f47df46a777d600499c413e86310c9a95ae8edc8f0156	Trojan.SH.SQUELL.CB