by Augusto Remillano II and Mark Vicente
We found a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Golang, or Go, is an open source programming language that has been recently associated with malware activity. Trend Micro has been detecting the use of the spreader since May and saw it again in a campaign this month.
The spreader used in this campaign scans for machines running vulnerable software to propagate. The campaign’s attack chain is detailed below.
The Golang-based spreader
This malware looks for several entry points to spread to other systems. It not only uses the common SSH service, but also several exploits. It does this using the Golang-based spreader (which Trend Micro detects as Trojan.Linux.GOSCAN.BB) that scans for the following:
- Misconfigured Redis server
- ThinkPHP exploit
- Drupal exploit
- Atlassian Confluence server (CVE-2019-3396)
A snapshot of the spreader’s code (Figure 2) shows that it scans for a Redis port.
Aside from using misconfigured Redis ports, the malware can also infect servers through vulnerable web applications, particularly ThinkPHP and Drupal. The code in the image below shows that it scans for CVE-2019-3396, a vulnerability in Atlassian’s Confluence server that was previously seen being used to distribute a different cryptocurrency-mining malware.
And finally, it also propagates through SSH ports, as seen in the code snapshot below.
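The first entry point in the list above, a misconfigured Redis server, is the one a defender can check for most directly. The following script is an added example written for this post; it is not code from the original article or from the malware. It audits a redis.conf for the settings that leave an instance reachable and unauthenticated (a wildcard or missing `bind`, `protected-mode no`, no `requirepass`) and, as defence in depth, an un-renamed `CONFIG` command. The two configurations are constructed samples; the default of `protected-mode yes` assumed for Redis 3.2 and later is labelled in the code.

```python
"""Audit a redis.conf for the misconfigurations that expose it to scanners."""

# Constructed sample configurations (not taken from the post): an exposed,
# unauthenticated instance and a hardened one.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client reaching the port is trusted
# requirepass changeme
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <PLACEHOLDER_STRONG_PASSWORD>
rename-command CONFIG ""
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return {directive: [value, ...]} for active lines.

    redis.conf treats only lines that start with '#' as comments; an inline
    '#' is part of the value (a password may contain one), so it is kept.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no exposure was found."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind", [])
    if not binds:
        findings.append("no 'bind' directive: Redis accepts connections on all interfaces")
    elif any(addr in WILDCARD_ADDRS for b in binds for addr in b.split()):
        findings.append("bind includes a wildcard address: reachable from any network")

    # Assumption: protected-mode defaults to 'yes' (Redis 3.2 and later).
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode is off: remote unauthenticated clients are not rejected")

    password = conf.get("requirepass", [""])[-1].strip()
    if password in ("", '""'):
        findings.append("no requirepass: any client that reaches the port has full access")

    renamed = " ".join(conf.get("rename-command", [])).lower()
    if "config" not in renamed:
        findings.append("CONFIG command not renamed or disabled (defence in depth)")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

Run it against a real `/etc/redis/redis.conf` by reading the file into `audit_redis_conf`; each finding maps to one directive to change, and the hardened sample shows the corrected values side by side with the weak ones.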
Once the malware reaches the system, it will connect to Pastebin to download the dropper component (detected as Trojan.SH.SQUELL.CC). The dropper will then download and extract a TAR file from mysqli[.]tar[.]gz. The TAR file contains the miner payload, the Golang-based scanner, and other necessary components, enumerated below:
- Configuration file for the miner components
- Trojan.SH.SQUELL.CB that will execute the miner and scanner
- The Golang-based spreader
- The miner
- File used to determine the malware’s installation status
Aside from executing the miner and the scanner, Trojan.SH.SQUELL.CB performs several other actions. It tries to infect other systems through SSH. It disables security tools and clears command history and logs. It also kills any previously running cryptocurrency-mining activity by blocking its network traffic and killing its processes. For persistence, it installs itself as a service on the system. It also sets up a cron job that will download and execute the latest version of the malware from Pastebin. All these activities are shown in the code snapshots below.
Conclusion and security recommendations
This isn’t the first time a Golang-based script has been used for a campaign. As mentioned earlier, we’ve been seeing the same Golang-based spreader since May, also used for a different cryptocurrency-mining malware. The Go programming language was also used in a data stealer malware earlier this year, as reported by Malwarebytes.
Go provides cybercriminals with easy cross-platform development, allowing them to infect both Linux and Windows machines. However, this characteristic is not unique to the programming language. Cybercriminals are possibly turning to Golang to make the analysis of their malware more difficult, as it is less commonly used for malware than other languages.
Whatever the reason, users can take steps to reduce the effectiveness of a similar campaign by strengthening their network security and defenses. Here are some steps users can take to defend against similar threats.
- Applying the necessary patches and updates as soon as they become available
- Being mindful of the methods attackers use to spread malware and tailoring defenses against them
- Changing system and device settings with security in mind to prevent unauthorized access
Trend Micro solutions
Trend Micro endpoint solutions such as the Trend Micro Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from threats such as cryptocurrency miners by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery™ Inspector network appliance.
Trend Micro™ Deep Discovery™ Inspector protects customers from the mentioned exploits through these rules:
- 2573: MINER – TCP (Request)
- 2626: CVE-2018-7600 – Drupal Remote Code Execution – HTTP (Request)
- 2786: ThinkPHP 5x Remote Code Execution – HTTP (Request)
- 2887: CVE-2019-3396 – ATLASSIAN CONFLUENCE – HTTP (Request)
Indicators of compromise (IoCs):