A new variant of the cryptominer malware Golang, with possible links to China, is being used to target Windows and Linux PCs, researchers at Barracuda Networks found.
Though the volume of the threats detected is still quite low, the researchers identified seven IP addresses linked to the new variant. Further research revealed the IP addresses were based in China. This could mean that the attacks originated from China, or that the attack was routed through Chinese servers to mask its actual source. This is a typical practice among hacker groups.
According to Barracuda Networks, Golang malware targets both Windows and Linux systems by attacking web application frameworks, application servers, and non-HTTP services such as Redis and MSSQL, instead of going after the end users.
Some of the exploits used by operators behind Golang were found to be targeting the ThinkPHP web application framework, which is popular in China. An exploit is a program that finds and takes advantage of a security flaw in an application or system.
After infiltrating the system, Golang malware downloads multiple files such as an init/update script, a miner, a watchdog, a scanner, and a config file for the cryptominer. The files downloaded vary depending on the operating system on the device. For instance, on Windows PCs the malware also adds a backdoor. Once the files are downloaded, the malware starts mining the Monero cryptocurrency using XMRig, a known miner program.
“Malicious actors are once again turning to Golang as a malware language since it is not commonly tracked by antivirus software. As it targets vulnerable servers, it is still a top threat vector that cybercriminals look to exploit. However, we can defend organisations against this malware by monitoring the endpoints for suspicious activity as well as the surge in CPU usage, which is associated with most cryptominers,” Fleming Shi, CTO at Barracuda Networks, said in a statement.
Barracuda advises that organizations should have a web application firewall in place and configure it properly, as the malware spreads by scanning the internet for vulnerable devices. Security patches and updates should also be kept handy in case any vulnerability is detected.
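The CPU-surge monitoring recommended above can be sketched as follows. This is an added example, not code from Barracuda or the article; the sample rows, paths, threshold and poll count are constructed assumptions. It flags executables that stay at high CPU across consecutive polls, keyed by executable path so that a process restarted under a new PID keeps its streak, while a short burst such as a backup job is ignored.

```python
from collections import defaultdict

# Constructed samples: (unix_time, pid, executable_path, cpu_percent),
# one row per process per 60-second poll. All values are made up.
SAMPLES = [
    (0,   101, "/usr/sbin/nginx",    12.0),
    (0,   202, "/tmp/.cache/sysupd", 97.5),
    (0,   303, "/usr/bin/backup",    91.0),  # short legitimate burst
    (60,  101, "/usr/sbin/nginx",    15.0),
    (60,  202, "/tmp/.cache/sysupd", 98.0),
    (60,  303, "/usr/bin/backup",     8.0),
    (120, 101, "/usr/sbin/nginx",    11.0),
    (120, 404, "/tmp/.cache/sysupd", 96.9),  # same binary, new PID
    (180, 101, "/usr/sbin/nginx",    14.0),
    (180, 404, "/tmp/.cache/sysupd", 99.1),
    (240, 101, "/usr/sbin/nginx",    13.0),
    (240, 404, "/tmp/.cache/sysupd", 98.4),
]


def sustained_cpu_alerts(samples, threshold=90.0, min_polls=4):
    """Return {executable_path: time_of_first_alert} for executables whose
    total CPU stays at or above `threshold` for `min_polls` polls in a row."""
    # Sum CPU per executable per poll so several instances count together.
    by_time = defaultdict(lambda: defaultdict(float))
    for ts, _pid, exe, cpu in samples:
        by_time[ts][exe] += cpu

    streak = defaultdict(int)
    alerts = {}
    for ts in sorted(by_time):
        seen = by_time[ts]
        # An executable absent from this poll was not running: reset it.
        for exe in list(streak):
            if exe not in seen:
                streak[exe] = 0
        for exe, cpu in seen.items():
            streak[exe] = streak[exe] + 1 if cpu >= threshold else 0
            if streak[exe] >= min_polls and exe not in alerts:
                alerts[exe] = ts
    return alerts


if __name__ == "__main__":
    for exe, ts in sustained_cpu_alerts(SAMPLES).items():
        print(f"sustained high CPU: {exe} (alert at t={ts}s)")
```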