Researchers observed an attack campaign that uses a Golang-based spreader to distribute cryptocurrency-mining malware.
According to Trend Micro, the malware sought out entry points as a means of spreading to other systems by using a Golang-based spreader — detected as Trojan.Linux.GOSCAN.BB — that scanned for various server weaknesses, including a ThinkPHP exploit and Drupal exploit. It also arrived with the ability to propagate through SSH ports.
Upon reaching a targeted system, the attack campaign connected to Pastebin to download a dropper component, detected as Trojan.SH.SQUELL.CC. This element extracted a TAR file from mysqli[.]tar[.]gz that contained the Golang spreader, a cryptocurrency miner and Trojan.SH.SQUELL.CB. Once loaded, Trojan.SH.SQUELL.CB set to work disabling security tools, clearing command history and logs, and killing existing cryptocurrency mining operations in support of the campaign’s miner payload.
Tracking Golang-Based Threats in 2019
Golang-based threats have been lurking in the wild throughout the first half of 2019. In January, Malwarebytes detected a simple stealer written in Golang. Two months later, Yoroi uncovered GoBrut, a Golang-based botnet, just a few days before Anomali Labs observed the Rocke threat group using a Go-based dropper. Approximately one month later, QuickHeal Labs detected JCry, a Golang-based family of ransomware.
How to Monitor for Cryptocurrency-Mining Malware
Security professionals can help defend their organizations against cryptocurrency-mining malware by using a unified endpoint management (UEM) tool to monitor endpoints for suspicious activity, including a surge in central processing unit (CPU) usage, which is associated with most cryptominers. Robust, regularly tested incident response plans can help teams quickly minimize the threat in the event of a cryptojacking attack.