Researchers discovered new Trojan malware written in Golang that’s targeting e-commerce websites with brute-force attacks.
In their investigation, Malwarebytes researchers found a connection between the compromised e-commerce website and a two-stage payload. The first stage consisted of a Delphi downloader detected as Trojan.Wallyshack. This threat collected basic information about the infected machine, transmitted the data to its command-and-control (C&C) server and ran Trojan.StealthWorker.GO, the second payload that communicated with the infected site. Written in Golang version 1.9, this malware sample contained several functions with the name “Brut” that it used for brute-forcing.
Connections to MageCart and the Rise of Golang Threats
While analyzing the infected website, Malwarebytes observed how this wasn’t the first time that googletagmanager[.]eu has surfaced in an attack campaign. In fact, researchers traced the domain back to criminal activities involving MageCart. This threat actor has affected more than 800 organizations by compromising their e-commerce websites and stealing customers’ payment card details, as noted by RiskIQ.
At the same time, this brute-forcer comes amid a rise of Golang-based digital threats. In January 2019, for example, Malwarebytes Labs detected Trojan.CryptoStealer.Go, an information stealer written in this budding programming language. Just a month before, researchers at Palo Alto Networks’ Unit 42 came across a Golang variant of Zebrocy, an attack tool used by the Sofacy threat group.
How Security Teams Can Defend Against Brute-Forcers
Security professionals can help defend against brute-force attacks by shielding their network perimeter against outside intrusion with firewalls and identity-based security such as identity and access management (IAM). Additionally, security teams should implement consistent software patching so they can close off known vulnerabilities.