February 27, 2019 By David Bisson 2 min read

Researchers discovered new Trojan malware written in Golang that’s targeting e-commerce websites with brute-force attacks.

Malwarebytes Labs recently analyzed a newly infected Magento website and found that attackers had injected malicious code into the site’s homepage so that it referenced an external piece of JavaScript. This code used a POST request to exfiltrate victims’ data to googletagmanager[.]eu when they entered their address and payment details.

In their investigation, Malwarebytes researchers found a connection between the compromised e-commerce website and a two-stage payload. The first stage consisted of a Delphi downloader detected as Trojan.Wallyshack. This threat collected basic information about the infected machine, transmitted the data to its command-and-control (C&C) server and ran Trojan.StealthWorker.GO, the second payload that communicated with the infected site. Written in Golang version 1.9, this malware sample contained several functions with the name “Brut” that it used for brute-forcing.

Connections to MageCart and the Rise of Golang Threats

While analyzing the infected website, Malwarebytes observed how this wasn’t the first time that googletagmanager[.]eu has surfaced in an attack campaign. In fact, researchers traced the domain back to criminal activities involving MageCart. This threat actor has affected more than 800 organizations by compromising their e-commerce websites and stealing customers’ payment card details, as noted by RiskIQ.

At the same time, this brute-forcer comes amid a rise of Golang-based digital threats. In January 2019, for example, Malwarebytes Labs detected Trojan.CryptoStealer.Go, an information stealer written in this budding programming language. Just a month before, researchers at Palo Alto Networks’ Unit 42 came across a Golang variant of Zebrocy, an attack tool used by the Sofacy threat group.

How Security Teams Can Defend Against Brute-Forcers

Security professionals can help defend against brute-force attacks by shielding their network perimeter against outside intrusion with firewalls and identity-based security such as identity and access management (IAM). Additionally, security teams should implement consistent software patching so they can close off known vulnerabilities.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today