• F5 researchers uncovered a cryptominer campaign delivering new Golang malware that targets Linux-based servers.
• Golang malware is not often seen in the threat landscape; it was first seen to mid-2018 and has continued throughout 2019.
• The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), SSH credentials enumeration, Redis database passwords enumeration, and also trying to connect other machines using found SSH keys.
• The operation appeared to start around June 10, the first exploit requests were seen around June 16, and the botnet is currently estimated to include several thousand infected machines.
• The attacker uses the online clipboard service pastebin.com to host the spearhead bash script.
• The malware is hosted on an already compromised Chinese ecommerce website.
• Several indicators, like the Pastebin and GitHhub usernames and the cloned projects, might imply that the attacker is a Chinese speaker.
• The GitHub account was created a few days ago and cloned a Golang-based vulnerability scanner project, indicating that the attacker is still experimenting.

Finding the Malware

On June 14, 2019, F5 researchers detected malicious requests targeting vulnerabilities in ThinkPHP (CVE-2019-9082 and CVE-unassigned), Atlassian Confluence (CVE-2019-3396), and Drupal (CVE-2018-7600) also known as Druppalgeddon2. The payload delivered in the request tries to spread by sending the same exploits, and by trying to connect with several hardcoded credentials to Redis services and also via SSH.  The ultimate goal of the payload is to install a cryptominer and target other servers through the methods mentioned above. Some of these vulnerabilities are common targets, however, the delivered malware in this campaign was written in Go (Golang), a newer programming language not typically used to create malware.

At the time of writing, this sample appears to be from a new kind of malware, not being picked up by many antivirus vendors. Those which detect it classify it as a generic one.

Malicious actors are beginning to turn to Golang as a malware language since it is not typically picked up by antivirus software. Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware. One of the earlier Golang samples was analyzed and published beginning of January 2019. This sample caught by F5 researchers is different from the Go variant of the Zebrocy tool, and the stealer analyzed by MalwareBytes.

Go is a compiled programming language designed at Google. Applications written in Go tend to be bulkier than others as the functions imported from other libraries are compiled in the binary itself. This, along with the unique way that Go calls functions and stores symbols and data, pose a different challenge when reversing malware samples written in Go.

Propagation Methods

This cryptominer campaign delivering new Golang malware specifically targets Linux-based servers and propagates in seven different ways. Campaigns that install crypto miners are fairly common, so the large number of propagation techniques is quite a unique feature. The seven methods it uses for propagation are 4 exploits targeting web applications (2 exploits targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), enumeration of SSH credentials enumeration, enumeration of Redis database credentials, and attempts to connect other machines using found SSH keys.