
New ‘GoBruteforcer’ Botnet Targets Web Servers

Palo Alto Networks has recently identified a Golang-based botnet that targets web servers running FTP, MySQL, phpMyAdmin, and Postgres services. Dubbed GoBruteforcer and hosted on a legitimate domain, the malware targets multiple architectures and deploys an internet relay chat (IRC) bot on a compromised server. It spreads by scanning CIDR blocks to identify target hosts, then attempts to compromise them using brute force.

Once a server is successfully compromised, GoBruteforcer uses a PHP web shell to query the victim system. The malware is packed with UPX Packer and has a multi-scan module to identify open ports for the targeted services. After identifying an open port, it uses hardcoded credentials to brute-force the server. For phpMyAdmin services, it attempts to deploy the IRC bot for communication. For MySQL and Postgres services, it pings the host’s database using specific credentials. For FTP services, it attempts to authenticate using the Goftp library.
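One way a defender could spot the spread pattern described above, failed logins against the targeted services sweeping several hosts of one CIDR block in a short time, is sketched below as an added example that is not from Palo Alto Networks or the original article. The normalized event format, the thresholds, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TARGETED = {"ftp", "mysql", "postgres", "phpmyadmin"}  # services named in the article
# Constructed sample events, assumed format: "time source dest service outcome".
SAMPLE_EVENTS = """\
2023-03-10T02:00:01 203.0.113.7 10.0.5.10 ftp fail
2023-03-10T02:00:02 203.0.113.7 10.0.5.10 mysql fail
2023-03-10T02:00:04 203.0.113.7 10.0.5.11 postgres fail
2023-03-10T02:00:05 203.0.113.7 10.0.5.11 phpmyadmin fail
2023-03-10T02:00:09 203.0.113.7 10.0.5.12 ftp fail
2023-03-10T02:00:11 203.0.113.7 10.0.5.12 mysql ok
2023-03-10T02:03:00 198.51.100.20 10.0.5.10 mysql fail
2023-03-10T02:03:30 198.51.100.20 10.0.5.10 mysql ok
2023-03-10T09:00:00 192.0.2.44 10.0.5.10 ftp fail
2023-03-10T13:00:00 192.0.2.44 10.0.5.11 ftp fail
2023-03-10T17:00:00 192.0.2.44 10.0.5.12 ftp fail
"""

def parse(text):
    """Yield (time, source, dest, service, outcome) from the normalized lines."""
    for line in text.splitlines():
        ts, src, dst, svc, outcome = line.split()
        yield datetime.fromisoformat(ts), src, dst, svc, outcome

def find_sweeps(events, min_hosts=3, window=timedelta(minutes=10), prefix=24):
    """Flag sources whose failed logins hit min_hosts hosts of one CIDR block within window."""
    fails = defaultdict(list)  # (source, block) -> [(time, dest, service)]
    wins = defaultdict(set)    # source -> {(dest, service)} with a successful login
    for ts, src, dst, svc, outcome in sorted(events):
        if svc in TARGETED and outcome == "fail":
            block = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
            fails[(src, str(block))].append((ts, dst, svc))
        elif svc in TARGETED:
            wins[src].add((dst, svc))
    findings = {}
    for (src, block), hits in fails.items():
        start = 0
        for end, (ts, _, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            seen = hits[start:end + 1]
            if len({d for _, d, _ in seen}) >= min_hosts:
                findings[src] = {"block": block, "hosts": sorted({d for _, d, _ in seen}),
                                 "services": sorted({s for _, _, s in seen}),
                                 "successes": sorted(wins[src])}
                break
    return findings
```

Calling `find_sweeps(parse(SAMPLE_EVENTS))` flags only the source that swept three hosts in seconds; the `successes` list shows which logins from that source went through and should be reviewed first.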

On victim servers, Palo Alto Networks found a PHP web shell that provides attackers with reverse shell and bind shell capabilities. GoBruteforcer appears to still be in development, so attackers could change the techniques they use to target web servers in the near future.

In summary, the recently identified GoBruteforcer Golang-based botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services. It spreads by using CIDR block scanning and attempts to compromise the identified server using brute force. It is packed with UPX Packer and has a multi-scan module to identify open ports for targeted services, and uses hardcoded credentials to brute-force the server. It is still in development, so attackers could change the techniques in the near future.

Key Points:
• A recently identified Golang-based botnet is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services.
• It spreads by using CIDR block scanning and attempts to compromise the identified server using brute force.
• It is packed with UPX Packer and has a multi-scan module to identify open ports for targeted services.
• It uses hardcoded credentials to brute-force the server.
• It is still in development, so attackers could change the techniques in the near future.
