Researchers Say Recently Uncovered Malware Targets Windows and Linux
Researchers at the security firm Intezer have detected a new Golang-based worm that is targeting Windows and Linux servers with Monero cryptomining malware.
The worm, which has been active since early December, typically attempts to inject XMRig malware – increasingly used to mine for cryptocurrency such as Monero – into vulnerable servers, the researchers say (see: Kubeflow Targeted in XMRig Monero Cryptomining Campaign). It targets vulnerable, public-facing services that use weak passwords, such as MySQL, the Tomcat administration panel and the Jenkins open-source automation server. It also targets a vulnerability in Oracle WebLogic that is tracked as CVE-2020-14882.
Oracle and the U.S. Cybersecurity and Infrastructure Security Agency have previously warned WebLogic users to apply patches for the vulnerability (see: CISA and Oracle Warn Over WebLogic Server Vulnerability).
“During our analysis, the attacker kept updating the worm on the command-and-control server, indicating that it’s active and might be targeting additional weakly configured services in future updates,” Avigayil Mechtinger, a security researcher at Intezer, notes in the report.
How It Works
An attack typically starts with the worm attempting to brute force passwords to gain access to a device. Once inside, it uses three separate files to continue its attack. The first is a dropper – either a Bash or PowerShell script. The second is a Golang binary worm, and the third is the XMRig miner. All are hosted on the same command-and-control server, the researchers determined.
During the attack, the worm checks whether any process on the infected machine is already listening on port 52013. A listener on this port functions as a mutex – a synchronization mechanism for enforcing limits on access to a resource in an environment where there are many threads of execution – so that only one copy of the worm runs per host. If no listener is found on the port, a network socket is opened, the…
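The mutex-port behaviour described above gives defenders a cheap host-side check. The following is an added example, not code from Intezer's report: it parses constructed `ss -tlnp` and `ps -eo pid,comm,args` output and flags a listener on TCP 52013 and any process named xmrig (the process name "sysupdate" in the sample is a constructed placeholder, not a real indicator).

```python
"""Flag two host indicators from the article: a local TCP listener on port
52013 (used by the worm as a mutex) and an XMRig process.
Sample inputs are constructed to mimic `ss -tlnp` and `ps -eo pid,comm,args`."""
import re
from typing import Dict, List

MUTEX_PORT = 52013        # port the worm listens on as a single-instance mutex
MINER_NAMES = ("xmrig",)  # process names associated with the miner payload

# Process column of `ss -tlnp` looks like: users:(("name",pid=123,fd=4))
_PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

def parse_listeners(ss_output: str) -> List[Dict]:
    """Return one dict per LISTEN line with local port, process name and pid."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skip header and non-listening rows
        # Local address is column 4; the port follows the last colon, which
        # also handles IPv6 forms such as [::]:52013 and wildcard *:52013.
        port = int(fields[3].rsplit(":", 1)[1])
        m = _PROC_RE.search(line)
        listeners.append({
            "port": port,
            "process": m.group("name") if m else None,
            "pid": int(m.group("pid")) if m else None,
        })
    return listeners

def find_indicators(ss_output: str, ps_output: str) -> List[str]:
    """Return human-readable findings for the mutex port and miner processes."""
    findings = []
    for lst in parse_listeners(ss_output):
        if lst["port"] == MUTEX_PORT:
            findings.append(f"listener on tcp/{MUTEX_PORT} by {lst['process']} (pid {lst['pid']})")
    for line in ps_output.splitlines()[1:]:          # first line is the ps header
        fields = line.split(None, 2)                 # pid, comm, args
        if len(fields) >= 2 and fields[1].lower() in MINER_NAMES:
            findings.append(f"miner process {fields[1]} (pid {fields[0]})")
    return findings

# Constructed sample output; "sysupdate" is a placeholder name, not a real IoC.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   [::]:52013          [::]:*            users:(("sysupdate",pid=4412,fd=6))
"""
SAMPLE_PS = """  PID COMMAND         COMMAND
  812 sshd            /usr/sbin/sshd -D
 4413 xmrig           /tmp/xmrig -o pool.invalid:3333
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_SS, SAMPLE_PS):
        print("ALERT:", finding)
```

On a live host, feed the real `ss -tlnp` and `ps -eo pid,comm,args` output into `find_indicators`; a hit on port 52013 alone is worth investigating even if the miner has not yet been dropped.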