Golang malware is exploiting thousands of Linux servers for mining Monero cryptocurrency

Golang malware

According to a research report released by F5 Labs, a hacker organization is using new Golang malware to attack Linux-based servers. The Golang malware was first discovered in mid-2018 and the attack lasted throughout 2019. At the moment, researchers have noticed the latest operations, which have infected about a thousand machines since the attack on June 10.

The researchers said that hackers use the cryptonight algorithm to mine XMR. The attacker’s income is less than $2,000. “However, this information is based only on the wallets our specific miners were using. It could be that the attacker has several wallets used by different parts of his botnet.”

The report said:

“The malware campaign propagates using 7 different methods: 4 web application exploits (2 targeting ThinkPHP, 1 targeting Drupal, and 1 targeting Confluence), SSH credentials enumeration, Redis database passwords enumeration, and also trying to connect other machines using found SSH keys.”

Image: f5

The report shows that malware activity spreads in seven different ways, including four web application vulnerabilities, SSH credential enumeration, Redis database password enumeration, and attempts to connect to other computers by using discovered SSH keys. Since Golang is usually not detected by anti-virus software, malicious attackers have begun to use it as a malware language.