StealthWorker Brute Force Malware Ataques Linux e Windows
CYBER NEWS

StealthWorker Brute Force Malware Ataques Linux e Windows

O malware StealthWorker está sendo espalhada em uma nova campanha visando Linux e Windows. Note-se que as versões anteriores do malware única como alvo a plataforma Windows, but a deeper look into the open directory of the latest version revealed that it now also serves payload binaries for Linux.

The malware is coded in Golang – the programming language used to create the module that controlled Mirai bots, FortiGuard Labs researchers said in a new report.




What Is StealthWorker? Visão geral técnica

StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details”, the researchers said in a dedicated report.

relacionado: Brute Force Attacks – a Threat to Encryption

In this type of attacks, malware is usually exploiting vulnerabilities in content management systems or their plugins to get access to the targeted system. Another approach is using brute force attacks – a method which is quite effective against weak or commonly used admin passwords.

It is should be mentioned that StealthWorker has been previously associated with Magento-powered e-commerce websites.

atualmente, the malware can take advantage of a range of security flaws in Magento, phpMyAdmin, and cPanel CMS systems. In addition to these exploits, the malware can apply brute force techniques. De fato, the latest campaigns of StealthWorker are entirely based on brute force attacks used for entry.

Once a server is hacked, it can become another target for embedded skimmers or general data breaches, os pesquisadores disseram.

The malware is also capable of creating scheduled tasks on both Windows and Linux systems to gain persistence by copying itself in the Comece pasta, a /tmp folder and setting up a crontab entry.

Once all needed steps are completed and the target has been included to the botnet, the malware proceeds with connecting to its command and control server.

Dynamically running the malware, it starts a series of http requests aimed to register the bot to the discovered server. The GET request parameters contains the “phpadmin” value in a quite interesting “worker” field, clear reference of the notorious “PhpMyAdmin” database administration tool, widely deployed across the internet and too many times unnecessarily exposed to the internet.

As for the brute force model, it is meant to to attempt to login into target services using credentials retrieved from the command and control server.

Mais especificamente, the routine named “StartBrut” has the purpose to prepare the credentials retrieved from the command and control server. Então, the subroutine “TryLogin” connects to the target host, tries to authenticate using provided credentials and waits for the server response, segundo o relatório.

relacionado: MagentoCore: o mais agressivo infecta Skimmer 60 Lojas por dia

At the time of writing the report, the researchers identified 40,000 unique destinations potentially under attack:

The distribution of the Top Level Domains shows half of the targets are the “.com” and “.org” ones, surprisingly followed the by Russian TLD, and other Eastern Europe targets. Central and Southern Europe seems are targeted too but with in a lower portion, atualmente.

Full technical disclosure is available in o relatório oficial.

Milena Dimitrova

Milena Dimitrova

Um escritor inspirado e gerenciador de conteúdo que foi com SensorsTechForum desde o início. Focada na privacidade do usuário e desenvolvimento de malware, ela acredita fortemente em um mundo onde a segurança cibernética desempenha um papel central. Se o senso comum não faz sentido, ela vai estar lá para tomar notas. Essas notas podem mais tarde se transformar em artigos! Siga Milena @Milenyim

mais Posts

Me siga:
Twitter

Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Carregando...
Compartilhar no Twitter chilrear
Carregando...
Compartilhar no Google Plus Compartilhar
Carregando...
Partilhar no Linkedin Compartilhar
Carregando...
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Carregando...
Partilhar no StumbleUpon Compartilhar
Carregando...