The StealthWorker malware is currently being spread in a new campaign targeting both Linux and Windows. Note that previous versions of the malware only targeted the Windows platform, but a deeper look into the open directory of the latest version revealed that it now also serves payload binaries for Linux.
The malware is coded in Golang – the programming language used to create the module that controlled Mirai bots, FortiGuard Labs researchers said in a new report.
What Is StealthWorker? Technical Overview
“StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details”, the researchers said in a dedicated report.
In this type of attack, the malware usually exploits vulnerabilities in content management systems or their plugins to gain access to the targeted system. Another approach is brute force – a method which is quite effective against weak or commonly used admin passwords.
It should be mentioned that StealthWorker has previously been associated with Magento-powered e-commerce websites.
Currently, the malware can take advantage of a range of security flaws in Magento, phpMyAdmin, and cPanel CMS systems. In addition to these exploits, the malware can apply brute force techniques. As a matter of fact, the latest campaigns of StealthWorker are entirely based on brute force attacks used for entry.
Once a server is hacked, it can become another target for embedded skimmers or general data breaches, the researchers said.
The malware is also capable of creating scheduled tasks on both Windows and Linux systems to gain persistence, copying itself into the Startup folder on Windows or the /tmp folder on Linux and setting up a crontab entry.
Once all the needed steps are completed and the target has been added to the botnet, the malware proceeds to connect to its command and control server.
When the malware is run dynamically, it starts a series of HTTP requests aimed at registering the bot with the discovered server. The GET request parameters contain the “phpadmin” value in a quite interesting “worker” field, a clear reference to the notorious “phpMyAdmin” database administration tool, which is widely deployed across the internet and far too often unnecessarily exposed to it.
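As an added example that is not part of the report or of the malware's own code: a small Python triage script that scans proxy log lines for requests carrying that “worker” query field, so a defender can list which internal hosts are registering with a StealthWorker server. The log line format, the hostnames and IPs in the sample, and the extra “phpmyadmin” spelling are assumptions; the report only shows the “phpadmin” value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not taken from the report).
# Format assumed: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2021-03-04T10:01:12Z 10.0.0.15 GET http://c2.example.test/gate?worker=phpadmin&id=ab12 200
2021-03-04T10:01:15Z 10.0.0.22 GET http://intranet.example.test/index.php?page=home 200
2021-03-04T10:02:01Z 10.0.0.15 POST http://c2.example.test/cred?worker=PhpMyAdmin 200
2021-03-04T10:02:40Z 10.0.0.31 GET http://cdn.example.test/static/app.js 304
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Substrings of the "worker" value that point at the phpMyAdmin brute-force module.
# "phpadmin" is the value observed in the report; "phpmyadmin" is an assumed variant.
WORKER_HINTS = ("phpadmin", "phpmyadmin")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status)}


def worker_field(url):
    """Return the value of the 'worker' query parameter, or None if it is absent."""
    values = parse_qs(urlsplit(url).query).get("worker")
    return values[0] if values else None


def find_beacons(log_text):
    """Return (src_ip, c2_host, worker_value) for every request whose 'worker'
    field references phpMyAdmin. Any method is checked, not only GET, so a later
    credential upload to the same server is caught as well."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        worker = worker_field(rec["url"])
        if worker and any(hint in worker.lower() for hint in WORKER_HINTS):
            hits.append((rec["src"], urlsplit(rec["url"]).hostname, worker))
    return hits


def infected_hosts(log_text):
    """Map each beaconing source IP to the number of matching requests it made."""
    counts = {}
    for src, _host, _worker in find_beacons(log_text):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, host, worker in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {host} (worker={worker})")
    print(infected_hosts(SAMPLE_LOG))
```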
As for the brute force model, it is meant to attempt to log in to target services using credentials retrieved from the command and control server.
More specifically, the routine named “StartBrut” is responsible for preparing the credentials retrieved from the command and control server. Then, the subroutine “TryLogin” connects to the target host, tries to authenticate using the provided credentials and waits for the server response, the report said.
At the time of writing the report, the researchers identified 40,000 unique destinations potentially under attack:
The distribution of the top-level domains shows that half of the targets are “.com” and “.org” ones, surprisingly followed by the Russian TLD and other Eastern European targets. Central and Southern Europe seem to be targeted too, but currently in a lower proportion.
Full technical disclosure is available in the official report.