Threat Intel Digest

November 2019

Golang Ransomware Targeting Linux Systems

Go, a relatively new programming language designed at Google, is gaining popularity and has become a favorite platform of malware authors.

A new ransomware family written in Go is now attacking Linux systems. Like some other ransomware, it avoids infecting computers in certain locations by filtering out countries such as Belarus, Russia, and Ukraine. We can only speculate on why these countries are skipped; most likely the malware author is avoiding self-infection. The ransomware uses AES-256-CFB to encrypt files, which is its main goal. A closer look reveals that the ransomware itself is simple, but analysis is more difficult because the analyzed sample is a stripped Linux executable, so extra work is needed to fully analyze it. Given its simplicity, the new ransomware appears to be at an early stage of development, and we can expect to see more of its kind in the future.


Medical IoT: Helping Patients and Cybercriminals

Medical IoT is another hot topic in the security industry. It helps fuel the market with large amounts of personal and private information about individuals, a rich source of exploitable data for malicious actors.

Big data is a trending market, and not only in the security field. Most of today's industries operate on big data, and IoT devices are among the best at generating it. Medical IoT is a specific field that provides access to private and personal information about individuals, information that should not end up in the hands of unauthorized people. Most of these devices are not secured, which makes them a playground for malicious actors. Easy profit is the main force making Medical IoT a vector for criminal financial gain. Medical data can easily be bought and sold on darknet markets. It is priced higher than credit card numbers and is more profitable than any other kind of data. Due to the lack of authentication, anyone in close proximity to the IoT device can easily read information such as the amount of glucose in your blood, the raw hex and byte values of your blood sugar readings, and other data. Who does Medical IoT really help, the patients or the bad guys?


Stealth Brute Force Attack on Windows and Linux Machines

A malware campaign that can infect both Windows and Linux machines brute-forces its target systems: StealthWorker/GoBrut forms a botnet that is operated as a multiservice brute-force army.

We initially saw this campaign in March 2019. The malware, also written in Go, tries commonly used passwords to brute-force its way into weakly secured systems. StealthWorker/GoBrut attacks phpMyAdmin, an open-source database administration tool, to gain access to the system. For persistence, the malware copies itself to the %Startup% folder so that it survives a reboot. Once everything is in place, the malware connects to its command-and-control server and identifies itself as one of the workers available to the botnet master. StealthWorker/GoBrut has several functions in its arsenal, such as checking for the latest version of the malware, requesting new services, requesting new tasks, and reporting whether a host is valid, along with other functionality. The campaign is still active and has effectively used its botnet army to optimize brute-force attacks against any reachable system.
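As an added example (not part of the digest, and not code from the malware or any vendor), a defender-side detector for the phpMyAdmin password-guessing behavior described above: it scans web-server access log lines and flags source addresses that repeatedly POST to the phpMyAdmin login page within a short window. The log lines, addresses, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (combined format); not from the digest.
# 203.0.113.7 posts six login attempts in six seconds, 192.0.2.9 only twice.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Nov/2019:10:01:{s:02d} +0000] '
    f'"POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "Go-http-client/1.1"'
    for s in range(6)
] + [
    '198.51.100.4 - - [12/Nov/2019:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Nov/2019:10:01:04 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "curl/7.64"',
    '192.0.2.9 - - [12/Nov/2019:10:01:09 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "curl/7.64"',
    'this line is malformed and must be skipped',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Common phpMyAdmin mount points (assumed); extend for your deployment.
PMA_LOGIN = re.compile(r'^/(phpmyadmin|pma)/index\.php', re.IGNORECASE)


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path']


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map source IP -> peak number of phpMyAdmin login POSTs seen inside
    any sliding window of `window_seconds`, for IPs reaching `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != 'POST' or not PMA_LOGIN.match(path):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop attempts outside the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Tune `threshold` and `window_seconds` to the site's normal login rate; a hit is a candidate for blocking at the reverse proxy or for a rate-limit rule in front of phpMyAdmin.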