New Golang Worm Delivers XMRig Miner on Servers
In early December 2020, researchers discovered a new, previously undetected worm written in Golang, continuing the 2020 trend of multi-platform malware developed in that language.
This new worm attempts to spread across the network in order to run the XMRig miner at scale. The malware can target both Windows and Linux servers and can easily spread from one platform to the other. It often targets public-facing services with weak passwords, such as MySQL, the Tomcat admin panel, and Jenkins. In earlier versions that were discovered, the worm attempted to exploit a WebLogic vulnerability, CVE-2020-14882. While the threat team at Intezer was analyzing it, the attacker continuously updated the worm on the Command and Control server, likely indicating that the worm is still active and could be targeting additional weakly configured services in future updates.
The attack uses three files: a dropper script (either bash or PowerShell), a Golang binary worm, and the XMRig miner, all of which are hosted on the same C&C server. The malware behaves similarly on both Linux and Windows and ends with the successful installation and execution of the XMRig miner.
Sources: