A new brute-force malware which goes by the name of StealthWorker
was recently uncovered. This malware allegedly uses compromised e-commerce websites
to steal personal data.
The platforms that have majorly been affected by this
malware are Linux and windows.
Personal information and payment data are the basic motivations
behind these malware attacks.
The malware is written in a very unique and rarely used
language “Golang” which is already being used by the Mirai botnet development module.
To make all this happen the e-commerce websites are first
compromised by employing an embedded skimmer.
The vulnerabilities of the websites are manipulated by
either battering the plugin vulnerabilities or making use of a Content
Management System (CMS).
The malware emerged while the researchers were analyzing the
command and control server (5.45.69[.]149).
That’s where they found the storage directory with samples
intending to brute force a source admin tool.
There have been previous versions of this malware which had
only windows on their radar.
But the latest version happens to have server payload
binaries to get into Linux as well.
One of the samples that the researchers were working on is “PhpMyAdminBrut_Windows_x86.exe”
where an IP was found which led to a web panel login with an array of new samples.
Some open directories were also found which comprised of new
file names which indicated towards IoT devices with ARM and Mips structures.
StealthWorker works on a routine execution to ensure that
the malware stays even after the system’s rebooted.
The researchers also used the IDA python script to look for
other f malicious functions.
Out of research it was also found out that other platforms and
services are also on the target list namely, FTP, Joomla, cpanel, Mysql, SSH
and others.
Furthermore, other major moves are also being made on the
part of the cyber-cons towards infecting an extensive variety of platforms.