Heimdal Security released an advisory for its customer base, users, partners, and clients in a matter that involved the emergence of a botnet that has infected thousands of sites. The botnet StealthWorker (GoBrut) has managed a large number of attacks in a very short time, via brute-forcing the target's internet-facing NAS devices and web servers. For the infected devices, Heimdal says that they will be used in future botnet campaigns for exploiting more hosts. GoBrut is not a botnet novelty exactly.
It was involved in the August 2021 campaign against Synology's NAS devices, however, its origin can be traced back to February 2019, when malware launched various brute-force attacks against poorly secured CMSs, including Magento. In terms of design, GoBrut is scripted in Golang, a popular programming language in the hacker communities and pen testers because of its flexibility, coding efficiency two IP addresses, and reasonable learning curve. In Synology's case, the payload was distributed via JS injection or something similar.
Once the distribution was tagged as successful, the malware begins to collect resources, finding the ones vulnerable to brute force. The reason why botnet StealthWorker had impressive success is rooted in how few CMSs manage password hygiene. In various incidents, leaked credentials were default user-password pairs, which hints that no measures were taken to make the passwords strong. Regarding the intrusion, the credentials accessed via distributed dictionary-based brute-forcing were given to a C2 panel hosted on a secondary 'attack' address, for C2 performing functions.
A surprising thing is that GoBrut is also capable of backtracking user admin login paths and extracting backup file locations. Heimdal Security says "the botnet StealthWorker is the very embodiment of the saying: “simpler is better”. Although heavily reliant on volumetric attacks, this malware has managed to rake up numerous hits by leveraging sub-par authentication mechanisms."
