Quick Look At GoScan Linux Server Cryptomining Malware
“Linux” and “cryptojacking” are two words we rarely see in the same sentence. It seems, though, that cybercriminals are expanding beyond their traditional Windows targets and are now mining cryptocurrency on infected Linux servers to maximise profits. Josh Grunzweig of Palo Alto Networks' prolific Unit 42 team has been researching the growth of Go-based malware. Go (often called Golang), the programming language Google introduced in 2009, has turned out to be a convenient language for writing malware. Since its introduction, Grunzweig and the Unit 42 team have identified more than 10,700 unique Go-based malware samples in the wild, and the decade-old language's growth as a platform for cross-platform malware development has been remarkable.
Windows is the most heavily targeted platform, with 92% of all Go-based malware built for it; the most recognisable families are HERCULES, Veil and GoBot2. Penetration testers have benefited as a side effect, since several of their tools, such as covert RATs, are also written in Go. “Certainly one of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms, including Windows, OSX, and Linux. This allows an attacker to focus on a single codebase that can be used to infect victims on various platforms, versus other programming languages that might require an attacker to have three different code repositories,” explained Grunzweig.
According to Grunzweig, Go statically links its libraries into every program it builds. The advantage is that the resulting binary is guaranteed to run regardless of which libraries are installed on the target system; the cost is size. The compiled Go malware samples collected by Unit 42 average around 4.65MB, with the bloat coming from the statically linked runtime and libraries. Combined with Go's cross-compilation support, this makes Go malware cross-platform almost by default, and a portion of the samples Unit 42 examined run on Windows, Linux and macOS.
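The two traits just described, static linking and Go origin, are easy to check on a suspect Linux binary during triage. The script below is an added example written for this page, not Unit 42's tooling or code from the article: it parses ELF64 headers directly (so it works without readelf or objdump), treats the absence of a PT_INTERP program header as "statically linked" and the presence of a `.gopclntab` or `.go.buildinfo` section as "built by the Go linker". The binaries it inspects are minimal in-memory ELF fixtures constructed by `build_sample_elf`, not real samples.

```python
"""Added example: minimal ELF64 triage for static linking and Go markers.
The sample ELF images are constructed fixtures, not real malware."""
import struct

PT_INTERP = 3                                   # program header naming the dynamic loader
GO_SECTIONS = {".gopclntab", ".go.buildinfo"}   # section names the Go linker emits


def inspect_elf(data: bytes) -> dict:
    """Return is_elf/static/go/sections/size for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF":
        return {"is_elf": False, "static": False, "go": False, "sections": [], "size": len(data)}
    if data[4] != 2 or data[5] != 1:            # EI_CLASS must be ELFCLASS64, EI_DATA little-endian
        raise ValueError("only ELF64 little-endian is handled here")
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (phoff, shoff, _flags, _ehsize, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from("<QQIHHHHHH", data, 32)
    # A dynamically linked ELF carries a PT_INTERP header pointing at ld.so; a static one does not.
    static = all(struct.unpack_from("<I", data, phoff + i * phentsize)[0] != PT_INTERP
                 for i in range(phnum))
    # Section names are offsets into the .shstrtab section; sh_offset is at +24 in each header.
    strtab_off = struct.unpack_from("<Q", data, shoff + shstrndx * shentsize + 24)[0]
    sections = []
    for i in range(shnum):
        name_off = struct.unpack_from("<I", data, shoff + i * shentsize)[0]
        end = data.index(b"\x00", strtab_off + name_off)
        sections.append(data[strtab_off + name_off:end].decode("ascii", "replace"))
    return {"is_elf": True, "static": static,
            "go": any(s in GO_SECTIONS for s in sections),
            "sections": sections, "size": len(data)}


def build_sample_elf(section_names, with_interp: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image as a test fixture (hypothetical binary).
    Layout: ELF header | program headers | .shstrtab bytes | section headers."""
    names = [""] + list(section_names)          # index 0 is the mandatory null section
    shstrtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\x00"
    phnum, phoff, phentsize, shentsize = (1 if with_interp else 0), 64, 56, 64
    strtab_off = phoff + phentsize * phnum
    shoff = strtab_off + len(shstrtab)
    shstrndx = names.index(".shstrtab")
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, shoff, 0,
                                 64, phentsize, phnum, shentsize, len(names), shstrndx)
    phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    shdrs = b""
    for n in names:
        is_strtab = n == ".shstrtab"
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[n], 3 if is_strtab else 1, 0, 0,
                             strtab_off if is_strtab else 0, len(shstrtab) if is_strtab else 0,
                             0, 0, 1, 0)
    return header + phdrs + shstrtab + shdrs


if __name__ == "__main__":
    fixtures = {
        "go-static":  build_sample_elf([".text", ".gopclntab", ".go.buildinfo", ".shstrtab"], False),
        "c-dynamic":  build_sample_elf([".text", ".dynamic", ".shstrtab"], True),
    }
    for label, blob in fixtures.items():
        print(label, inspect_elf(blob))
```

Treat the result as a triage signal, not a verdict: a `.gopclntab` section proves Go origin, not malice, and obfuscation tools can rename or strip sections, so a miss does not clear a file. On a real sample the `file` utility and `go version <binary>` give the same two facts, and the `size` field is worth recording because, as the next quote notes, oversized files are exactly the ones some scanners skip.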
“In certain circumstances, anti-virus products may ignore files, or be unable to scan them, in the event they are too large. This was witnessed in the past in targeted attacks involving the Comnie malware family, where the malware authors appended 64MB of garbage data to their files in an attempt to circumvent anti-virus products,” added Grunzweig.
Confirming the trend, Trend Micro has detected a Go-based cryptomining malware infecting Linux servers. Detected as Trojan.Linux.GOSCAN.BB, it is a variant of a Windows-based coin miner that spreads over SSH and through multiple exploits for Drupal, Atlassian Confluence Server and ThinkPHP. On its initial run it fetches a shell-script dropper component, detected as Trojan.SH.SQUELL.CC. The dropper's only job is to download the actual miner payload as a tarball with the innocuous-sounding name mysqli.tar.gz; the code it contains performs the actual Monero mining.
Once the coin miner process is confirmed to be running and solving hashes, the malware uses SSH to attempt to infect other Linux servers on the network. This is why servers rather than desktops are the targets: an SSH server (sshd) is typically only installed and enabled by default on server-oriented Linux installations, while most desktop distributions ship only the SSH client, used to connect to hosts that do run sshd.
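The SSH spreading stage leaves a distinctive trace in centrally collected sshd logs: a single source address that starts reaching many distinct servers within minutes. The script below is an added example written for this page, not Trend Micro's or the article's detection logic. It parses syslog-style sshd lines, aggregates them per source address, and flags any source that touches at least `min_hosts` distinct hosts inside a sliding window of `window_s` seconds. The log lines, hostnames and addresses in `SAMPLE_LOG` are constructed for the example.

```python
"""Added example: flag SSH fan-out (one source reaching many sshd hosts quickly),
the pattern the miner's SSH lateral movement produces. Log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)

# Constructed sample: 10.0.0.5 (hypothetical infected host) sweeps four servers in two
# minutes; 10.0.0.20 is an administrator's normal publickey logins.
SAMPLE_LOG = """\
Mar  4 10:00:01 web-01 sshd[2201]: Failed password for root from 10.0.0.5 port 40122 ssh2
Mar  4 10:00:03 web-01 sshd[2201]: Accepted password for root from 10.0.0.5 port 40122 ssh2
Mar  4 10:00:40 web-02 sshd[1877]: Failed password for root from 10.0.0.5 port 40190 ssh2
Mar  4 10:01:12 app-01 sshd[3310]: Accepted password for root from 10.0.0.5 port 40231 ssh2
Mar  4 10:02:05 build-01 sshd[912]: Failed password for invalid user admin from 10.0.0.5 port 40302 ssh2
Mar  4 10:02:30 bastion sshd[77]: Accepted publickey for alice from 10.0.0.20 port 55010 ssh2
Mar  4 10:03:00 web-01 sshd[2240]: Accepted publickey for alice from 10.0.0.20 port 55011 ssh2
"""


def parse_line(line: str):
    """Parse one sshd auth line into a dict, or None if it is not a login attempt."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so time deltas are only valid within one day's log
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
            "result": m["result"], "user": m["user"], "src": m["src"]}


def find_fanout(lines, window_s: int = 600, min_hosts: int = 3, allowlist=()):
    """Return {src_ip: {distinct_hosts, accepted_on}} for every source address that
    touched >= min_hosts distinct sshd hosts within any window_s-second window.
    allowlist holds addresses expected to fan out (bastions, config management)."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["src"] not in allowlist:
            per_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, lo = 0, 0
        for hi in range(len(evs)):          # sliding window over this source's events
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({e["host"] for e in evs[lo:hi + 1]}))
        if best >= min_hosts:
            alerts[src] = {
                "distinct_hosts": best,
                # hosts where the sweep actually got a shell: the ones to isolate first
                "accepted_on": sorted({e["host"] for e in evs if e["result"] == "Accepted"}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {info['distinct_hosts']} hosts, accepted on {info['accepted_on']}")
```

Tune `min_hosts` and `window_s` to the environment and put bastions and configuration-management hosts in `allowlist`, otherwise they will dominate the alerts. The `accepted_on` list is the immediate containment set. The sample also shows why the spread works at all: password logins for root being accepted on internal servers, a configuration that `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config would have prevented.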