Researchers discovered a new brute-force malware called StealthWorker that attacks Windows and Linux platforms via compromised e-commerce websites to steal personal information and payment data.
This stealthy malware is written in Golang, a language that is very rarely used by malware authors, although it has already been used to develop a Mirai botnet module.
In this case, e-commerce websites are being compromised by attackers using an embedded skimmer; before that, they gain access to their target's backend.
StealthWorker Malware Infection Process
Researchers initially analysed the command and control server (5.45.69[.]149), where they found the /storage directory hosting 5 samples that are intended to brute-force the open source admin tool phpMyAdmin.
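On the defending side, brute forcing of a phpMyAdmin login shows up in the web server's access log as a burst of login POSTs from one source. The following detection sketch is an added example, not code from the researchers or from the malware; it assumes the Apache/nginx "combined" log format, a phpMyAdmin path containing `phpmyadmin` or `pma`, and a threshold of 5 POSTs per 60 seconds, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Apache/nginx "combined" access log format, oldest line first.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: phpMyAdmin is published under /phpmyadmin/ or /pma/.
PMA_PATH = re.compile(r'/(phpmyadmin|pma)/(index\.php)?(\?|$)', re.I)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak POST count} for every source that sent at least
    `threshold` login POSTs to phpMyAdmin inside any sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not PMA_PATH.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample lines (documentation address ranges, not real traffic):
# one source sending a login POST every 2 seconds, one normal user login,
# and one source whose attempts are too far apart to reach the threshold.
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2019:10:00:{s:02d} +0000] '
    '"POST /phpmyadmin/index.php HTTP/1.1" 200 4120 "-" "-"'
    for s in range(0, 16, 2)
] + [
    '198.51.100.20 - - [12/Mar/2019:10:00:20 +0000] '
    '"GET /phpmyadmin/ HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2019:10:00:25 +0000] '
    '"POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.9 - - [12/Mar/2019:10:{m:02d}:00 +0000] '
    '"POST /pma/index.php HTTP/1.1" 200 4120 "-" "-"'
    for m in (1, 5, 9)
]

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE).items():
        print(f"possible phpMyAdmin brute force from {ip}: {peak} POSTs in 60s")
```

A distributed campaign can spread attempts across many sources, so a per-source threshold like this one is best paired with a site-wide count of login POSTs.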
The previous version of this malware only targeted the Windows platform, but this new version also serves payload binaries to compromise the Linux platform.
Later researchers start
These open directories contain new filenames that indicate targeting of IoT devices with ARM and MIPS architectures.
During execution, the StealthWorker malware creates a scheduled execution to make sure the malware persists even after victims reboot the system.
In further analysis, researchers used the IDAPython script and found the malicious function that is used by this malware and the functions
According to Fortinet research, “As we have seen in this new StealthWorker campaign, the malware developers have also taken further steps to increase their rate of success by also being able to infect a wider range of platforms.”