StealthWorker

Researchers discovered a new brute-force malware called StealthWorker that attack Windows & Linux platform via compromised E-commerce websites to steals personal information and payment data.

This Stealthy malware written in Golang language which is very rarely used by malware authors and this language already being used by Mirai botnet develop module.

In this case, E-commerce websites are being compromised by attackers using an embedded skimmer, before that they gain access to their target’s backend.

Threat actors achive this target by exploiting the vulnerabilities in the Content Management System (CMS) or abusing the plugin vulnerabilities.

StealthWorker malware Infection Process

Researchers initially analysing the command and control server (5.45.69[.]149) where they found the /storage directory hosting 5 samples that are intended to brute force the open source admin tool called PhPMyAdmin.

Previous version of this malware only targeted the windows platform but this new version also serves payload binaries to compromised the Linux platform.

Later researchers start analysing one of the sample “PhpMyAdminBrut_Windows_x86.exe” where they found another IP which leads to same web panel login and open directory with the variety of new samples.

These open directories are contains new filenames that indicate to targeting IoT devices with ARM and Mips architectures.

During the execution of StealthWorker malware creates a scheduled execution to make sure the malware stay persist even after victims reboot the system.

In Further analysis researchers use the IDA python script and find the malicious function that is used by this malware and the functions are clearly indicate that the malware targets the various platforms and services including cpanel, Mysql, SSH, Joomla. FTP Etc.

According to Fortinet research, “As we have seen in this new StealthWorker campaign, the malware developers have also taken further steps to increase their rate of success by also being able to infect a wider range of platforms.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Brutespray – Port Scanning and Automated Brute Force Tool

StegCracker – Brute-force Utility to Uncover Hidden Data Inside Files

New Hacking Group Outlaw Distributing Botnet to Scan The Network & Perform Cryptocurrency-Mining & Brute-Force Attack

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack