Monday, December 4, 2023

StealthWorker Brute-force Malware Attack on Windows & Linux Platform Via Hacked E-commerce Websites

Researchers discovered a new brute-force malware called StealthWorker that attack Windows & Linux platform via compromised E-commerce websites to steals personal information and payment data.

This Stealthy malware written in Golang language which is very rarely used by malware authors and this language already being used by Mirai botnet develop module.

In this case, E-commerce websites are being compromised by attackers using an embedded skimmer, before that they gain access to their target’s backend.

Threat actors achive this target by exploiting the vulnerabilities in the Content Management System (CMS) or abusing the plugin vulnerabilities.

StealthWorker malware Infection Process

Researchers initially analysing the command and control server (5.45.69[.]149) where they found the /storage directory hosting 5 samples that are intended to brute force the open source admin tool called PhPMyAdmin.

Previous version of this malware only targeted the windows platform but this new version also serves payload binaries to compromised the Linux platform.

Later researchers start analysing one of the sample “PhpMyAdminBrut_Windows_x86.exe” where they found another IP which leads to same web panel login and open directory with the variety of new samples.

These open directories are contains new filenames that indicate to targeting IoT devices with ARM and Mips architectures.

During the execution of StealthWorker malware creates a scheduled execution to make sure the malware stay persist even after victims reboot the system.

In Further analysis researchers use the IDA python script and find the malicious function that is used by this malware and the functions are clearly indicate that the malware targets the various platforms and services including cpanel, Mysql, SSH, Joomla. FTP Etc.

According to Fortinet research, “As we have seen in this new StealthWorker campaign, the malware developers have also taken further steps to increase their rate of success by also being able to infect a wider range of platforms.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Brutespray – Port Scanning and Automated Brute Force Tool

StegCracker – Brute-force Utility to Uncover Hidden Data Inside Files

New Hacking Group Outlaw Distributing Botnet to Scan The Network & Perform Cryptocurrency-Mining & Brute-Force Attack

Troldesh Ransomware Spreading Via Weaponized Word Document and RDP Brute-force Attack


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles