GoBruteforcer is a new kind of botnet malware, written in Golang, that targets web servers, specifically those running phpMyAdmin, MySQL, FTP and Postgres services. The following information is based on samples discovered by researchers in March 2023.
GoBruteforcer identifies vulnerable systems systematically: it scans each targeted IP address for phpMyAdmin, MySQL, FTP, and Postgres services. When it finds an open port, it attempts an unauthorized login using hard-coded credentials. Once it gains access, the malware installs an Internet Relay Chat (IRC) bot on phpMyAdmin systems or a PHP web shell on servers running the other targeted services. It then contacts its command-and-control server and awaits instructions, which it receives through the installed IRC bot or web shell.
To widen its pool of targets, GoBruteforcer uses a multi-scan module that searches for potential targets within a Classless Inter-Domain Routing (CIDR) block. Before it begins scanning, the malware selects a CIDR block and then targets every IP address within that range. This approach lets the malware reach a diverse range of hosts on different IP addresses, amplifying the impact of the attack.
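The behaviour described above (login attempts against the same four services, swept across every address in one CIDR block) leaves a recognisable trail in authentication logs. The following detection sketch is an added example, not code from the researchers' report; the normalised event tuple, the /24 grouping, the thresholds and the sample events are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# The four services the article says GoBruteforcer scans for.
TARGETED = {"phpmyadmin", "mysql", "ftp", "postgres"}

# Constructed, time-ordered sample events (not real telemetry):
# (source IP, destination IP, service, login outcome)
EVENTS = [
    ("203.0.113.7", "10.0.5.10", "mysql", "fail"),
    ("203.0.113.7", "10.0.5.10", "ftp", "fail"),
    ("198.51.100.20", "10.0.5.10", "mysql", "fail"),      # single user typo
    ("198.51.100.20", "10.0.5.10", "mysql", "success"),
    ("203.0.113.7", "10.0.5.11", "postgres", "fail"),
    ("203.0.113.7", "10.0.5.12", "phpmyadmin", "fail"),
    ("203.0.113.7", "10.0.5.12", "phpmyadmin", "success"),
]


def find_sweeps(events, prefix=24, min_hosts=3, min_services=2):
    """Flag sources whose failed logins span many hosts in one CIDR block."""
    state = defaultdict(lambda: {"hosts": set(), "services": set(), "hits": set()})
    for src, dst, service, outcome in events:
        if service not in TARGETED:
            continue
        # Group destinations by the block they fall in (assumed /24 by default).
        block = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        rec = state[(src, str(block))]
        if outcome == "fail":
            rec["hosts"].add(dst)
            rec["services"].add(service)
        elif dst in rec["hosts"]:
            # Success after earlier failures from the same source:
            # a guessed credential, so the host needs incident response.
            rec["hits"].add((dst, service))
    findings = []
    for (src, block), rec in sorted(state.items()):
        if len(rec["hosts"]) >= min_hosts and len(rec["services"]) >= min_services:
            findings.append({
                "src": src, "block": block, "hosts": len(rec["hosts"]),
                "services": sorted(rec["services"]), "hits": sorted(rec["hits"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_sweeps(EVENTS):
        print(finding)
```

Any host listed under `hits` should be checked for the IRC bot or PHP web shell the article describes, and its credentials rotated.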