
A new malware strain called GoBruteforcer has been found targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet. The malware is mainly designed to single out Unix-like platforms running x86, x64 and ARM architectures, and it attempts to obtain access via a brute-force attack using a list of credentials hard-coded into the binary. If the attack succeeds, an internet relay chat (IRC) bot is deployed on the victim server to establish communications with an actor-controlled server. GoBruteforcer also leverages a PHP web shell already installed on the victim server to glean more details about the targeted network.
This is just the latest example of malware using brute-force attacks to target web servers. These attacks can be very difficult to defend against because they often exploit weak or stolen credentials. The best way to defend against these attacks is to use strong, unique passwords for all of your servers and to regularly monitor your server logs for suspicious activity.
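As a starting point for the log monitoring recommended above, here is an added example (not from the original article) that flags source addresses with many failed logins spread over several usernames across the four services the malware targets. The log formats, the sample lines and the thresholds are assumptions: vsftpd's own log, a MySQL error log that records denied connections, PostgreSQL with `%h` in `log_line_prefix`, and phpMyAdmin authentication logging sent to syslog.

```python
import re
from collections import defaultdict

# One failed-login pattern per service; each captures the user and source address.
PATTERNS = {
    # vsftpd log: [user] FAIL LOGIN: Client "ip"
    "ftp": re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'),
    # MySQL error log (host may be a name if reverse lookups are enabled)
    "mysql": re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'"),
    # PostgreSQL, assuming log_line_prefix puts %h (client host) before the severity
    "postgres": re.compile(
        r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) FATAL:\s+'
        r'password authentication failed for user "(?P<user>[^"]+)"'),
    # phpMyAdmin authentication log written to syslog
    "phpmyadmin": re.compile(
        r"phpMyAdmin\[\d+\]: user denied: (?P<user>\S+) \(\S+\) from (?P<ip>\S+)"),
}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    'Mon Mar 13 10:00:01 2023 [pid 4021] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Mon Mar 13 10:00:01 2023 [pid 4022] [ftpuser] FAIL LOGIN: Client "203.0.113.5"',
    "2023-03-13T10:00:02.481Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2023-03-13T10:05:40.017Z 13 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)",
    '2023-03-13 10:00:03 UTC [2345] 203.0.113.5 FATAL:  password authentication failed for user "postgres"',
    "Mar 13 10:00:04 web01 phpMyAdmin[3110]: user denied: root (mysql-denied) from 203.0.113.5",
    "Mar 13 10:00:05 web01 phpMyAdmin[3111]: user denied: admin (mysql-denied) from 203.0.113.5",
    'Mon Mar 13 10:06:12 2023 [pid 4030] [alice] OK LOGIN: Client "198.51.100.7"',
]

def find_bruteforce_sources(lines, min_failures=5, min_users=3):
    """Return per-source stats for addresses that look like credential-list guessing."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "services": set()})
    for line in lines:
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                s = stats[m["ip"]]
                s["failures"] += 1
                s["users"].add(m["user"])
                s["services"].add(service)
                break  # a line belongs to exactly one service
    return {ip: s for ip, s in stats.items()
            if s["failures"] >= min_failures and len(s["users"]) >= min_users}

if __name__ == "__main__":
    for ip, s in find_bruteforce_sources(SAMPLE).items():
        print(ip, s["failures"], sorted(s["users"]), sorted(s["services"]))
```

The function counts over whatever batch of lines it is given, so feed it a bounded window (for example, the last hour of each log) and tune the thresholds to your normal failure rate.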