Golang Spreader Used in Cryptocurrency-Mining Malware Campaign (Jun 28, 2019)

Trend Micro researchers have identified a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Golang is an open-source programming language that has recently been associated with malware activity. To propagate, the spreader used in this campaign scans for machines running vulnerable web applications, particularly ThinkPHP and Drupal. Cybercriminals are possibly turning to Golang to make analysis of their malware more difficult, as it is not as commonly used for malware as other languages. Trend Micro has been detecting use of the spreader since May 2019 and observed it again in a campaign in June 2019.

Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe). Cryptocurrency miners cause sustained high CPU usage, so if a machine's fans seem to be running constantly, the activity/task manager should be checked to see whether a miner is running unnoticed. In addition, it is not uncommon for cryptocurrency-mining malware to be distributed via malicious plugins/add-ons that impersonate legitimate software. It is therefore important that employees are educated about such tactics and that policies are in place governing which software is allowed on work machines.
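The recommendation above suggests looking for processes that keep a machine's CPU busy. The following Python script is an added illustration, not code from the briefing or from Trend Micro, of how that manual check can be turned into a simple host-level detection: sample per-process CPU utilisation in rounds and alert only on processes that stay above a threshold for several consecutive rounds, so short legitimate bursts (a compiler, a browser tab) do not trigger. The process names and CPU values in the sample rounds are constructed; in practice the rounds would be fed from a process-monitoring library such as psutil (an assumption, not something the briefing mentions).

```python
"""Flag processes whose CPU share stays high across consecutive samples.

Added illustration (not from the original briefing): a miner keeps a core
busy for a long time, so a sustained-high-CPU check is a cheap first-line
detection. The sample rounds below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    pid: int
    name: str
    cpu_percent: float  # share of one core, 0-100 (can exceed 100 on multi-core hosts)


def sustained_high_cpu(rounds, threshold=80.0, min_consecutive=3):
    """Return {(pid, name): longest_run} for processes that were at or above
    `threshold` in at least `min_consecutive` consecutive sampling rounds.

    `rounds` is a list of sampling rounds; each round is a list of Sample
    objects taken at the same moment. A process that is absent from a round
    (e.g. it exited and was restarted) loses its streak, which keeps the
    check focused on genuinely continuous load.
    """
    current = defaultdict(int)   # current consecutive-high run per process
    longest = defaultdict(int)   # longest run observed per process
    for rnd in rounds:
        seen = set()
        for s in rnd:
            key = (s.pid, s.name)
            seen.add(key)
            if s.cpu_percent >= threshold:
                current[key] += 1
                longest[key] = max(longest[key], current[key])
            else:
                current[key] = 0
        # processes missing from this round lose their streak
        for key in list(current):
            if key not in seen:
                current[key] = 0
    return {k: v for k, v in longest.items() if v >= min_consecutive}


# Constructed sample data: five rounds taken 10 s apart (values are invented).
# "gcc" is a legitimate short burst; "update-helper" never lets go of the core.
CONSTRUCTED_ROUNDS = [
    [Sample(412, "gcc", 95.0), Sample(901, "update-helper", 97.0), Sample(77, "sshd", 0.3)],
    [Sample(412, "gcc", 90.0), Sample(901, "update-helper", 99.0), Sample(77, "sshd", 0.1)],
    [Sample(412, "gcc", 4.0), Sample(901, "update-helper", 98.5), Sample(77, "sshd", 0.2)],
    [Sample(901, "update-helper", 99.0), Sample(77, "sshd", 0.0)],
    [Sample(412, "gcc", 88.0), Sample(901, "update-helper", 97.5), Sample(77, "sshd", 0.4)],
]


if __name__ == "__main__":
    for (pid, name), run in sustained_high_cpu(CONSTRUCTED_ROUNDS).items():
        print(f"ALERT pid={pid} name={name}: CPU >= 80% for {run} consecutive samples")
```

With the constructed rounds only `update-helper` is reported (five consecutive high samples); `gcc` peaks for two rounds, drops, disappears for a round and comes back, so its longest run never reaches the default of three. Tune `threshold` and `min_consecutive` to the host's normal workload, and treat an alert as a prompt to inspect the process (its path, parent and network connections), not as proof of mining on its own.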

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.