Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute force other computers in a series of distributed brute force attacks.

As unearthed by FortiGuard Labs' Rommel Joven, the StealthWorker Golang-based brute forcer (also known as GoBrut) discovered by Malwarebytes at the end of February is actively being used to target and compromise multiple platforms.

StealthWorker was previously connected to a number of compromised Magento-powered e-commerce websites on which attackers infiltrated skimmers designed to exfiltrate both payment and personal information.

As later discovered, the malware is capable of exploiting a number of vulnerabilities in to infiltrate Magento, phpMyAdmin, and cPanel Content Management Systems (CMSs), as well as brute force its way in if everything else fails.

Infection and communication process

While previously the StealthWorker payload was observed while being dropped on targeted servers with the help of the double-packed WallyShack Trojan downloader, the new campaign switched to a brute force-only approach aiming for any vulnerable host with weak or default credentials.

After a server has been hacked into, the FortiGuard Labs security researcher says that "depending on the system, it can then become another target for embedded skimmers or general data breaches."

Once on a compromised machine, the malware will create scheduled tasks on both Windows and Linux to gain persistence by copying itself in the Startup folder or to the /tmp folder and setting up a crontab entry respectively.

When everything is in place and the victim's computer was transformed into a botnet zombie, the malware connects to its command-and-control (C2) server letting it know that it's ready to start working.

Besides being able to request tasks as a worker in active brute force projects as part of the distributed brute force attack campaign, the StealthWorker malware is also capable of updating itself.

The attackers use the StealthWorker bots mainly for checking what services are running on a targeted server and to brute force their way in as shown in the table below.

"After being assigned as a worker, the next thing to do is retrieve the tasks to be performed from the C2. A list of hosts and credentials is received from the C2, and the worker’s task is to login to the targeted host. [..] If a login is successful, the worker will report the used host and credentials to the C2 as 'saveGood'," says Joven.

While brute force attacks are not new, using a botnet's zombies as part of a large distributed campaign of such attacks isn't something we see every day.

This approach allows the attackers to increase their rate of success by automating a very time-consuming process and abuse their victims' computing resources instead of having to use their own most likely limited processing capabilities.

In addition, as Joven concluded, "a distributed brute force attack coming from different source IP addresses can effectively bypass anti-brute force solutions, which are usually based on a threshold (e.g., if x failed requests coming from the source, then block the connection for xx minutes)."