Published on June 4th, 2020

Bruteforce malware probes login for popular web platforms

An aggressive tool hitting a sizable number of popular web services and platforms is trying to bruteforce its way in with login combinations obtained from parsing metadata from the target.

The malware looks for various systems for managing content, databases, and file transfers as well as backup files and administrator login paths.

Hitting CMS and services

In an analysis published today, Akamai Security Researcher Larry Cashdollar provides technical details on a piece of malware that is similar to Stealthworker, a Golang-based bruteforce tool that was analyzed in the past by Malwarebytes and Fortinet.

The version analyzed by Cashdollar targets cPanel, widely deployed CMS including WordPress, Drupal, Bitrix, OpenCart, Magento, and services like MySQL, PostgreSQL, SSH, and FTP. Previous analysis mentions phpMyAdmin, too.

The researcher caught the malware in a honeypot and found that it assigns a role to each infected machine: either scanning for other targets or bruteforcing the login of an assigned target.

Before getting to this part, though, Cashdollar noticed that the malware installed the free Alternate Lite WordPress theme. The purpose of the theme is unclear, but the researcher noticed that the attacker replaced the “cutomizer.php” script with a file upload script that accepts files via a POST request or from a URL.

Another interesting observation is that files other than text will be saved with the extension “.moban.” A WordPress theme with the same name existed, which also had file upload functionality. Cashdollar speculates that the attackers used code from Moban.

Once the files are in place, the malware contacts the command and control server to receive a list of targets and logins. If the system acts as a scanner, it will try to determine whether the target is running WordPress; otherwise the machine proceeds to the bruteforce routine.

Before the attack starts, though, the malware collects basic data from the target to generate a list of credentials.

“The malware parses out tags, like author, email, and other identifiers, to generate these wordlists. Doing so adds an element of personalized targeting towards the victim,” says Larry Cashdollar.

Weak authentication has always been a flaw probed in attacks: attackers run through huge lists of login combinations hoping to get past this barrier.

By using multiple machines to run the login attempts, the attackers are likely hoping to bypass bruteforce protections for an increased number of tries. This also allows them to reach a larger number of compromised hosts.
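The distributed approach described above defeats defenses that only count failures per source IP. The following added example (not code from the Akamai analysis) contrasts a per-IP counter with a site-wide distinct-source check over a constructed Apache access log; it assumes that a POST to /wp-login.php answered with HTTP 200 is a failed login, which a deployment should verify against its own logs.

```python
"""Per-IP vs. site-wide detection of distributed WordPress login bruteforcing."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; only POST requests are of interest here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six bots, each making only two failed attempts in one minute,
# plus one legitimate login (302 redirect on success, an assumption) and a GET.
SAMPLE_LOG = [
    f'203.0.113.{10 + bot} - - [04/Jun/2020:10:00:{5 * (2 * bot + i):02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 4312'
    for bot in range(6) for i in range(2)
] + [
    '198.51.100.7 - - [04/Jun/2020:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [04/Jun/2020:10:00:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001',
]

def failed_logins(lines):
    """Yield (epoch_seconds, source_ip) for each failed wp-login.php POST."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            yield datetime.strptime(m["ts"], TS_FMT).timestamp(), m["ip"]

def per_ip_alerts(lines, limit):
    """Classic per-source rate limit: IPs with more than `limit` failures."""
    counts = defaultdict(int)
    for _, ip in failed_logins(lines):
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > limit)

def distributed_alert(lines, window, min_ips):
    """Site-wide check: most distinct source IPs failing within any `window`
    seconds, and whether that reaches `min_ips`. Bots staying under the
    per-IP limit still add up here."""
    events = sorted(failed_logins(lines))
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({ip for _, ip in events[start:end + 1]}))
    return best, best >= min_ips

if __name__ == "__main__":
    print("per-IP alerts (limit 5):", per_ip_alerts(SAMPLE_LOG, 5))
    print("distinct failing IPs in 60s, alert:", distributed_alert(SAMPLE_LOG, 60, 5))
```

With the sample data the per-IP rule stays silent while the site-wide check reports six distinct sources in one minute.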
