
Malware & Threats

GoBruteforcer Botnet Targeting Crypto, Blockchain Projects

The botnet’s propagation is fueled by AI-generated server deployments that use weak credentials, and by legacy web stacks. The post GoBruteforcer Botnet Targeting Crypto, Blockchain Projects appeared first on SecurityWeek.


An evolved GoBruteforcer botnet variant has been targeting cryptocurrency and blockchain projects in a financially motivated campaign, Check Point reports.

First detailed in 2023, GoBruteforcer targets Linux servers to ensnare them into a scanning and password brute-forcing botnet that focuses on internet-exposed services, including FTP, MySQL, phpMyAdmin, and PostgreSQL.

According to Check Point, tens of thousands of web-accessible panels and databases use credentials that have leaked online, leaving them susceptible to GoBruteforcer compromise.

Written in Go, the malware consists of an IRC bot that provides operators with control over the infected systems, and a brute-forcer that scans random public IP ranges and attempts propagation using commonly used credentials.

Also contributing to GoBruteforcer’s propagation, Check Point says, are the use of weak usernames and passwords in fresh AI-assisted deployments, and the persistence of legacy web server software stacks.

The cybersecurity firm’s testing showed that different LLMs may use similar, popular default usernames for sample server deployments that could end up in production without proper sanitization.

“Although we do not think that GoBruteforcer specifically targets AI-assisted server installations, the widespread use of LLMs may help the botnet’s attacks become more successful,” Check Point notes.

Another important factor in the botnet’s success is the continued use of web stacks such as XAMPP, which often come with default credentials that act as a backdoor, the cybersecurity firm says.

The botnet’s command-and-control (C&C) server sends instructions regarding the web services to be targeted, along with a list of credentials for brute-forcing. The list is rotated several times per week.

Check Point observed an internet-exposed FTP service on servers running XAMPP being a notable vector for initial compromise in these attacks.
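As an added illustration (not code from the article or from Check Point), the following detector looks for the FTP password-spraying pattern described above in constructed log lines modeled on vsftpd's format; the client IPs, usernames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modeled on vsftpd's log format (not from the article).
# One source walks through common default usernames, then succeeds on "admin".
SAMPLE_LOG = """\
Mon Mar  4 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:02 2024 [pid 2102] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:02 2024 [pid 2103] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:03 2024 [pid 2104] [xampp] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:04 2024 [pid 2105] [test] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:05 2024 [pid 2106] [daemon] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:00:06 2024 [pid 2107] [admin] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 10:05:00 2024 [pid 2108] [alice] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  4 10:05:30 2024 [pid 2109] [alice] OK LOGIN: Client "198.51.100.9"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def find_bruteforce_sources(log_text, window_seconds=60, min_failures=5, min_users=3):
    """Return {ip: summary} for clients whose FAIL LOGIN events look like a spray:
    at least `min_failures` failures against `min_users` distinct usernames inside
    one `window_seconds` span. Also records whether an OK LOGIN followed the spray."""
    events = defaultdict(list)  # ip -> [(time, user, result)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login record
        t = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events[m["ip"]].append((t, m["user"], m["result"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):  # slide a window over the failures
            users = [u for t, u in fails[i:] if (t - start).total_seconds() <= window_seconds]
            if len(users) >= min_failures and len(set(users)) >= min_users:
                last_fail = max(t for t, _ in fails)
                ok_after = any(r == "OK" and t >= last_fail for t, _, r in evs)
                flagged[ip] = {"failures": len(fails),
                               "usernames": sorted({u for _, u in fails}),
                               "success_after_spray": ok_after}
                break
    return flagged
```

A source flagged with `success_after_spray` set is the case worth triaging first, since it matches the article's chain of credential guessing followed by web shell installation.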

The infection chain continues with the installation of a web shell that provides operators with control over the infected system. The web shell is used to fetch and execute additional payloads, including the IRC bot that also provides host control.

Check Point also found that GoBruteforcer has been using crypto-themed usernames in attacks, and discovered bot modules that iterate over TRON blockchain addresses and query their balances to identify potential targets of interest.

The botnet operators also deployed utilities that allow them to transfer Binance Smart Chain (BSC) and TRON tokens from their victims to attacker-controlled wallets. Two blockchain wallet addresses recovered by Check Point likely belonged to a legacy blockchain product.

“GoBruteforcer exemplifies a broader and persistent problem: the combination of exposed infrastructure, weak credentials, and increasingly automated tools. While the botnet itself is technically straightforward, its operators benefit from the vast number of misconfigured services that remain online,” Check Point notes.

Related: Kimwolf Android Botnet Grows Through Residential Proxy Networks

Related: RondoDox Botnet Exploiting React2Shell Vulnerability

Related: New ‘Broadside’ Botnet Poses Risk to Shipping Companies

Related: Exposed Docker APIs Likely Exploited to Build Botnet
