Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign

by Augusto Remillano II and Mark Vicente

We found a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Golang, or Go, is an open source programming language that has been recently associated with malware activity. Trend Micro has been detecting the use of the spreader since May and saw it again in a campaign this month.

The spreader used in this campaign scans for machines running vulnerable software to propagate. The campaign’s attack chain is detailed below.

Figure 1. The attack infection chain

Technical details

The Golang-based spreader
This malware looks for several entry points to spread to other systems. It not only uses the common SSH service, but also several exploits. It does this using the Golang-based spreader (which Trend Micro detects as Trojan.Linux.GOSCAN.BB) that scans for the following:

  • SSH
  • Misconfigured Redis server
  • ThinkPHP exploit
  • Drupal exploit
  • Atlassian Confluence server (CVE-2019-3396)

A snapshot of the spreader’s code (shown in Figure 2) shows that it scans for a Redis port.

Figure 2. Code showing the use of Redis

Aside from using misconfigured Redis ports, the malware can also infect servers through vulnerable web applications, particularly ThinkPHP and Drupal. The code in the image below shows that it scans for CVE-2019-3396, a vulnerability in Atlassian’s Confluence server that was previously seen being used to distribute a different cryptocurrency-mining malware.

Figure 3. Code showing the use of several vulnerabilities

And finally, it also propagates through SSH ports, as seen in the code snapshot below.

Figure 4. Code showing the use of SSH to propagate

Other components
Once the malware reaches the system, it will connect to Pastebin to download the dropper component (detected as Trojan.SH.SQUELL.CC). The dropper will then download and extract a TAR file from mysqli[.]tar[.]gz. The TAR file contains the miner payload, the Golang-based scanner, and other necessary components, enumerated below:

  • Configuration file for the miner components
  • Trojan.SH.SQUELL.CB that will execute the miner and scanner
  • The Golang-based spreader
  • The miner
  • File used to determine the malware’s installation status

Aside from executing the miner and the scanner, Trojan.SH.SQUELL.CB performs several other actions. It tries to infect other systems through SSH. It disables security tools and clears command history and logs. It also kills previously ongoing cryptocurrency mining activities (if there were any) by blocking network traffic, and killing their processes. For persistence, it installs itself as a service in the system. It also sets up a cron job that will download and execute the latest version of the malware from Pastebin. All these activities are shown in the code snapshots below.

Figure 5. Code showing the use of SSH to infect other systems

Figure 6. Code showing how the malware disables security tools

Figure 7. Code showing the command to clear history and logs

Figure 8. Code showing the malware eliminating other possibly installed miners in the system

Figure 9. Code showing the persistence mechanisms of the malware

Conclusion and security recommendations

This isn’t the first time a Golang-based script has been used for a campaign. As mentioned earlier we’ve been seeing the same Golang-based spreader since May, used also for a different cryptocurrency-mining malware. The Go programming language was also used in a data stealer malware earlier this year, as reported by Malwarebytes.

Go provides cybercriminals with easy cross-platform development, allowing them to infect both Linux and Windows machines. However, this characteristic is not unique to the programming language. Cybercriminals are possibly turning to Golang to make the analysis of their malware more difficult, as it’s not as commonly used for malware as compared to other languages.

Whatever the reason, users can take steps to reduce the effectivity of a similar campaign by strengthening their network security and defenses. Here are some steps users can take to defend against similar threats.

  • Applying the necessary patches and updates as soon as they become available
  • Being mindful of the methods attackers use to spread malware and tailor defenses against them
  • Changing system and device settings with security in mind to prevent unauthorized access

Trend Micro solutions

Trend Micro endpoint solutions such as the Trend Micro Smart Protection Suites and Worry-Free![™](upload://i37LNJilZJqDABNdtpur9g75TG.png) Business Security can protect users and businesses from threats such as cryptocurrency miners by detecting malicious files and blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery![™](upload://i37LNJilZJqDABNdtpur9g75TG.png) Inspector network appliance.

Trend Micro ![™](upload://i37LNJilZJqDABNdtpur9g75TG.png) Deep Discovery ![™](upload://i37LNJilZJqDABNdtpur9g75TG.png) Inspector protects customers from the mentioned exploits through these rules:

  • 2573: MINER – TCP (Request)
  • 2626: CVE-2018-7600 – Drupal Remote Code Execution – HTTP (Request)
  • 2786: ThinkPHP 5x Remote Code Execution – HTTP (Request)
  • 2887: CVE-2019-3396 – ATLASSIAN CONFLUENCE – HTTP (Request)

Indicators of compromise (IoCs):







Wallet address:


SHA256 Detection name
2acf625f3842a6dfebf3ffa1df565ec48837838bd503a3f6c5f46a7c6564c6c9 Coinminer.Linux.TOOLXMR.AC.component
53622ec8ed5381230734e4695be737ff804ccb3f0e3ba241dda24bb00f37bd4d Trojan.Linux.GOSCAN.BB
6c3c0cd32e9b78485c5acec11a3d44f7a72a06d90ba0f3bfc260ea9698028797 Trojan.Linux.GOSCAN.BB
84fb31603c05804c17a2c6747927c48f3ef7d03986a50ecc5efe5cf9c9d830f5 Coinminer.Linux.TOOLXMR.AC
9295b6b635cd6e33b8f5589d142d95f7cfcc48abde4193374433fa3a379f0c5a Trojan.SH.SQUELL.CC
9ea5a0e97e9ddcfce5b068426593de4f6e81fbddde50930c20eee74c779dd7e7 Coinminer.Linux.TOOLXMR.AC
eb3b284bcfce567d059f47df46a777d600499c413e86310c9a95ae8edc8f0156 Trojan.SH.SQUELL.CB


The post Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign appeared first on .

Article Link: http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/HaSduAzHDWw/