Golang | Breaking Cybersecurity News | The Hacker News

The threat actors behind the  DDoSia  attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia  said  in a technical write-up. DDoSia is attributed to a pro-Russian hacker group called  NoName(057)16 . Launched in 2022 and a successor of the  Bobik botnet , the attack tool is  designed  for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan. Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different w

A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called  RDStealer . "The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie  said  in a technical report shared with The Hacker News. Evidence gathered by the Romanian cybersecurity firm shows that the campaign – dubbed RedClouds – started in early 2022. The targeting aligns with the interest of China-based threat actors. In the early phases, the operation relied on readily available remote access and post-exploitation tools like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection. A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor

A new Golang-based information stealer called  Skuld  has compromised Windows systems across Europe, Southeast Asia, and the U.S. "This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho  said  in a Tuesday analysis. "To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim's folders." Skuld, which shares overlaps with publicly available stealers like  Creal Stealer ,  Luna Grabber , and  BlackCap Grabber , is the handiwork of a developer who goes by the online alias Deathined on various social media platforms like GitHub, Twitter, Reddit, and Tumblr. Also spotted by Trellix is a Telegram group named deathinews, indicating that these online avenues could be used to promote the offering in the future as a service for other threat actors. The malware, upon execution, checks if it's

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called  GobRAT . "Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC)  said  in a report published today. The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection. The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the  .ssh/authorized_keys file  for remote access. GobRAT, for its part, communicates with a remote server via the Transport Layer Security ( TLS ) protocol to receive as many as 22 different encrypted commands for execution. Some of the major commands are as follows - Obt

A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems. That's according to findings from SentinelOne, which observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months. "While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss  said  in a report. Cobalt Strike  is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad capabilities, illegally cracked versions of the software have been abused by threat actors over the years. While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity. In May 2022, software supply chain firm Sonatype  disclosed  details of a rogue Python package called " pymafka "

A new Golang-based botnet dubbed  HinataBot  has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata-<OS>-<Architecture>,'" Akamai  said  in a technical report. Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices ( CVE-2014-8361 )and Huawei HG532 routers ( CVE-2017-17215 , CVSS score: 8.8). Unpatched vulnerabilities and weak credentials have been a low-hanging fruit for attackers, representing an easy, well-documented entry point that does not require sophisticated social engineering tactics or other methods. The threat actors behind HinataBot are said to have been active since at least December 2022, with the

A new Golang-based information stealer malware dubbed  Titan Stealer  is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi  said  in a recent report. Details of the malware were  first documented  by cybersecurity researcher Will Thomas (@BushidoToken) in November 2022 by querying the IoT search engine Shodan. Titan is offered as a builder, enabling customers to customize the malware binary to include specific functionalities and the kind of information to be exfiltrated from a victim's machine. The malware, upon execution, employs a technique known as  process hollowing  to inject the malicious payload into the memory of a legitimate process known as AppLa

Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed  SwiftSlicer . ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer," ESET  disclosed  in a series of tweets. The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added. "Attackers deployed the SwiftSlicer wiper using Group Policy of Active Directory," Robert Lipovsky, senior malware researcher for ESET, told The Hacker News. "Once SwiftSlicer

Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne  said  in an analysis published today. A striking aspect of the intrusions is the consistent use of SparkRAT to conduct a variety of activities, including stealing information, obtaining control of an infected host, or running additional PowerShell instructions. The threat actor's end goals remain unknown as yet, although espionage or cybercrime is likely to be the motive. DragonSpark's ties to China stem from the use of the  China Chopper  web shell to deploy malware – a widely used attack pathway among Chinese threat actors. Furthermore, not only do the open source tools used in the cyber assaults originate from develope

A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems. The development, revealed by Securonix , points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, effectively allowing the operators to leverage a common codebase to target different operating systems. Go binaries also have the added benefit of rendering reverse engineering a lot more challenging as opposed to malware written in other languages like C++ or C#, not to mention prolong analysis and detection attempts. Phishing emails containing a Microsoft Office attachment act as the entry point for the attack chain that, when opened, retrieves an obfuscated VBA macro, which, in turn, is auto-executed should the recipient enable macros. The execution of the macro results in the download of an image file &quo

A new ransomware strain written in Golang dubbed " Agenda " has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. "Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," Trend Micro researchers  said  in an analysis last week. Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process. Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the 'safe mode' feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user's password and enabl

A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. Dubbed  Panchan  by Akamai Security Research, the malware "utilizes its built-in concurrency features to maximize spreadability and execute malware modules" and "harvests SSH keys to perform lateral movement." The feature-packed botnet, which relies on a basic list of default SSH passwords to carry out a  dictionary attack  and expand its reach, primarily functions as a cryptojacker designed to hijack a computer's resources to mine cryptocurrencies. The cybersecurity and cloud service company noted it first spotted Panchan's activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration. Panchan is known to deploy and execute two miners, XMRig and nbhash, on the host

Cybersecurity researchers have unpacked a nascent Golang-based botnet called  Kraken  that's under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. "Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim's system," threat intelligence firm ZeroFox  said  in a report published Wednesday. Discovered first in October 2021, early variants of Kraken have been found to be based on source code uploaded to GitHub, although it's unclear if the repository in question belongs to the malware's operators or if they simply chose to start their development using the code as a foundation. The botnet – not to be confused with a  2008 botnet  of the same name – is perpetuated using  SmokeLoader , which chiefly acts as a loader for next-stage malware, allowing it to quickly scale in size and expand its network. Kr

A peer-to-peer Golang botnet has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts. Dubbed FritzFrog , "the decentralized botnet targets any device that exposes an SSH server — cloud instances, data center servers, routers, etc. — and is capable of running any malicious payload on infected nodes," Akamai researchers said in a report shared with The Hacker News. The new wave of attacks commenced in early December 2021, only to pick up pace and register a 10x growth in its infection rate in a month's time, while peaking at 500 incidents per day in January 2022. The cybersecurity firm said it detected infected machines in a European television channel network, a Russian manufacturer of healthcare equipment, and multiple universities in East Asia. FritzFrog was  first documented  by Guardicore in August 2020, elaborating the botnet&

Weaknesses in e-commerce portals are being exploited to deploy a Linux backdoor as well as a credit card skimmer that's capable of stealing payment information from compromised websites. "The attacker started with automated e-commerce attack probes, testing for dozens of weaknesses in common online store platforms," researchers from Sansec Threat Research  said  in an analysis. "After a day and a half, the attacker found a file upload vulnerability in one of the store's plugins." The name of the affected vendor was not revealed. The initial foothold was then leveraged to upload a malicious web shell and alter the server code to siphon customer data. Additionally, the attacker delivered a Golang-based malware called " linux_avp " that serves as a backdoor to execute commands remotely sent from a command-and-control server hosted in Beijing. Upon execution, the program is designed to remove itself from the disk and camouflage as a " ps -ef

A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang. Dubbed " Diicot brute ," the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to facilitate the intrusions, Bitdefender researchers said in a report published last week. While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two  DDoS  botnets, including a  Demonbot  variant called chernobyl and a Perl  IRC bot , with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021. The Romanian cybersecurity technology company said it began its investigation into the group's hostile online activities in May 2021, leading