SECURITY ALERT: Active Golang-Written Botnet StealthWorker Infects Thousands of Websites via Distributed Brute-Force Attacks.

Heimdal™ Security’s SOC department, together with other cybersecurity institutions, has released an all-out advisory to its customer base, clients, users, and partners regarding the activity of an emergent botnet that has infected thousands of websites. The botnet StealthWorker (GoBrut) has achieved an impressive number of hits in a brief span of time by brute-forcing victims’ Internet-facing NAS devices and web servers. As for the ‘zombified’ devices, Heimdal™ believes that they will be used in future botnet campaigns to compromise even more hosts.

Botnet StealthWorker – M.O., Infectious Mechanism(s), and Distribution

GoBrut, aka StealthWorker, is not exactly a novelty among botnets. The same botnet was involved in the August 2021 attack against Synology’s NAS devices but, interestingly enough, it goes all the way back to February 2019, when the same malware was found to be behind several brute-force attacks launched against improperly secured CMSs, Magento being among them. Its M.O. appears to have been consistent over time: using distributed brute-force attacks to infiltrate, infect, corrupt, and ‘zombify’ the target device.

Design-wise, GoBrut is written in Golang, a programming language very popular among hackers and pen-testers for its flexibility, reasonable

Read More: https://heimdalsecurity.com/blog/security-alert-botnet-stealthworker/