With Bitcoin at an all-time high, the idea of owning any kind of cryptocurrency, such as Monero, becomes much more appealing. And with the Bitcoin frenzy, mining machines and graphics cards become scarcer and more expensive. For attackers, the alternative is to hijack other machines to do the mining, and that is what a newly discovered worm written in Golang does. This Golang worm is malware that targets Linux and Windows systems alike and turns them into Monero crypto-miners by installing XMRig.
Researchers from security firm Intezer detected the worm in December 2020. XMRig by itself is a crypto-currency Trojan malware that can be transmitted through means such as phishing. Delivered by a worm such as this one written in Golang, it becomes more potent. The attack consists of three components: a dropper script, the Golang worm itself and the XMRig miner. The script looks for an open port 52013 and proceeds to infect the network.
The worm wiggles through Windows and Linux servers and drops the XMRig miner, so nobody has to install XMRig accidentally through phishing. An infection slows down affected systems and networks, which hurts productivity, and amounts to an indirect financial donation to the worm operator. Companies with public-facing systems that use MySQL, Jenkins and Tomcat are mostly affected.
As of now, the Golang worm is undetectable via VirusTotal, so additional preventive measures are needed to keep your network from becoming a mining node. These include securing port 52013 on network devices, using strong passwords on the involved systems, using two-factor authentication if possible, applying regular software and firmware updates, and deploying cloud workload protection such as Intezer Protect or similar. As per Intezer, the threat is not limited to Windows and Linux but extends to Mac and Android systems as well, and is expected to push well into 2021.
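One way to audit a Linux host for the port mentioned above, as an added example that is not code from Intezer or from this article: it parses the kernel's `/proc/net/tcp` socket table and lists IPv4 sockets listening on, or connected out to, TCP 52013. The sample table is constructed, a little-endian host is assumed, and a hit is a prompt to identify the owning process, not proof of infection.

```python
import os
import socket
import struct

WATCH_PORT = 52013  # port named in the article
TCP_LISTEN = 0x0A   # kernel state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20011 1
   1: 00000000:CB2D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1
   2: 0A00000A:A1B2 0B00000A:CB2D 01 00000000:00000000 00:00000000 00000000  1000        0 40222 1
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into 'a.b.c.d:port' (assumes a little-endian host)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def find_port_activity(table, port=WATCH_PORT):
    """Return (kind, local, remote, uid, inode) for each IPv4 socket touching `port`."""
    findings = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        local, remote = decode_endpoint(cols[1]), decode_endpoint(cols[2])
        state, uid, inode = int(cols[3], 16), int(cols[7]), int(cols[9])
        if state == TCP_LISTEN and local.endswith(f":{port}"):
            findings.append(("listen", local, remote, uid, inode))
        elif state != TCP_LISTEN and remote.endswith(f":{port}"):
            findings.append(("connect", local, remote, uid, inode))
    return findings


if __name__ == "__main__":
    # Use the live socket table when present, otherwise the constructed sample.
    path = "/proc/net/tcp"
    table = open(path).read() if os.path.exists(path) else SAMPLE
    for finding in find_port_activity(table):
        print(finding)
```

The inode in each result can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the process that owns the socket.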