StealthWorker Malware Conducts Distributed Brute Force Attacks

Delaware, USA – March 7, 2019 – Another campaign spreading brute-force malware was observed in the wild by FortiGuard Labs. The StealthWorker malware targets Windows and Linux machines, as well as exfiltrates sensitive information from e-tail websites and also exploits a variety of vulnerabilities of CMSs, phpMyAdmin, Magento. The current StealthWorker campaign doesn’t resort to services of any third-party downloader but takes advantages of poor or default settings of the targeted hosts. After reaching the victim machine the malware schedules tasks to gain persistence.

Having being copied to the /tmp folder in Windows or setting up a crontab entry in Linux, StealthWorker is ready to proceed with its brute-forcing activities managed by its command and control (C2) server. The malware’s functions are not limited by brute forcing numerous services and checking for updates, StealthWorker is capable of finding files in the open directories of the target host and concealing its traces by removing autorun and exiting malware. Still, the main danger of this campaign is that malware performs distributed brute force attacks, which easily bypass security solutions. Successfully guessing a password for any resource, StealthWorker sends it to attackers’ server, and they can both get valuable data and install Ransomware or Coinminer. To detect slow and distributed brute force attacks, you can use specialized content available in the Threat Detection Marketplace: https://my.socprime.com/en/integrations/brute-force-detection-hpe-arcsight