Threat Research

Unveiling the Stealthworker Campaign

By Rommel Joven | October 23, 2019

A FortiGuard Labs Threat Analysis

Earlier this year, FortiGuard Labs shared their findings about a malware that was linked to a compromised e-commerce website serving a malicious JavaScript skimmer. The malware forms a botnet called Stealthworker or GoBrut. It can infect both Windows and Linux machines and perform brute force attacks on targets sent by the botmaster.

Back then, we noticed a number of open directories in the C2 that revealed binaries for different architectures as well as list of targets queued for brute force attacks. What began as a simple brute forcer specifically targeting phpMyAdmin web app has updated its arsenal, turning it into a multi-service brute forcer. A tweet from another security researcher @gwillem confirms the threat that this botnet poses. 

Figure 1. Tweet from Gwillem

Given its impact, we decided to dig further in order to better understand the scale of this campaign and share our findings to the security community dealing with the same adversary.

This post shares our findings collected over the past several months (February 2019-September 2019) of monitoring this threat.

Overview

We have observed that the malware author has continued the development of its code. In fact, the new binaries now include the version info of the malware. Though there are a number of released versions, we will only focus on those versions where major functions and services were added. In summary, the earliest version was v1.5, and since then we have documented ten additional services added between then and its latest version, v3.11. 

Below are the main_init() functions of v3.11, with comments referring to the versions where particular functions were added.

Figure 2. main_init() function of v3.11

As shown above, new functions to support other services were gradually added to the malware on each release. We have already discussed some of the functions in a previous article. In summary, here is a breakdown of these functionalities.

We can categorize them into three main groups:

Table 1. Main functionalities

The table below lists the services and platforms it tries to compromise and their corresponding commands. (‘X’ means not supported.)

Table 2. List of brute force and check services

Table 3. List of other services

Table 4. Other functions

Command and Control

The C2 contains useful data, including the latest binaries, the jobs for each worker with the targeted hosts, and the credentials to be used for the brute force attack. A typical Stealthworker C2 contains the following:

  • /storage/ – open directory for latest samples
  • /project/active – C2 server assigns the bot as a specific worker
  • /gw?worker={worker} – C2 server sends the targets for that worker
Figure 3. Bot communication

Below is an example of the jobs received for worker=magentoBrt:

Figure 4. Worker as magentoBrt

Every request to this URL returns around 300 fresh jobs.

It is important to note that the targets and credentials harvested from the C2 weren’t used for a brute force attack and were only used for statistics. In fact, harvesting jobs from the C2s takes away jobs meant for the malicious bots. This result in targets being spared from what should have been a brute force attack.

Top Workers

During our monitoring we were able to intercept more than 98 million jobs, which can be attributed to the following workers: 

Figure 5. Top workers

Half of the jobs targeted the SSH service. This doesn’t come as a surprise, since SSH is typically installed on servers for administrators to remotely login. Scanning for targets that are using WordPress and Magento platforms also comprise big chunks of the jobs being executed.

Summary

  • 200 samples
  • 45 C2s
  • 98M+ jobs
  • 38M+ unique targeted hosts
  • 23 different versions
  • Earliest observed version is v1.50 and the latest is v3.11

The continuous development and appearance of new Stealthworker samples and C2s demonstrate how active the campaign is, and that more attention needs to be drawn to these sustained brute force attacks, not only for e-commerce websites but also to all possible vulnerable systems that use weak credentials.

If you want to know more on Stealthworker, we will be presenting more of our findings at the upcoming AVAR 2019 Conference held in Osaka Japan, on November 6-9. Our presentation is titled “Digital Skimmers: How crooks are spying on your online shopping”, where we will be sharing the results of our continuous effort at tracking Stealthworker, as well as interesting campaigns we found on MageCart.

Solution

Fortinet detects Stealthworker binaries as ELF/Agent.FM!tr, Linux/StealthWorker.GO!tr, W32/ StealthWorker.GO!tr variants, and blocks all mentioned C2s.

= FortiGuard Lion Team =-

IOCs

Stealthworker C2s:

https://github.com/fortiguard-lion/StealthworkerIOC/blob/master/Stealthworker_C2s.txt

Stealthworker SHA-256 hashes:

https://github.com/fortiguard-lion/StealthworkerIOC/blob/master/Stealthworker_SHA256.txt

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.