Servers are being targeted with a malware attack that uses its infected hosts to brute-force other machines.
Known to Akamai researchers as Stealthworker, the infection preys on weak passwords then uses a massive arsenal of malware to overtake Windows and Linux servers running popular CMS, publishing, and hosting tools.
Akamai senior security researcher Larry Cashdollar (yes, that is his last name, and yes, he is tired of that joke) discovered the attack while operating an intentionally exposed WordPress/MySQL container that for some reason was dealing in massive amounts of traffic.
“I log into the system and I see a ton of connections between my system and dozens of WP sites around the internet,” Cashdollar told The Register.
“I notice the traffic is WordPress login attempts, my system is attempting to log into their WordPress login page with a bunch of credentials.”
While combing through the log files of the obviously compromised virtual box, he stumbled upon a suspicious WordPress theme that contained a PHP file modified to install the malware.
Eventually, Cashdollar told El Reg, he was able to capture the malware in action and observe its entire life cycle, from introduction to complete server takeover.
Here’s how it works. Stealthworker begins with a distributed brute-force attack: each infected machine sends the target a handful of login attempts drawn from a list of common passwords. Spreading the attempts across many source addresses keeps each one below the per-IP rate limits and lockout thresholds that a single-source brute force would trip, even though the target as a whole is seeing a flood of failed logins.
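The flip side of that evasion is that it is visible from the target: a per-IP lockout rule never fires, but the site sees far more failed logins, from far more addresses, than any legitimate minute would produce. The following detection logic is an added example, not Akamai's tooling or anything from the original article. It parses Apache combined-format access log lines (constructed here to look like an attacked WordPress host), treats a `200` answer to a `POST /wp-login.php` as a failed login (WordPress re-renders the form) and a `302` as a success (redirect to wp-admin), and flags a window in which many distinct sources each stay under the lockout threshold. The window length and thresholds are assumptions to tune per site.

```python
"""Spot a distributed brute force against wp-login.php in Apache access logs.

Added example, not code from Akamai or The Register. Log lines are
constructed in Apache combined format; window and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined format, e.g.
# 198.51.100.10 - - [10/Mar/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log():
    """Build a constructed sample: eight bots, three guesses each, then one success.

    Each bot stays under a typical per-IP lockout (5 failures), which is the
    point of spreading the attack; the target still records 24 failures.
    """
    t = datetime(2019, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = [f'203.0.113.5 - - [{t.strftime(TS_FMT)}] "GET /index.php HTTP/1.1" 200 5120']
    for i in range(8):
        ip = f"198.51.100.{10 + i}"
        for _ in range(3):
            t += timedelta(seconds=2)
            lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "POST /wp-login.php HTTP/1.1" 200 3200')
    # WordPress answers a correct password with a 302 to wp-admin.
    t += timedelta(seconds=2)
    lines.append(f'198.51.100.17 - - [{t.strftime(TS_FMT)}] "POST /wp-login.php HTTP/1.1" 302 0')
    return "\n".join(lines)


def login_events(log_text):
    """Return (timestamp, ip, status) for POSTs to wp-login.php, in time order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == "/wp-login.php":
            events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"])))
    return sorted(events)


def analyze(log_text, window=timedelta(minutes=5), per_ip_lockout=5,
            min_sources=5, min_failures=20):
    """Find the busiest window of failed logins and decide whether it looks distributed.

    A failure is a 200 (form re-rendered); a 302 from an IP that failed
    earlier means a password was guessed from that IP.
    """
    events = login_events(log_text)
    fails = [(ts, ip) for ts, ip, st in events if st == 200]
    failed_ips, guessed_from = set(), []
    for ts, ip, st in events:
        if st == 200:
            failed_ips.add(ip)
        elif st == 302 and ip in failed_ips:
            guessed_from.append(ip)

    # Sliding window over failures: total failures, distinct sources, and the
    # busiest single source inside the window.
    best = {"failures": 0, "sources": 0, "max_per_ip": 0}
    in_window = defaultdict(int)
    start = 0
    for end, (ts, ip) in enumerate(fails):
        in_window[ip] += 1
        while fails[start][0] < ts - window:
            old = fails[start][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if end - start + 1 > best["failures"]:
            best = {"failures": end - start + 1, "sources": len(in_window),
                    "max_per_ip": max(in_window.values())}

    # Distributed: many failures, many sources, and nobody tripping the per-IP rule.
    best["distributed"] = (best["failures"] >= min_failures
                           and best["sources"] >= min_sources
                           and best["max_per_ip"] < per_ip_lockout)
    best["guessed_from"] = guessed_from
    return best


if __name__ == "__main__":
    print(analyze(constructed_log()))
```

The useful signal is the combination: a per-IP counter alone sees nothing here, so the rule aggregates over the whole site and only then asks whether the load is spread thinly. The `guessed_from` list is what an incident responder wants first, since a 302 following failures from the same source is the moment the password fell.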
Once the admin password is guessed (in this case for WordPress, though Stealthworker also targets Drupal, Joomla, Magento, MySQL, and a host of others), the malware runs through a sequence of installing and deleting components. For WordPress, a modified copy of the Alternate-Lite theme carries the first stage, which fetches downloaders that target the back end and attempt to take over the whole server through hosting control panels such as cPanel and WHM.
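Because the first stage rides in on a modified theme file, the quickest way to find it after the fact is an integrity check on `wp-content/themes`: hash every file against a baseline taken when the site was known-good, then read whatever was added or changed. The script below is an added example, not Akamai's tooling or code from the article. It builds a throw-away theme directory, baselines it, tampers with it the way a theme-borne dropper would (an `eval(base64_decode(...))` stub prepended to `functions.php` and a new PHP file dropped beside it), and reports the difference; the theme contents and the injected lines are constructed, and the list of "suspicious" PHP calls is an assumption that should prompt a read of the file, not stand as proof on its own.

```python
"""Catch a tampered theme file by diffing a SHA-256 manifest of a theme directory.

Added example, not Akamai's tooling. Builds a throw-away theme, baselines it,
tampers with it the way a dropper would, and reports the difference. File
names, contents and the injected lines are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Calls a legitimate theme rarely needs; a hit is a reason to read the file, not proof.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|system|shell_exec|passthru)\s*\(")


def manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare(baseline, current, root):
    """Return added/modified/removed paths plus suspicious calls in changed PHP files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    flagged = {}
    for rel in added + modified:
        if rel.endswith(".php"):
            text = (Path(root) / rel).read_text(errors="replace")
            calls = sorted(set(SUSPICIOUS.findall(text)))
            if calls:
                flagged[rel] = calls
    return {"added": added, "modified": modified, "removed": removed, "flagged": flagged}


def demo():
    """Build a constructed theme, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "alternate-lite"
        theme.mkdir()
        (theme / "style.css").write_text("/* Theme Name: Example */\n")
        (theme / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
        (theme / "index.php").write_text("<?php get_header(); get_footer();\n")
        baseline = manifest(theme)

        # Constructed tampering: a decode-and-eval stub prepended to functions.php
        # (the base64 is just 'phpinfo();') and a new file dropped next to it.
        original = (theme / "functions.php").read_text()
        (theme / "functions.php").write_text(
            "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>\n" + original)
        (theme / "dropper.php").write_text("<?php system($_GET['c']); ?>\n")

        return compare(baseline, manifest(theme), theme)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is taken from a fresh install or from the theme's upstream release, stored off the web host (a compromised server can rewrite its own baseline), and the diff is run on a schedule; the grep for `eval`/`base64_decode` is only there to prioritise which of the changed files to read first.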
The end result is a fully pwned Windows or Linux server at the command of the botnet owner. Akamai researchers say that when their infected test systems were wiped clean of the malware itself, the botnet would reinfect those machines within minutes. It was only when passwords were changed that the infection could be eradicated once and for all.
Eventually the server is instructed to dial its command-and-control host, which tells it to join the other bots in brute-forcing the passwords of further machines. In the process, we are told, all passwords harvested from the pwned machine are added to the list of logins the botnet tries against other targets.
Other than attempting to assimilate other servers, the intent behind the Stealthworker malware is not really clear. There is also little indication of how many people are using it; it could be one large operation, or several groups with the same tools.
Akamai researcher Steve Ragan notes that while there is some indication that card-skimming tools such as Magecart could be deployed on the servers, the full control the malware affords the attacker opens the door to just about any sort of malicious venture.
“What they get is this broad network of vulnerable servers and websites they can use for anything,” Ragan explained.
“The endgame is pretty much whatever the attacker feels like doing.”
While the Stealthworker attack is a nasty one and difficult to fully remove, the fix is rather simple. Akamai recommends that admins make sure all of their passwords are complex and difficult to guess. As the attack preys on weak credentials, that one step closes its only way in; and since the botnet reuses harvested credentials and reinfects cleaned hosts within minutes, every password on a compromised server needs to be changed, not just the one that was guessed. ®