The six methods are four exploits targeting Web applications — two targeting ThinkPHP, one each targeting Drupal and Atlassian's Confluence — plus enumeration of SSH credentials and enumeration of credentials for the open-source in-memory data structure store Redis. The malware then uses the computing power on the server for mining the Monero cryptocurrency.
Once the malware has gained access, it attempts to spread by using SSH keys on the server it has infected.
The malware, which F5 did not name, takes advantage of vulnerabilities in ThinkPHP, Drupal or Atlassian's Confluence once it has gained entry to the server.
The malware uses several sets of hardcoded credentials to try to guess its way into the servers.
"Malicious actors are beginning to turn to Golang as a malware language since it is not typically picked up by antivirus software," the trio wrote.
"Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware."
Redis is generally not part of any Linux distribution and has to be installed from third-party repositories. It runs on OS X as well and is developed on both Linux and OS X. It is not officially supported on Windows but Microsoft develops and maintains a Win-64 port.
The main aim of the malware is to mine Monero, but it also has methods to ensure persistence and avoid detection.