Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator.
“On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor,” Socket researcher Kirill Boychenko said.
The deceptive package, named “golang-random-ip-ssh-bruteforce,” has been linked to a GitHub account called IllDieAnyway (G3TT), which is currently no longer accessible. However, it continues to be available on pkg.go[.]dev. It was published on June 24, 2022.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The software supply chain security company said the Go module works by scanning random IPv4 addresses for exposed SSH services on TCP port 22, then attempting to brute-force the service using an embedded username-password list and exfiltrating the successful credentials to the attacker.
A notable aspect of the malware is that it deliberately disables host key verification by setting “ssh.InsecureIgnoreHostKey” as a HostKeyCallback, thereby allowing the SSH client to accept connections from any server regardless of their identity.
The wordlist is fairly straightforward, including only two usernames root and admin, and pairing them against weak passwords like root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.
The malicious code runs in an infinite loop to generate the IPv4 addresses, with the package attempting concurrent SSH logins from the wordlist.
The details are transmitted to a threat actor-controlled Telegram bot named “@sshZXC_bot” (ssh_bot) via the API, which then acknowledges the receipt of the credentials. The messages are sent through the bot to an account with the handle “@io_ping” (Gett).
An Internet Archive snapshot of the now-removed GitHub account shows that IllDieAnyway, aka G3TT’s software portfolio, included an IP port scanner, an Instagram profile info and media parser, and even a PHP-based command-and-control (C2) botnet called Selica-C2.
Their YouTube channel, which remains accessible, hosts various short-form videos on “How to hack a Telegram bot” and what they claim to be the “most powerful SMS bomber for the Russian Federation,” which can send spam SMS texts and messages to VK users using a Telegram bot. It’s assessed that the threat actor is of Russian origin.
“The package offloads scanning and password guessing to unwitting operators, spreads risk across their IPs, and funnels the successes to a single threat actor-controlled Telegram bot,” Boychenko said.
“It disables host key verification, drives high concurrency, and exits after the first valid login to prioritize quick capture. Because the Telegram Bot API uses HTTPS, the traffic looks like normal web requests and can slip past coarse egress controls.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets