Uncovering a Malicious Go Module Designed for SSH Brute-Force Attacks
Cybersecurity experts have recently identified a malicious Go module that presents itself as a tool for brute-forcing SSH connections. Beyond that stated purpose, the module stealthily exfiltrates every credential it captures to its creator, a further example of the supply chain risk carried by unvetted third-party packages.
How the Deceptive Module Works
The malicious package, identified as golang-random-ip-ssh-bruteforce, was associated with a now-inaccessible GitHub account named IllDieAnyway (G3TT). Although the account has been taken down, the module remains accessible on pkg.go[.]dev. First published on June 24, 2022, this software has raised alarms within the cybersecurity community.
Upon execution, the module scans random IPv4 addresses for exposed SSH services, specifically targeting TCP port 22. It then attempts to brute-force these services using a pre-embedded list of usernames and passwords, discreetly sending any successful login credentials to a Telegram bot controlled by the threat actor.
Key Features and Risks
One significant aspect of this Go module is its disregard for host key verification. By configuring ssh.InsecureIgnoreHostKey as the HostKeyCallback, the tool accepts whatever key any server presents, circumventing the standard check that lets an SSH client distinguish a genuine server from an impostor. Any client built the same way will hand its credentials to whichever host answers on the port.
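To make the host key point concrete, here is an added example (not code from the article or from the malicious module) that contrasts the accept-anything callback the module uses with a pinned-fingerprint callback of the kind a known_hosts file provides. It mirrors the shape of ssh.HostKeyCallback from golang.org/x/crypto/ssh but, as an assumption made so it runs with the standard library alone, takes the key as its marshaled bytes rather than an ssh.PublicKey; the host name, address and key bytes are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
)

// HostKeyCallback has the shape of ssh.HostKeyCallback from golang.org/x/crypto/ssh,
// except that the key arrives as its marshaled bytes instead of an ssh.PublicKey
// (an assumption made so this example needs only the standard library).
type HostKeyCallback func(hostname string, remote net.Addr, marshaledKey []byte) error

var (
	ErrUnknownHost = errors.New("host key verification failed: no pinned key for host")
	ErrKeyMismatch = errors.New("host key verification failed: presented key does not match pin")
)

// Fingerprint renders a marshaled key in the "SHA256:<base64>" form used by
// OpenSSH and by ssh.FingerprintSHA256.
func Fingerprint(marshaledKey []byte) string {
	sum := sha256.Sum256(marshaledKey)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// InsecureIgnoreHostKey does what the module's configuration does: every key
// from every host is accepted, so an impostor server is indistinguishable from
// the real one.
func InsecureIgnoreHostKey() HostKeyCallback {
	return func(string, net.Addr, []byte) error { return nil }
}

// PinnedHostKeys is the hardened alternative: accept a key only if its
// fingerprint equals the pin recorded for that hostname, refusing both unknown
// hosts and hosts whose key has changed (the known_hosts behaviour).
func PinnedHostKeys(pins map[string]string) HostKeyCallback {
	return func(hostname string, remote net.Addr, marshaledKey []byte) error {
		want, ok := pins[hostname]
		if !ok {
			return fmt.Errorf("%w: %s (%v)", ErrUnknownHost, hostname, remote)
		}
		if got := Fingerprint(marshaledKey); got != want {
			return fmt.Errorf("%w: %s (%v) expected %s got %s", ErrKeyMismatch, hostname, remote, want, got)
		}
		return nil
	}
}

// Constructed stand-ins for marshaled public keys; real ones are the wire
// encoding of the server's key.
var (
	genuineKey  = []byte("constructed-genuine-host-key-bytes")
	impostorKey = []byte("constructed-impostor-host-key-bytes")
)

func main() {
	remote := &net.TCPAddr{IP: net.ParseIP("192.0.2.10"), Port: 22}
	pins := map[string]string{"bastion.example": Fingerprint(genuineKey)}

	insecure := InsecureIgnoreHostKey()
	pinned := PinnedHostKeys(pins)

	fmt.Println("insecure, impostor key:", insecure("bastion.example", remote, impostorKey)) // <nil>: silently accepted
	fmt.Println("pinned, genuine key:  ", pinned("bastion.example", remote, genuineKey))     // <nil>
	fmt.Println("pinned, impostor key: ", pinned("bastion.example", remote, impostorKey))   // mismatch error
	fmt.Println("pinned, unknown host: ", pinned("other.example", remote, genuineKey))      // unknown host error
}
```

In a real client the pinned callback is what a knownhosts-backed HostKeyCallback enforces; the defensive check when reviewing Go code that dials SSH is simply to search for InsecureIgnoreHostKey and require a justification for every occurrence.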
The embedded wordlist is notably simple, featuring common usernames such as root and admin and pairing them with weak passwords like password, test, admin, and 12345678. This reliance on easily guessable credentials increases the likelihood of successful breaches, putting numerous systems at risk.
Continuous Operation
The malicious code operates in an infinite loop, generating IPv4 addresses, while concurrently attempting SSH logins using its predefined wordlist. Each time credentials are successfully captured, they are sent to a Telegram bot identified as @sshZXC_bot. This method not only consolidates successful logins to a single point but also obscures the attack patterns, making detection more difficult.
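The loop described above leaves a characteristic trace on every target: a burst of failed password attempts for a handful of common accounts from one source, sometimes followed by a success. The following added example (not code from the article or from the module) is the detection logic a defender would run over sshd authentication logs; the log lines are constructed sample input and the threshold of five failures is an assumed tuning value.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd log excerpt used as sample input (not taken from the article).
// One source works through common accounts and finally succeeds, a second fails
// twice, and a third logs in normally with a key.
const sampleAuthLog = `Aug 10 12:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 10 12:00:02 bastion sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Aug 10 12:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Aug 10 12:00:04 bastion sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Aug 10 12:00:05 bastion sshd[1205]: Failed password for invalid user user from 203.0.113.7 port 51026 ssh2
Aug 10 12:00:06 bastion sshd[1206]: Failed password for root from 203.0.113.7 port 51027 ssh2
Aug 10 12:00:07 bastion sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 51028 ssh2
Aug 10 12:00:08 bastion sshd[1208]: Failed password for root from 203.0.113.7 port 51029 ssh2
Aug 10 12:00:09 bastion sshd[1209]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Aug 10 12:01:00 bastion sshd[1250]: Failed password for root from 192.0.2.9 port 60001 ssh2
Aug 10 12:01:01 bastion sshd[1251]: Failed password for root from 192.0.2.9 port 60002 ssh2
Aug 10 12:05:00 bastion sshd[1300]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2`

// authLine matches sshd's "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" messages.
var authLine = regexp.MustCompile(`sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+`)

// SourceStats aggregates authentication outcomes for one client address.
type SourceStats struct {
	Failures         int
	Users            map[string]bool
	SuccessAfterFail bool   // an Accepted event arrived after earlier failures
	SuccessUser      string // account that was eventually accepted
}

// AnalyzeAuthLog folds the log into per-source statistics.
func AnalyzeAuthLog(logText string) map[string]*SourceStats {
	stats := make(map[string]*SourceStats)
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := authLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		outcome, user, src := m[1], m[2], m[3]
		s := stats[src]
		if s == nil {
			s = &SourceStats{Users: make(map[string]bool)}
			stats[src] = s
		}
		s.Users[user] = true
		if outcome == "Failed" {
			s.Failures++
		} else if s.Failures > 0 {
			s.SuccessAfterFail = true
			s.SuccessUser = user
		}
	}
	return stats
}

// Finding is one alert: a source that crossed the failure threshold, raised to
// critical when the guessing ended in an accepted login.
type Finding struct {
	Source   string
	Failures int
	Users    []string
	Severity string
}

// SuspiciousSources applies the threshold and returns findings sorted by source.
func SuspiciousSources(stats map[string]*SourceStats, threshold int) []Finding {
	var out []Finding
	for src, s := range stats {
		if s.Failures < threshold && !s.SuccessAfterFail {
			continue
		}
		users := make([]string, 0, len(s.Users))
		for u := range s.Users {
			users = append(users, u)
		}
		sort.Strings(users)
		sev := "medium"
		if s.SuccessAfterFail {
			sev = "critical"
		}
		out = append(out, Finding{Source: src, Failures: s.Failures, Users: users, Severity: sev})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

func main() {
	for _, f := range SuspiciousSources(AnalyzeAuthLog(sampleAuthLog), 5) {
		fmt.Printf("[%s] %s: %d failures, accounts tried: %s\n", f.Severity, f.Source, f.Failures, strings.Join(f.Users, ","))
	}
}
```

The success-after-failures rule is the one worth keeping even where the raw failure count is noisy: an accepted password login from a source that was just rejected repeatedly is exactly the event this module reports to its operator.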
The Threat Actor’s Profile
A look at historical snapshots of the now-removed GitHub account reveals additional projects linked to the threat actor. These include an IP port scanner and a PHP-based command-and-control (C2) botnet named Selica-C2. Furthermore, the creator’s YouTube channel contains various tutorials on malicious activities, such as hacking Telegram bots and deploying SMS spammers—many of which emphasize targeting specific regions like the Russian Federation.
Experts speculate that the threat actor may have origins in Russia, given the nature of the content being promoted. Kirill Boychenko, a researcher at Socket, pointed out that the module effectively offloads the computational burden of scanning and password guessing onto unsuspecting operators. This strategy not only distributes the threat across numerous IP addresses but also enhances the likelihood of successful breaches.
Evasion Techniques
An additional layer of sophistication in this attack is the use of the Telegram Bot API, which operates over HTTPS. This encryption can enable the malicious traffic to appear as legitimate web requests, thereby bypassing more basic egress control measures that organizations may have in place.
Boychenko emphasized how the design of this Go module prioritizes efficiency and speed. It limits the exposure risk to a single threat actor-controlled Telegram bot, allows for high concurrency during attacks, and exits after capturing the first valid login, all while evading detection mechanisms.
Conclusion
The discovery of the golang-random-ip-ssh-bruteforce module serves as a pressing reminder of the supply chain risk of pulling unvetted third-party packages into a build. As cybersecurity threats continue to evolve, staying informed about such malicious tools becomes essential for protecting infrastructures and sensitive data.