
SSH Credentials Compromised by Deceptive Go Module Using Telegram Bot

SSH Credentials Stolen by Deceptive Go Module

Cybersecurity researchers have uncovered a malicious Go module, disguised as an SSH brute-force tool, that secretly steals user credentials and transmits them to a Telegram bot. The module, named "golang-random-ip-ssh-bruteforce," was published on June 24, 2022, and remains accessible on pkg.go.dev despite the associated GitHub account being taken offline.

Key Takeaways

  • A malicious Go module impersonates an SSH brute-force tool.

  • It exfiltrates stolen credentials to a Telegram bot controlled by the attacker.

  • The module disables SSH host key verification for easier access.

  • The attacker is believed to be of Russian origin.

How the Attack Works

The deceptive package scans random IPv4 addresses for exposed SSH services on TCP port 22. It then attempts to brute-force logins using a predefined list of common usernames and weak passwords. Upon a successful login, the module immediately sends the target's IP address, username, and password to a Telegram bot, identified as "@sshZXC_bot," which is controlled by the threat actor.

Technical Details and Tactics

A notable feature of this malware is that it disables SSH host key verification in its client configuration. The SSH client therefore accepts a connection from any server regardless of the server's identity, which the researchers say makes the attack more stealthy. The password list is basic: common passwords such as "root," "password," "12345678," and "qwerty" paired with the usernames "root" and "admin."

The module operates in an infinite loop, generating IPv4 addresses and attempting concurrent SSH logins. To evade detection, it exits immediately after the first successful credential capture. The data exfiltration occurs over HTTPS via the Telegram Bot API, making the traffic appear as normal web requests and potentially bypassing network security controls.
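As an added example (not code from the article or from the module it describes), the following Go check scans a dependency's source text for the two traits described above: host key verification switched off with `ssh.InsecureIgnoreHostKey()` from golang.org/x/crypto/ssh, and a call to the Telegram Bot API. The regex patterns and both sample inputs are this example's own constructions, not signatures or code from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one indicator matched in a module's source text.
type Finding struct {
	Rule string
	Line int // 1-based line number in the scanned source
}

// indicatorRules tie the two behaviours the article describes to source patterns.
// The regexes are this example's own choices, not signatures from the report.
var indicatorRules = []struct {
	name string
	re   *regexp.Regexp
}{
	// Host key verification disabled: the client accepts any server identity.
	{"ssh-hostkey-check-disabled", regexp.MustCompile(`ssh\.InsecureIgnoreHostKey\(`)},
	// Exfiltration path: an HTTPS request to the Telegram Bot API.
	{"telegram-bot-api-call", regexp.MustCompile(`api\.telegram\.org/bot`)},
}

// AuditGoSource scans Go source (as text) and returns every indicator hit,
// so a dependency review can flag the combination before the code is built.
func AuditGoSource(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, rule := range indicatorRules {
			if rule.re.MatchString(line) {
				findings = append(findings, Finding{Rule: rule.name, Line: i + 1})
			}
		}
	}
	return findings
}

// Constructed sample mirroring the behaviour described in the article; not the module's real code.
const suspiciousSample = `cfg := &ssh.ClientConfig{User: user, Auth: []ssh.AuthMethod{ssh.Password(pw)},
	HostKeyCallback: ssh.InsecureIgnoreHostKey()}
client, err := ssh.Dial("tcp", ip+":22", cfg)
resp, err := http.Get("https://api.telegram.org/bot" + token + "/sendMessage")`

// Constructed benign sample: host keys pinned through a known_hosts file instead.
const benignSample = `cb, _ := knownhosts.New("/etc/ssh/ssh_known_hosts")
cfg := &ssh.ClientConfig{User: user, HostKeyCallback: cb}`

func main() {
	for _, f := range AuditGoSource(suspiciousSample) {
		fmt.Printf("suspicious sample line %d: %s\n", f.Line, f.Rule)
	}
	fmt.Printf("benign sample findings: %d\n", len(AuditGoSource(benignSample)))
}
```

Either indicator alone is weak evidence (legitimate scanners disable host key checks and legitimate bots talk to Telegram); the two together inside an "SSH tool" are what merit a manual read before the module is pulled in.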

Attacker Profile and Past Activities

Records indicate the developer behind this module, associated with the GitHub account "IllDieAnyway," has a history of releasing other tools. These include an IP port scanner, an Instagram profile and media parser, and a PHP-based command-and-control botnet named Selica-C2. Their online presence also features content related to hacking Telegram bots and creating SMS bombers targeting users in the Russian Federation, suggesting the attacker is likely of Russian origin.

Supply Chain Risks

This incident highlights the significant risks associated with software supply chain security. Developers who unknowingly incorporate such compromised modules into their projects can inadvertently expose sensitive credentials. The use of HTTPS for data exfiltration further complicates detection, posing a substantial threat to organizations relying on third-party code.

Sources

  • Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot, The Hacker News.

  • Go Program Cheats Users, Steals Login Details and Shares with Hackers, The420.in.

  • Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot, LinkedIn.
