Cybersecurity researchers have found a malicious Go module that presents itself as a brute-force instrument for SSH however really comprises performance to discreetly exfiltrate credentials to its creator.
“On the primary profitable login, the package deal sends the goal IP deal with, username, and password to a hard-coded Telegram bot managed by the menace actor,” Socket researcher Kirill Boychenko stated.
The misleading package deal, named “golang-random-ip-ssh-bruteforce,” has been linked to a GitHub account known as IllDieAnyway (G3TT), which is presently now not accessible. Nonetheless, it continues to be accessible on pkg.go[.]dev. It was revealed on June 24, 2022.
The software program provide chain safety firm stated the Go module works by scanning random IPv4 addresses for uncovered SSH providers on TCP port 22, then trying to brute-force the service utilizing an embedded username-password listing and exfiltrating the profitable credentials to the attacker.
A notable side of the malware is that it intentionally disables host key verification by setting “ssh.InsecureIgnoreHostKey” as a HostKeyCallback, thereby permitting the SSH shopper to just accept connections from any server no matter their identification.
The wordlist is pretty simple, together with solely two usernames root and admin, and pairing them towards weak passwords like root, take a look at, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.
The malicious code runs in an infinite loop to generate the IPv4 addresses, with the package deal trying concurrent SSH logins from the wordlist.
The small print are transmitted to a menace actor-controlled Telegram bot named “@sshZXC_bot” (ssh_bot) by way of the API, which then acknowledges the receipt of the credentials. The messages are despatched by the bot to an account with the deal with “@io_ping” (Gett).
An Web Archive snapshot of the now-removed GitHub account reveals that IllDieAnyway, aka G3TT’s software program portfolio, included an IP port scanner, an Instagram profile data and media parser, and even a PHP-based command-and-control (C2) botnet known as Selica-C2.
Their YouTube channel, which stays accessible, hosts varied short-form movies on “The best way to hack a Telegram bot” and what they declare to be the “strongest SMS bomber for the Russian Federation,” which may ship spam SMS texts and messages to VK customers utilizing a Telegram bot. It is assessed that the menace actor is of Russian origin.
“The package deal offloads scanning and password guessing to unwitting operators, spreads danger throughout their IPs, and funnels the successes to a single menace actor-controlled Telegram bot,” Boychenko stated.
“It disables host key verification, drives excessive concurrency, and exits after the primary legitimate login to prioritize fast seize. As a result of the Telegram Bot API makes use of HTTPS, the site visitors appears like regular net requests and may slip previous coarse egress controls.”
