A sophisticated supply chain attack has emerged, targeting developers through a malicious Go module package that masquerades as a legitimate SSH brute-forcing tool while covertly exfiltrating credentials for cybercriminal operations.
Introduction
In the ever-evolving landscape of cybersecurity threats, a new and insidious attack vector has been identified. Cybercriminals have developed a malicious Go module package named golang-random-ip-ssh-bruteforce, which presents itself as a fast SSH brute-forcing tool. However, beneath its seemingly benign exterior lies a covert mechanism designed to steal successful login credentials and transmit them to a Telegram bot controlled by threat actors.
The Malicious Package: An Overview
The golang-random-ip-ssh-bruteforce package operates by continuously scanning random IPv4 addresses for exposed SSH services on TCP port 22. It attempts authentication using an embedded username-password wordlist and immediately transmits any successful credentials to its operators. This deceptive approach exploits the trust developers place in open-source packages, turning their security assessments into unwitting contributions to cybercriminal activities.
Discovery and Analysis
Analysts at Socket.dev identified the malicious behavior embedded within this seemingly legitimate security tool. Their investigation revealed that the package has been active since June 24, 2022. Upon the first successful SSH login, the package automatically sends the target IP address, username, and password to a hardcoded Telegram bot endpoint controlled by a Russian-speaking threat actor known as IllDieAnyway on GitHub.
Technical Implementation and Evasion Mechanisms
The malware’s technical implementation demonstrates sophisticated evasion tactics designed to maintain operational security while maximizing credential collection. The package includes a deliberately minimal wordlist containing only common default credentials such as root:toor, admin:password, and IoT-specific combinations like root:raspberry and root:dietpi. This approach reduces network noise and speeds up the scanning process while maintaining plausible deniability for its operators.
The core malicious functionality centers around a hardcoded Telegram API endpoint: `https://api.telegram.org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage`. When successful authentication occurs, the package executes an HTTP GET request to this endpoint, transmitting the compromised credentials in the format ip:username:password to chat ID 1159678884, associated with the Telegram user @io_ping.
The malware deliberately configures SSH connections with `HostKeyCallback: ssh.InsecureIgnoreHostKey()` to bypass server verification and enable rapid credential testing across diverse targets.
Implications for Developers and Security Professionals
This attack vector exploits the trust relationship between developers and open-source packages, representing a growing trend of malicious actors distributing offensive security tools with backdoor functionality. Users who download and execute the package inadvertently become unwitting participants in a larger credential harvesting operation, with their successful penetration attempts being redirected to criminal networks rather than serving their intended security assessment purposes.
Recommendations for Mitigation
To protect against such threats, developers and security professionals should adopt the following practices:
1. Vigilant Package Evaluation: Thoroughly assess the credibility and security of open-source packages before integration.
2. Code Review: Conduct comprehensive code reviews to identify hidden malicious functionalities.
3. Network Monitoring: Implement robust network monitoring to detect unauthorized data exfiltration attempts.
4. Credential Management: Use strong, unique passwords and consider implementing multi-factor authentication to enhance security.
5. Stay Informed: Keep abreast of emerging threats and vulnerabilities within the cybersecurity landscape.
Conclusion
The discovery of the golang-random-ip-ssh-bruteforce package underscores the critical importance of vigilance in the cybersecurity domain. As threat actors continue to devise more sophisticated methods to exploit trust and infiltrate systems, it is imperative for developers and security professionals to remain proactive, ensuring the integrity and security of their tools and practices.
