Malicious Go Module Impersonates Crypto Library to Steal Passwords, Deploy Linux Backdoor Rekoobe

Cybersecurity researchers have uncovered a deceptive Go module that poses as a legitimate cryptographic library while secretly harvesting passwords and installing a persistent backdoor on Linux systems. The malicious package, github[.]com/xinfeisoft/crypto, impersonates the authentic golang.org/x/crypto module, the trusted source of supplementary cryptographic packages for Go programs.

The threat actor behind this scheme exploits namespace confusion by creating a repository path strikingly similar to the legitimate one. The aim is to trick developers into pulling the malicious module into their projects and thereby compromising their own systems. The legitimate Go cryptographic library is hosted at go.googlesource.com/crypto, with a mirror on GitHub at github.com/golang/crypto. By copying this layout (a GitHub organization followed by a repository named crypto), the attacker increases the odds of the malicious module being mistaken for the genuine one.

The malicious code is embedded within the ssh/terminal/terminal.go file of the counterfeit module. Specifically, it hooks into the ReadPassword() function, which is typically used to securely read user input without displaying it on the screen. Whenever this function is invoked, the malicious code captures the entered passwords and transmits them to a remote server controlled by the attacker.

Upon successful exfiltration of credentials, the module proceeds to download and execute a shell script from an external source. This script performs several actions to establish persistent access and further compromise the system:

1. SSH Key Injection: The script appends the attacker’s SSH public key to the /home/ubuntu/.ssh/authorized_keys file. This grants the attacker remote SSH access to the system without needing the victim’s password.

2. Firewall Modification: It modifies the system’s firewall settings by setting the default policies of iptables to ACCEPT. This change effectively disables firewall protections, leaving the system vulnerable to additional attacks.

3. Payload Retrieval: The script downloads additional payloads from a remote server, disguising them with a .mp5 extension to evade detection.

Among the downloaded payloads is a program that tests internet connectivity and attempts to communicate with a specific IP address (154.84.63[.]184) over TCP port 443. This program likely serves as a reconnaissance tool or loader for subsequent malicious activities.
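The three script actions described above leave host-level traces that a responder can check for directly: an extra entry in authorized_keys, inbound iptables chains whose default policy is ACCEPT, and files carrying the unusual .mp5 extension. The Go program below is an added example written for this article, not code from the report or from any tool it names. It runs those checks over constructed inputs standing in for the contents of /home/ubuntu/.ssh/authorized_keys, the output of `iptables -S`, and a directory listing; the key blobs, file names and the allowlist of expected keys are made up, while the .mp5 extension and the ACCEPT policy come from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed authorized_keys content as it might look after an extra key has
// been appended. Both key blobs are made up for the example.
const sampleAuthorizedKeys = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyForDemo00000000000 admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCConstructedUnknownKeyAppendedByScript00 root@unknown
`

// Keys the host is expected to carry, as "<type> <blob>" with the comment dropped.
var expectedKeys = map[string]bool{
	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyForDemo00000000000": true,
}

// Constructed `iptables -S` output after the default policies were opened.
const sampleIptables = `-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
`

// Constructed listing of a staging directory.
var sampleFiles = []string{"/tmp/update.mp5", "/tmp/.cache/sys.mp5", "/tmp/notes.txt"}

// Key types accepted in authorized_keys; used to locate the key inside a line
// that may start with options such as command="...".
var keyTypes = map[string]bool{
	"ssh-rsa": true, "ssh-ed25519": true,
	"ecdsa-sha2-nistp256": true, "ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true,
}

// keyID returns "<type> <blob>" for an authorized_keys line, skipping leading
// options and dropping the trailing comment.
func keyID(line string) (string, bool) {
	f := strings.Fields(line)
	for i := 0; i+1 < len(f); i++ {
		if keyTypes[f[i]] {
			return f[i] + " " + f[i+1], true
		}
	}
	return "", false
}

// unknownKeys returns the key IDs present in the file but absent from expected.
func unknownKeys(authorizedKeys string, expected map[string]bool) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(authorizedKeys))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if id, ok := keyID(line); ok && !expected[id] {
			out = append(out, id)
		}
	}
	return out
}

// acceptPolicies returns the inbound chains (INPUT, FORWARD) whose default
// policy is ACCEPT in `iptables -S` output. OUTPUT is not reported because an
// ACCEPT default there is normal on most hosts.
func acceptPolicies(iptablesS string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(iptablesS))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == "-P" && f[2] == "ACCEPT" && (f[1] == "INPUT" || f[1] == "FORWARD") {
			out = append(out, f[1])
		}
	}
	return out
}

// filesWithExt returns the paths ending in the given extension, case-insensitively.
func filesWithExt(paths []string, ext string) []string {
	var out []string
	for _, p := range paths {
		if strings.HasSuffix(strings.ToLower(p), strings.ToLower(ext)) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	for _, k := range unknownKeys(sampleAuthorizedKeys, expectedKeys) {
		fmt.Println("unexpected authorized key:", k)
	}
	for _, c := range acceptPolicies(sampleIptables) {
		fmt.Println("default policy ACCEPT on chain:", c)
	}
	for _, p := range filesWithExt(sampleFiles, ".mp5") {
		fmt.Println("file with .mp5 extension:", p)
	}
}
```

On a live host the three constants would be replaced by the file contents, the command output and a directory walk; the comparison logic stays the same. Matching keys by type and blob rather than by whole line means a renamed comment cannot hide an injected key.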

The most concerning payload is the Rekoobe backdoor, a known Linux trojan that has been active since at least 2015. Rekoobe is capable of receiving commands from an attacker-controlled server to download more payloads, steal files, and execute a reverse shell, providing the attacker with extensive control over the compromised system. Notably, Rekoobe has been utilized by Chinese nation-state groups, such as APT31, as recently as August 2023.

The Go security team has taken steps to block the malicious github[.]com/xinfeisoft/crypto module. However, the package remains listed on pkg.go.dev, so developers must still exercise caution and verify the authenticity of modules before integrating them.

This incident underscores the growing threat of supply chain attacks, where malicious code is introduced into software dependencies to compromise systems downstream. Developers are advised to:

– Verify Module Authenticity: Always check the publisher’s history and repository links before integrating third-party modules.

– Regularly Audit Dependencies: Conduct periodic reviews of all dependencies to identify and remove any that are unnecessary or potentially harmful.

– Implement Strict Access Controls: Ensure that private keys and sensitive information are protected with stringent access controls to prevent unauthorized access.

– Monitor Outbound Connections: Be vigilant for unusual outbound connections, especially those involving sensitive data, as they may indicate exfiltration attempts.

By adopting these practices, developers can mitigate the risk of falling victim to similar supply chain attacks in the future.
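The namespace confusion described at the start of the article, and the "Verify Module Authenticity" recommendation above, lend themselves to an automated check over a project's go.mod: any required module whose last path element matches a golang.org/x library but whose full path differs deserves a second look. The Go program below is an added example written for this article, not code from the report or from the Go project. The go.mod it parses is constructed (the xinfeisoft path is the one named in the report; the versions are made up), and the table of canonical golang.org/x paths is an assumed sample rather than the full list.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Constructed go.mod for the demonstration. The xinfeisoft path is the one
// named in the report; versions are made up.
const sampleGoMod = `module example.com/app

go 1.21

require (
	golang.org/x/crypto v0.17.0
	github.com/xinfeisoft/crypto v0.0.0-20230901000000-abcdef123456
	github.com/golang/crypto v0.0.0-20230901000000-abcdef123456 // indirect
	github.com/spf13/cobra v1.8.0
)
`

// Assumed sample of canonical golang.org/x module paths keyed by their last
// path element. A real check would carry the full list.
var canonical = map[string]string{
	"crypto": "golang.org/x/crypto",
	"net":    "golang.org/x/net",
	"sys":    "golang.org/x/sys",
	"term":   "golang.org/x/term",
}

// Finding describes one require entry that resembles a golang.org/x module
// without being it.
type Finding struct {
	Module   string
	Imitates string
	Reason   string
}

// parseRequires returns the module paths from a go.mod's require directives,
// handling both the single-line and the block form. Comments are stripped.
func parseRequires(goMod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, fields[0])
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			mods = append(mods, fields[1])
		}
	}
	return mods
}

// auditModules flags every required module whose last path element matches a
// golang.org/x library but whose full path does not. The official GitHub
// mirror is genuine, but its canonical import path is the golang.org/x one, so
// a direct reference to it is reported with a different reason.
func auditModules(mods []string) []Finding {
	var out []Finding
	for _, m := range mods {
		want, known := canonical[path.Base(m)]
		if !known || m == want {
			continue
		}
		reason := "lookalike: shares a name with a Go extended library but is not the canonical module"
		if strings.HasPrefix(m, "github.com/golang/") {
			reason = "official GitHub mirror referenced directly; prefer the canonical path"
		}
		out = append(out, Finding{Module: m, Imitates: want, Reason: reason})
	}
	return out
}

func main() {
	for _, f := range auditModules(parseRequires(sampleGoMod)) {
		fmt.Printf("%s\n  resembles %s\n  %s\n", f.Module, f.Imitates, f.Reason)
	}
}
```

The name match is a heuristic: a module that happens to be called net or sys under an unrelated organization will also be reported, which is acceptable for a review aid that runs in CI and asks a human to confirm the dependency is intended.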