Cybersecurity researchers have disclosed details of a malicious Go module that is designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe.
The Go module, github[.]com/xinfeisoft/crypto, impersonates the official "golang.org/x/crypto" codebase, but injects malicious code that is responsible for exfiltrating secrets entered via terminal password prompts to a remote endpoint, fetches a shell script in response, and executes it.
"This activity fits namespace confusion and impersonation of the official golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto)," Socket security researcher Kirill Boychenko said. "The official project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs."
Specifically, the backdoor has been placed within the "ssh/terminal/terminal.go" file, so that every time a victim application invokes ReadPassword() – a function meant to read input such as passwords from a terminal – those interactive secrets are captured. In the genuine golang.org/x/crypto repository, ssh/terminal is a deprecated shim that forwards to golang.org/x/term, so a terminal.go with any substantive logic of its own is already out of place.
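The namespace confusion described above is visible in a dependency graph before any code runs: a module whose repository name matches an official golang.org/x subrepository but whose path is neither golang.org/x/&lt;name&gt; nor the github.com/golang/&lt;name&gt; mirror. The following Go program is an added example, not Socket's tooling or code from the malicious module. It scans the require directives of a go.mod and flags that shape. The subrepo list is a partial assumption you would extend, and the go.mod text is constructed with placeholder versions.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// officialSubrepos is a partial list of golang.org/x subrepository names
// (assumption: extend it with the subrepos your builds actually use).
var officialSubrepos = map[string]bool{
	"crypto": true, "net": true, "sys": true, "term": true, "text": true,
	"oauth2": true, "tools": true, "mod": true, "sync": true, "time": true,
}

// canonicalPrefixes are the module path prefixes under which those subrepos
// legitimately appear in a dependency graph: the canonical import path and
// the GitHub mirror named in the article.
var canonicalPrefixes = []string{"golang.org/x/", "github.com/golang/"}

// Finding is one suspicious require entry.
type Finding struct {
	Module  string
	Version string
	Reason  string
}

// repoName returns the repository-level element of a module path, skipping a
// trailing major-version suffix such as /v2.
func repoName(modPath string) string {
	name := path.Base(modPath)
	if isMajorSuffix(name) {
		name = path.Base(path.Dir(modPath))
	}
	return name
}

func isMajorSuffix(s string) bool {
	if len(s) < 2 || s[0] != 'v' {
		return false
	}
	for _, c := range s[1:] {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// isCanonical reports whether modPath is an official home of subrepo name.
func isCanonical(modPath, name string) bool {
	for _, p := range canonicalPrefixes {
		if modPath == p+name {
			return true
		}
	}
	return false
}

// ScanGoMod walks the require directives of a go.mod and flags any module whose
// repository name collides with an official golang.org/x subrepository while its
// path is not canonical: the shape github.com/xinfeisoft/crypto has.
func ScanGoMod(goMod string) []Finding {
	var findings []Finding
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		var modPath, version string
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case len(fields) == 3 && fields[0] == "require":
			modPath, version = fields[1], fields[2]
		case inBlock && len(fields) == 2:
			modPath, version = fields[0], fields[1]
		default:
			continue
		}
		name := strings.ToLower(repoName(modPath))
		if officialSubrepos[name] && !isCanonical(modPath, name) {
			findings = append(findings, Finding{
				Module:  modPath,
				Version: version,
				Reason:  fmt.Sprintf("repository name %q matches an official subrepo but path is not golang.org/x/%s", name, name),
			})
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod (not taken from any real project); the
// versions are placeholders.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v1.0.0 // placeholder version
	golang.org/x/crypto v0.21.0
	github.com/golang/crypto v0.0.0-20240101000000-000000000000
	golang.org/x/term v0.18.0
	github.com/spf13/cobra v1.8.0 // indirect
)

require github.com/acme/net/v2 v2.3.0
`

func main() {
	for _, f := range ScanGoMod(sampleGoMod) {
		fmt.Printf("SUSPICIOUS %s %s: %s\n", f.Module, f.Version, f.Reason)
	}
}
```

Run it against the output of `go list -m all` or a vendored go.mod in CI; a hit is not proof of malice, but a lookalike of a credential-handling library is exactly the case that deserves a manual diff against the canonical source before the build proceeds.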
The main responsibility of the downloaded script is to function as a Linux stager, appending a threat actor's SSH key to the "/home/ubuntu/.ssh/authorized_keys" file, setting iptables default policies to ACCEPT in an attempt to loosen firewall restrictions, and retrieving additional payloads from an external server while disguising them with the .mp5 extension.
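Each of the three stager actions leaves a host artifact a responder can check for. The following Go program is an added example (not Socket's code or anything from the campaign) that runs that triage over constructed inputs: an authorized_keys file, `iptables-save` output, and a list of file paths. The approved-key allowlist and the key blobs are placeholders.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample inputs; none of this is captured from a real host.
const sampleAuthorizedKeys = `# constructed sample, not a real file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPlaceholder000000000000000000 admin@laptop
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBastionKeyPlaceholder0000000000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUnknownKeyPlaceholder0000000000000000000000 root@attacker
`

const sampleIptablesSave = `*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
`

var sampleFiles = []string{"/tmp/update.mp5", "/tmp/.x/sys.mp5", "/var/tmp/report.pdf"}

// approvedKeys holds the key blobs (type + base64) an operator expects on the
// host. Assumption: in practice this comes from your configuration management.
var approvedKeys = map[string]bool{
	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPlaceholder000000000000000000": true,
	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBastionKeyPlaceholder0000000000000000000":  true,
}

// UnexpectedKeys returns authorized_keys entries whose key blob is not approved.
// It tolerates option prefixes such as from="..." or command="...".
func UnexpectedKeys(authorizedKeys string, approved map[string]bool) []string {
	var out []string
	for _, line := range strings.Split(authorizedKeys, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if strings.HasPrefix(f[i], "ssh-") || strings.HasPrefix(f[i], "ecdsa-") || strings.HasPrefix(f[i], "sk-") {
				if !approved[f[i]+" "+f[i+1]] {
					out = append(out, line)
				}
				break
			}
		}
	}
	return out
}

// AcceptPolicies returns the chains whose default policy in iptables-save
// output is ACCEPT, i.e. lines of the form ":INPUT ACCEPT [0:0]".
func AcceptPolicies(iptablesSave string) []string {
	var out []string
	for _, line := range strings.Split(iptablesSave, "\n") {
		if !strings.HasPrefix(line, ":") {
			continue
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[1] == "ACCEPT" {
			out = append(out, strings.TrimPrefix(f[0], ":"))
		}
	}
	return out
}

// Mp5Files returns paths carrying the .mp5 extension the stager uses to
// disguise its downloaded payloads.
func Mp5Files(paths []string) []string {
	var out []string
	for _, p := range paths {
		if strings.EqualFold(path.Ext(p), ".mp5") {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println("unexpected authorized_keys entries:", UnexpectedKeys(sampleAuthorizedKeys, approvedKeys))
	fmt.Println("chains with default policy ACCEPT:", AcceptPolicies(sampleIptablesSave))
	fmt.Println("files with .mp5 extension:", Mp5Files(sampleFiles))
}
```

Feed it the real /home/ubuntu/.ssh/authorized_keys, the output of `iptables-save`, and a `find / -name '*.mp5'` listing. Treat the ACCEPT finding as a baseline comparison rather than an indicator on its own: ACCEPT is the stock default policy on many distributions, so what matters is whether a host that previously had DROP policies now shows ACCEPT.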
Of the two payloads, one is a helper that tests internet connectivity and attempts to communicate with an IP address ("154.84.63[.]184") over TCP port 443. The program likely functions as a recon tool or loader, Socket noted.
The second downloaded payload has been assessed to be Rekoobe, a known Linux trojan that has been detected in the wild since at least 2015. The backdoor is capable of receiving commands from an attacker-controlled server to download additional payloads, steal files, and execute a reverse shell. As recently as August 2023, Rekoobe has been put to use by Chinese nation-state groups such as APT31.
While the package still remains listed on pkg.go.dev, the Go security team has taken steps to block the library as malicious.
"This campaign will likely repeat because the pattern is low-effort and high-impact: a lookalike module that hooks a high-value boundary (ReadPassword), uses GitHub Raw as a rotating pointer, then pivots into curl | sh staging and Linux payload delivery," Boychenko said.
"Defenders should expect similar supply chain attacks targeting other 'credential edge' libraries (SSH helpers, CLI auth prompts, database connectors) and more indirection through hosting surfaces to rotate infrastructure without republishing code."
