Cyber Web Spider Blog – News
Malicious Go Module Package as Fast SSH Brute Forcer Exfiltrates Passwords via Telegram

Posted on August 22, 2025August 22, 2025 By CWS

A sophisticated supply chain attack has emerged targeting developers through a malicious Go module package that masquerades as a legitimate SSH brute-forcing tool while covertly stealing credentials for cybercriminal operations.

The package, named “golang-random-ip-ssh-bruteforce,” presents itself as a fast SSH brute forcer but contains hidden functionality that exfiltrates successful login credentials to a Telegram bot controlled by threat actors.

The malicious package operates by continuously scanning random IPv4 addresses for exposed SSH services on TCP port 22, attempting authentication using an embedded username-password wordlist, and immediately transmitting any successful credentials to its operators.

What makes this attack particularly insidious is that victims believe they are conducting legitimate penetration testing or security research, while unknowingly feeding their discoveries directly to cybercriminals.

Socket.dev analysts identified the malicious behavior embedded within the seemingly legitimate security tool, revealing that the package has been active since June 24, 2022.

The researchers found that upon the first successful SSH login, the package automatically sends the target IP address, username, and password to a hardcoded Telegram bot endpoint controlled by a Russian-speaking threat actor known as “IllDieAnyway” on GitHub.

Telegram bot and user data (Source – Socket.dev)

The attack vector exploits the trust relationship between developers and open-source packages, representing a growing trend of malicious actors distributing offensive security tools with backdoor functionality.

Users who download and execute the package inadvertently become unwitting participants in a larger credential harvesting operation, with their successful penetration attempts being redirected to criminal networks rather than serving their intended security assessment purposes.

Technical Implementation and Evasion Mechanisms

The malware’s technical implementation demonstrates sophisticated evasion tactics designed to maintain operational security while maximizing credential collection.

The package includes a deliberately minimal wordlist containing only common default credentials such as “root:toor,” “admin:password,” and IoT-specific combinations like “root:raspberry” and “root:dietpi,” which reduces network noise and speeds up the scanning process while maintaining plausible deniability for its operators.

The core malicious functionality centers on a hardcoded Telegram Bot API endpoint.

When successful authentication occurs, the package executes an HTTP GET request to this endpoint, transmitting the compromised credentials in the format “ip:username:password” to chat ID 1159678884, associated with the Telegram user @io_ping.

The malware deliberately configures SSH connections with HostKeyCallback: ssh.InsecureIgnoreHostKey() to bypass server verification and enable rapid credential testing across numerous targets.
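The two implementation details above (a hardcoded Telegram Bot API URL and an SSH client configured with InsecureIgnoreHostKey) are exactly the kind of static indicators a dependency review can look for before a Go module is trusted. The following program is an added example written for this article, not code from the article, from Socket, or from the malicious package: it uses Go's standard go/parser to walk a source file's AST and report both indicators with line numbers. The scanned file is a constructed sample that reproduces only the shape of the indicators; the names ScanGoSource, Finding and SampleSource are my own.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Finding is one indicator located in the scanned source (type name is my own).
type Finding struct {
	Line   int
	Reason string
}

// ScanGoSource parses src as a single Go file and reports two indicators the
// article associates with the malicious module: the host-key callback that
// accepts any server key, and a string literal embedding a Telegram Bot API URL.
// It only parses (no type checking), so the imports need not be resolvable.
func ScanGoSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.SelectorExpr:
			// Matches <pkg>.InsecureIgnoreHostKey whatever the import alias is.
			if x.Sel.Name == "InsecureIgnoreHostKey" {
				findings = append(findings, Finding{
					Line:   fset.Position(x.Pos()).Line,
					Reason: "SSH host key verification disabled (InsecureIgnoreHostKey)",
				})
			}
		case *ast.BasicLit:
			if x.Kind != token.STRING {
				return true
			}
			// Unquote so both "..." and `...` literals are compared on their contents.
			if s, err := strconv.Unquote(x.Value); err == nil && strings.Contains(s, "api.telegram.org/bot") {
				findings = append(findings, Finding{
					Line:   fset.Position(x.Pos()).Line,
					Reason: "hardcoded Telegram Bot API endpoint",
				})
			}
		}
		return true
	})
	return findings, nil
}

// SampleSource is a constructed Go file with the shape of the two indicators;
// the token is a placeholder and the snippet does nothing on its own.
const SampleSource = `package main

import "golang.org/x/crypto/ssh"

// Constructed sample: only the shape of the indicators, not the real package.
const botURL = "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage"

func config(user, pass string) *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User:            user,
		Auth:            []ssh.AuthMethod{ssh.Password(pass)},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}
}
`

func main() {
	findings, err := ScanGoSource("sample.go", SampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Run against the sample it reports the Telegram URL on line 6 and the disabled host-key check on line 12. In a real review you would feed it every .go file in the vendored module; on its own, InsecureIgnoreHostKey is common in quick scripts, so treat the pair of indicators together (plus an embedded credential list, as in wl.txt) as the signal worth escalating.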

Socket’s AI scanner detected the malicious package golang-random-ip-ssh-bruteforce (Source – Socket.dev)

Here is the Socket AI Scanner’s detection of the embedded wordlist file (wl.txt) within the malicious package, highlighting the targeted credential combinations designed to compromise IoT devices, single-board computers, and hastily configured Linux systems.
