Security researchers have disclosed a malicious Go module that harvests passwords typed at terminal prompts, plants an attacker's SSH key for persistent access, and ultimately deploys the Linux backdoor known as Rekoobe.
Deceptive Module and Its Operations
The malicious module, published at github[.]com/xinfeisoft/crypto, impersonates the legitimate golang.org/x/crypto module. It adds code that captures secrets entered at terminal password prompts and sends them to a remote server; the module then downloads and executes a shell script that carries out the rest of the attack.
Researchers, including Kirill Boychenko of Socket, classify the activity as namespace confusion. The official source of the library is go.googlesource.com/crypto, and developers are used to seeing it resolved through a GitHub mirror; the attacker exploits that gap, so a GitHub-hosted repository simply named crypto looks plausible in dependency graphs even though it has nothing to do with the Go project.
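The practical defence against this kind of namespace confusion is to look at what a project's go.mod actually resolves: a module whose last path element borrows a golang.org/x name (crypto, net, sys, term, ...) but lives somewhere else, or a replace directive that quietly redirects golang.org/x/crypto to another host. The following is an added example of such an audit; it is not Socket's tooling or anything from the Go project, and it parses go.mod with a small hand-written reader rather than golang.org/x/mod so that it runs with the standard library alone. The sample go.mod at the bottom is constructed for the demonstration and its version strings are placeholders, not real releases.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one suspicious directive in a go.mod file.
type Finding struct {
	Line   int    // 1-based line number in the go.mod text
	Module string // module path the directive refers to
	Reason string
}

// xModules lists golang.org/x module names that a lookalike module could
// reuse as its final path element. The page's case is "crypto"; the others
// are this example's own extension of the same check.
var xModules = map[string]bool{
	"crypto": true, "net": true, "sys": true, "text": true, "term": true,
	"tools": true, "sync": true, "time": true, "mod": true, "oauth2": true,
	"exp": true, "image": true,
}

func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// lastElem returns the final path element of a module path, skipping a
// trailing major-version suffix such as "/v2".
func lastElem(modPath string) string {
	parts := strings.Split(modPath, "/")
	last := parts[len(parts)-1]
	if len(parts) > 1 && strings.HasPrefix(last, "v") && isDigits(last[1:]) {
		last = parts[len(parts)-2]
	}
	return last
}

// checkRequire flags a required module that borrows a golang.org/x name
// without living under golang.org/x.
func checkRequire(lineNo int, modPath string) *Finding {
	if strings.HasPrefix(modPath, "golang.org/x/") {
		return nil
	}
	if name := lastElem(modPath); xModules[name] {
		return &Finding{lineNo, modPath, fmt.Sprintf("lookalike of golang.org/x/%s", name)}
	}
	return nil
}

// checkReplace flags a replace directive that points a golang.org/x module
// somewhere else. fields is the directive without the leading "replace".
func checkReplace(lineNo int, fields []string) *Finding {
	arrow := -1
	for i, f := range fields {
		if f == "=>" {
			arrow = i
		}
	}
	if arrow < 1 || arrow+1 >= len(fields) {
		return nil
	}
	oldPath, newPath := fields[0], fields[arrow+1]
	if strings.HasPrefix(oldPath, "golang.org/x/") && newPath != oldPath {
		return &Finding{lineNo, oldPath, "replace redirects " + oldPath + " to " + newPath}
	}
	return nil
}

// AuditGoMod scans go.mod text and returns suspicious require and replace
// directives. It handles both single-line directives and ( ... ) blocks.
func AuditGoMod(content string) []Finding {
	var findings []Finding
	block := "" // "require", "replace", or "" when not inside a ( ... ) block
	for i, raw := range strings.Split(content, "\n") {
		lineNo := i + 1
		line := strings.TrimSpace(raw)
		if idx := strings.Index(line, "//"); idx >= 0 {
			line = strings.TrimSpace(line[:idx])
		}
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if line == ")" {
			block = ""
			continue
		}
		if (fields[0] == "require" || fields[0] == "replace") && len(fields) == 2 && fields[1] == "(" {
			block = fields[0]
			continue
		}
		kind := block
		if block == "" {
			kind = fields[0]
			fields = fields[1:]
		}
		var f *Finding
		switch kind {
		case "require":
			if len(fields) >= 1 {
				f = checkRequire(lineNo, fields[0])
			}
		case "replace":
			f = checkReplace(lineNo, fields)
		}
		if f != nil {
			findings = append(findings, *f)
		}
	}
	return findings
}

// SampleGoMod is a constructed go.mod for demonstration; the version strings
// are placeholders, not real releases of the module discussed on the page.
const SampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
	golang.org/x/crypto v0.21.0
	github.com/spf13/cobra v1.8.0 // indirect
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-00010101000000-000000000000
`

func main() {
	for _, f := range AuditGoMod(SampleGoMod) {
		fmt.Printf("go.mod:%d %s: %s\n", f.Line, f.Module, f.Reason)
	}
}
```

Run against the sample it reports the lookalike require and the replace that redirects golang.org/x/crypto. On a real tree, feed it the output of `go mod edit -print` (or each go.mod in a monorepo) and treat a hit on a golang.org/x name as a blocker until someone has looked at where the module actually comes from; a replace to a local directory will also be reported, which is intentional, since that is a place a reviewer should look too.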
Backdoor Details and Impact
The credential-stealing code is embedded in ssh/terminal/terminal.go. Whenever a victim application calls ReadPassword(), the function meant to read a password from the terminal without echoing it, the trojanized version returns the password as expected but also captures it and transmits it to the attacker, so the application keeps working and nothing looks wrong to the user.
The downloaded script acts as a Linux stager: it appends an attacker-controlled SSH public key to /home/ubuntu/.ssh/authorized_keys, rewrites iptables rules to loosen the host firewall, and fetches further payloads served with a .mp5 extension so they do not look like executables. One payload checks for internet connectivity and tries to reach a specific IP on TCP port 443, most likely a reconnaissance or beaconing step.
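The authorized_keys write is the stager's persistence step and the easiest one to check for after the fact. Below is an added example, not Socket's code or any tooling from the Go project, of an audit that parses an authorized_keys file, skips leading options such as command="..." or no-pty, verifies that each key blob really is the type it claims to be, computes the SHA-256 fingerprint in the same form ssh-keygen -lf prints, and reports every key that is not on an allow list. The file contents at the bottom are constructed for the demonstration: the key blobs carry the correct type headers but zeroed or toy key material, and the allow list of fingerprints is something the reader would populate from their own inventory.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// keyTypes are the key type tokens this example recognises in authorized_keys.
var keyTypes = map[string]bool{
	"ssh-rsa": true, "ssh-ed25519": true, "ecdsa-sha2-nistp256": true,
	"ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true, "ssh-dss": true,
}

// KeyFinding describes one authorized_keys entry that needs a human look.
type KeyFinding struct {
	Line        int
	Fingerprint string // "SHA256:..." as printed by ssh-keygen -lf; empty if malformed
	Reason      string
}

// Fingerprint decodes a base64 key blob, checks that the blob's embedded
// type string matches the declared type, and returns the SHA-256
// fingerprint in ssh-keygen's format.
func Fingerprint(declaredType, blobB64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return "", err
	}
	if len(blob) < 4 {
		return "", errors.New("blob too short")
	}
	n := binary.BigEndian.Uint32(blob[:4])
	if uint32(len(blob)-4) < n {
		return "", errors.New("truncated type field")
	}
	if got := string(blob[4 : 4+n]); got != declaredType {
		return "", fmt.Errorf("blob type %q does not match declared %q", got, declaredType)
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// parseEntry finds the key type and blob in an authorized_keys line, skipping
// any leading options. It scans for the first field that is a known key type,
// so spaces inside quoted option values do not confuse it.
func parseEntry(line string) (keyType, blob string, ok bool) {
	fields := strings.Fields(line)
	for i := 0; i+1 < len(fields); i++ {
		if keyTypes[fields[i]] {
			return fields[i], fields[i+1], true
		}
	}
	return "", "", false
}

// AuditAuthorizedKeys returns entries whose fingerprint is not in allowed,
// plus entries that cannot be parsed or whose blob contradicts its type.
func AuditAuthorizedKeys(content string, allowed map[string]bool) []KeyFinding {
	var out []KeyFinding
	for i, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		keyType, blob, ok := parseEntry(line)
		if !ok {
			out = append(out, KeyFinding{i + 1, "", "unrecognised entry"})
			continue
		}
		fp, err := Fingerprint(keyType, blob)
		if err != nil {
			out = append(out, KeyFinding{i + 1, "", "malformed key: " + err.Error()})
			continue
		}
		if !allowed[fp] {
			out = append(out, KeyFinding{i + 1, fp, "key not in allow list (" + keyType + ")"})
		}
	}
	return out
}

// SampleAuthorizedKeys is constructed for this example. The ed25519 blob has
// a valid header and 32 zero key bytes; the ssh-rsa blob has a valid header,
// the exponent 65537 and a three-byte toy modulus. Neither is a usable key.
const SampleAuthorizedKeys = `# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA admin@bastion
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwECAw== unknown
not-a-key-line
ssh-rsa AAAAC3NzaC1lZDI1NTE5 mismatched
`

func main() {
	// With an empty allow list every well-formed key is reported.
	for _, f := range AuditAuthorizedKeys(SampleAuthorizedKeys, map[string]bool{}) {
		fmt.Printf("authorized_keys:%d %s %s\n", f.Line, f.Fingerprint, f.Reason)
	}
}
```

In an incident like the one described, the allow list comes from a known-good inventory of fingerprints and the audit is run over every authorized_keys on the host, not just the ubuntu user's; the type check matters because an appended entry that does not decode cleanly is itself a sign that something other than ssh-keygen wrote the file.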
Rekoobe and Ongoing Threats
The second payload is Rekoobe, a Linux trojan observed since at least 2015. It takes commands from an attacker-controlled server, letting the operator download further payloads, exfiltrate files, and open a reverse shell. Groups such as APT31 have recently used Rekoobe in espionage operations.
Although the malicious module is still listed on pkg.go.dev, the Go security team has started the process of flagging it as malicious. The campaign is a textbook low-effort, high-impact attack: a lookalike module that hooks a single high-value function, ReadPassword, and lets every legitimate caller do the collection for it.
Researchers expect similar supply chain attacks against other widely used libraries, and anticipate heavier use of remote hosting surfaces such as the server that feeds the stager, since that lets an attacker rotate infrastructure and payloads without ever republishing the module's code.
