
Cybersecurity researchers have discovered a malicious Go module that presents itself as an SSH brute-force tool but in reality quietly exfiltrates the credentials it captures to its creators.
“On the first successful login, the package sends the target IP address, username and password to a hard-coded Telegram bot controlled by the threat actor,” said Socket researcher Kirill Boychenko.
The deceptive package, named “Golang-Random-IP-Ssh-Bruteforce”, is linked to a GitHub account called Illdieanyway (G3TT) that is currently inaccessible. However, the module is still available on pkg.go[.]dev. It was published on June 24th, 2022.
The software supply chain security company said the Go module works by scanning random IPv4 addresses for publicly exposed SSH services on TCP port 22, brute-forcing the service with a built-in username/password list, and exfiltrating any working credentials to the attacker.
A notable aspect of the malware is that it deliberately disables host key verification by setting “ssh.InsecureIgnoreHostKey” as the HostKeyCallback, which lets the SSH client accept a connection from any server regardless of its identity.
The wordlist is fairly simple: only two usernames, root and admin, paired with weak passwords such as root, test, password, administrator, 12345678, 1234, QWERTY, WebAdmin, Webmaster, TechSupport, LetMein and PassW@rd.
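The host key callback is the only thing standing between an SSH client and a server that merely claims to be the one it expected. The following Go program is an added example, not code from the malicious module or from Socket: it contrasts an accept-everything callback (the behaviour of ssh.InsecureIgnoreHostKey) with a fingerprint-pinning check of the kind a real HostKeyCallback should perform. It uses only the standard library, so the key bytes, host names and pins below are constructed; in real code the wire-format key bytes come from the ssh.PublicKey passed to the callback.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Errors returned by VerifyHostKey. A client must abort the connection on either.
var (
	ErrUnknownHost = errors.New("host key verification failed: host is not pinned")
	ErrKeyMismatch = errors.New("host key verification failed: fingerprint mismatch (possible MITM or rekeyed host)")
)

// Fingerprint renders a wire-format SSH public key (the bytes that
// ssh.PublicKey.Marshal returns in x/crypto) in the OpenSSH
// "SHA256:<base64 without padding>" form shown by `ssh-keygen -l`.
func Fingerprint(wireKey []byte) string {
	sum := sha256.Sum256(wireKey)
	return "SHA256:" + strings.TrimRight(base64.StdEncoding.EncodeToString(sum[:]), "=")
}

// VerifyHostKey is the check a HostKeyCallback should perform: the host must be
// pinned, and the key the server presents must match the pin. Anything else is an error.
func VerifyHostKey(pins map[string]string, hostport string, wireKey []byte) error {
	want, ok := pins[hostport]
	if !ok {
		return ErrUnknownHost
	}
	if want != Fingerprint(wireKey) {
		return ErrKeyMismatch
	}
	return nil
}

// insecureIgnoreHostKey reproduces what ssh.InsecureIgnoreHostKey does: it returns
// nil for every host and every key, so any server on the path is accepted.
func insecureIgnoreHostKey(hostport string, wireKey []byte) error {
	return nil
}

// Constructed sample data for the example: a fake wire-format key and a pin
// derived from it for one hypothetical host.
var sampleKey = []byte("ssh-ed25519 CONSTRUCTED_KEY_BYTES_FOR_EXAMPLE")
var samplePins = map[string]string{
	"bastion.example.internal:22": Fingerprint(sampleKey),
}

func main() {
	impostorKey := []byte("ssh-ed25519 CONSTRUCTED_KEY_OF_AN_IMPOSTOR")
	fmt.Println("pinned key, pinned host:    ", VerifyHostKey(samplePins, "bastion.example.internal:22", sampleKey))
	fmt.Println("impostor key, pinned host:  ", VerifyHostKey(samplePins, "bastion.example.internal:22", impostorKey))
	fmt.Println("pinned key, unknown host:   ", VerifyHostKey(samplePins, "other.example.internal:22", sampleKey))
	fmt.Println("insecure callback, impostor:", insecureIgnoreHostKey("bastion.example.internal:22", impostorKey))
}
```

In production Go code the usual choice is golang.org/x/crypto/ssh/knownhosts, whose knownhosts.New builds a HostKeyCallback from an OpenSSH known_hosts file; the pin map above stands in for that file so the example runs without the dependency. Seeing InsecureIgnoreHostKey in a dependency's source, or a callback that unconditionally returns nil as above, is worth flagging in code review regardless of what the package claims to be.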

The malicious code runs in an infinite loop that generates random IPv4 addresses, and for each one the package attempts concurrent SSH logins using the wordlist.
Details are sent via the Telegram Bot API to a threat actor-controlled Telegram bot named “@sshzxc_bot” (ssh_bot), which receives the credentials. The bot forwards the message to the account with the handle “@io_ping” (gett).

Internet Archive snapshots of the now-deleted GitHub account show that the software portfolio of Illdieanyway (also known as G3TT) includes an IP port scanner, an Instagram profile information and media parser, and a PHP-based command-and-control (C2) botnet called SELICA-C2.
Their YouTube channel remains accessible and hosts a number of short-form videos with titles such as “how to hack a Telegram bot” and “the most powerful SMS bomber in the Russian Federation.” The threat actor is assessed to be of Russian origin.
“This package offloads scans and password guesses to unwitting operators, spreads the risk across IPs, and leaks successes to a single threat actor-controlled Telegram bot,” says Boychenko.
“It disables host key verification, ramps up concurrency after the first successful login, and prioritizes quick capture. Because the Telegram Bot API uses HTTPS, the traffic looks like a normal web request and can pass through coarse egress controls.”
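Because Bot API calls ride on ordinary HTTPS, a network control that only asks “is this port 443?” will pass them. What a web proxy can still see is the destination host (from the CONNECT request or the TLS SNI), and, where TLS inspection is in place, the request path, which for the Bot API has the distinctive shape /bot<numeric id>:<token>/<method>. The Go program below is an added example, not part of the original article or of Socket's research: it scans constructed proxy-log lines in a simplified "timestamp client method url status" format and reports Telegram Bot API use, rating a host-only match as a weak signal and a visible bot-token path as a strong one. The log format, client addresses and token value are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one proxy-log line that matched a Telegram Bot API indicator.
type Finding struct {
	Source   string // client address from the log line
	Method   string // HTTP method the proxy saw (CONNECT, POST, ...)
	BotAPI   string // Bot API method if the path was visible (e.g. sendMessage), else ""
	Severity string // "high" when a bot-token path is visible, "low" for a host-only match
}

// botPath matches the Bot API URL shape /bot<numeric id>:<secret>/<method>.
// Only the method name is captured; the token is deliberately not retained.
var botPath = regexp.MustCompile(`api\.telegram\.org(?::443)?/bot\d+:[A-Za-z0-9_-]+/([A-Za-z]+)`)

// ScanProxyLog walks log lines of the constructed form
//   "<timestamp> <client> <method> <url> <status>"
// and returns a Finding for every line that touches api.telegram.org.
func ScanProxyLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line; a real collector would count these
		}
		src, method, url := f[1], f[2], f[3]
		if !strings.Contains(url, "api.telegram.org") {
			continue
		}
		// Path visible (TLS-inspected proxy): the /bot<id>:<token>/ shape is unambiguous.
		if m := botPath.FindStringSubmatch(url); m != nil {
			out = append(out, Finding{Source: src, Method: method, BotAPI: m[1], Severity: "high"})
			continue
		}
		// Host only (plain CONNECT tunnel): Telegram is used legitimately, so this is
		// just a lead to correlate with the source host's expected behaviour.
		out = append(out, Finding{Source: src, Method: method, Severity: "low"})
	}
	return out
}

// sampleLog is constructed input: one tunnel to the Bot API host, one inspected
// request with a visible (fake) bot token, and two unrelated lines.
var sampleLog = []string{
	"1718000000.101 10.0.4.17 CONNECT api.telegram.org:443 200",
	"1718000000.102 10.0.4.17 POST https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_abc/sendMessage 200",
	"1718000000.103 10.0.4.18 GET https://www.example.com/index.html 200",
	"1718000000.104 10.0.4.19 CONNECT web.telegram.org:443 200",
}

func main() {
	for _, f := range ScanProxyLog(sampleLog) {
		fmt.Printf("%-4s %s %s api.telegram.org %s\n", f.Severity, f.Source, f.Method, f.BotAPI)
	}
}
```

The "low" findings are where the coarse-control problem shows up: without TLS inspection, a CONNECT to api.telegram.org from a build server or a host that has no business talking to Telegram is the only clue, so the useful rule is per-source expectation (which internal systems should ever reach the Bot API host) rather than a blanket block.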