A sophisticated supply chain attack has emerged targeting developers through a malicious Go module package that masquerades as a legitimate SSH brute forcing tool while covertly stealing credentials for cybercriminal operations.
The package, named “golang-random-ip-ssh-bruteforce,” presents itself as a fast SSH brute forcer but contains hidden functionality that exfiltrates successful login credentials to a Telegram bot controlled by threat actors.
The malicious package operates by continuously scanning random IPv4 addresses for exposed SSH services on TCP port 22, attempting authentication using an embedded username-password wordlist, and immediately transmitting any successful credentials to its operators.
What makes this attack particularly insidious is that victims believe they are conducting legitimate penetration testing or security research, while unknowingly feeding their discoveries directly to cybercriminals.
Socket.dev analysts identified the malicious behavior embedded within the seemingly legitimate security tool, revealing that the package has been active since June 24, 2022.
The researchers discovered that upon the first successful SSH login, the package automatically sends the target IP address, username, and password to a hardcoded Telegram bot endpoint controlled by a Russian-speaking threat actor known as “IllDieAnyway” on GitHub.
The attack vector exploits the trust relationship between developers and open-source packages, representing a growing trend of malicious actors distributing offensive security tools with backdoor functionality.
Users who download and execute the package unwittingly become participants in a larger credential harvesting operation: their successful login attempts are redirected to criminal networks rather than serving the security assessment they intended.
Technical Implementation and Evasion Mechanisms
The malware’s technical implementation demonstrates sophisticated evasion tactics designed to maintain operational security while maximizing credential collection.
The package includes a deliberately minimal wordlist containing only common default credentials such as “root:toor,” “admin:password,” and IoT-specific combinations like “root:raspberry” and “root:dietpi,” which reduces network noise and speeds up the scanning process while maintaining plausible deniability for its operators.
The core malicious functionality centers on a hardcoded Telegram API endpoint: https://api.telegram.org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage.
When successful authentication occurs, the package executes an HTTP GET request to this endpoint, transmitting the compromised credentials in the format “ip:username:password” to chat ID 1159678884, associated with the Telegram user @io_ping.
The malware deliberately configures its SSH connections with HostKeyCallback: ssh.InsecureIgnoreHostKey() to bypass server host key verification and enable rapid credential testing across diverse targets.
The Socket AI Scanner's detection of the embedded wordlist file (wl.txt) within the malicious package highlights the targeted credential combinations, which are chosen to compromise IoT devices, single-board computers, and hastily configured Linux systems.
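As an added example, not code from the malicious package or from Socket's analysis, the following Go program is a small static check that flags the two traits described above in Go source text: a hardcoded Telegram Bot API endpoint and a disabled SSH host key callback. The embedded sample source and the bot token in it are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious indicator located in a Go source file.
type Finding struct {
	Line   int
	Reason string
}

// Matches a hardcoded Telegram Bot API call of the form https://api.telegram.org/bot<id>:<token>/<method>.
var telegramBotURL = regexp.MustCompile(`https?://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+/\w+`)

// ScanGoSource walks Go source text line by line and flags a hardcoded Telegram
// bot endpoint and a disabled SSH host key check, the two traits the article describes.
func ScanGoSource(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		if telegramBotURL.MatchString(line) {
			findings = append(findings, Finding{i + 1, "hardcoded Telegram Bot API endpoint (possible exfiltration channel)"})
		}
		if strings.Contains(line, "ssh.InsecureIgnoreHostKey()") {
			findings = append(findings, Finding{i + 1, "SSH host-key verification disabled"})
		}
	}
	return findings
}

// IsExfilSuspect is true when both traits appear in the same file, the combination
// that turns a scanning tool into a credential harvester for a remote operator.
func IsExfilSuspect(findings []Finding) bool {
	hasTelegram, hasNoHostKey := false, false
	for _, f := range findings {
		hasTelegram = hasTelegram || strings.HasPrefix(f.Reason, "hardcoded Telegram")
		hasNoHostKey = hasNoHostKey || strings.HasPrefix(f.Reason, "SSH host-key")
	}
	return hasTelegram && hasNoHostKey
}

// Constructed sample resembling the described package; the bot id and token are fake placeholders.
const sample = `package main
var exfil = "https://api.telegram.org/bot000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage"
var cfg = &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}`

func main() {
	for _, f := range ScanGoSource(sample) {
		fmt.Printf("line %d: %s\n", f.Line, f.Reason)
	}
}
```

Running it over a vendored module tree before building is a cheap pre-merge check; a match is a reason to read the code, not proof of malice by itself.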