Cybersecurity researchers have discovered a malicious Go module that presents itself as an SSH brute-force tool but in fact contains functionality to exfiltrate the credentials it finds to its author.
“On the first successful login, the package exfiltrates the target IP address, username, and password to a hard-coded Telegram bot,” said Socket researcher Kirill Boychenko.
The deceptive package, named “golang-random-ip-ssh-bruteforce”, has been linked to a GitHub account called IllDieAnyway (G3TT), which is no longer accessible. The module itself, however, remains available on pkg.go[.]dev. It was published on June 24, 2022.
The software supply chain security company said the Go module works by scanning random IPv4 addresses for SSH services exposed on TCP port 22, attempting to authenticate to each one with an embedded username and password list, and forwarding any credentials that work to the attacker.
One notable aspect of the malware is that it deliberately disables host key verification by setting ssh.InsecureIgnoreHostKey() as the HostKeyCallback, which lets the SSH client accept a connection to any server regardless of its identity. The Go SSH library provides that callback for testing only; a client that uses it will never notice a substituted or impersonated server.
The wordlist is quite basic, containing only two usernames, root and admin, which are paired with weak passwords such as root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein and Passw@rd.
The malicious code runs an infinite loop that generates random IPv4 addresses and attempts concurrent SSH logins against each of them with the bundled wordlist.
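The traits described above (a client that accepts any host key, an embedded default-credential list, and a hard-coded Telegram bot endpoint) are cheap to look for in a dependency's source before it is ever built. The program below is an added example written for this article, not code from the malicious module or from the researchers: a small Go audit that scans Go source text for those three indicators. The rules, the Finding type and the sample snippet are all constructed for illustration, and the bot token in the sample is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious indicator located in a Go source file.
type Finding struct {
	Rule string // which heuristic fired
	Line int    // 1-based line number in the audited source
	Text string // the offending line, trimmed
}

// Heuristics for the three traits described in the write-up. These are
// hypothetical patterns written for this example, not a published rule set.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	// Host key verification disabled: the client accepts any server identity.
	{"insecure-host-key", regexp.MustCompile(`ssh\.InsecureIgnoreHostKey\(\)`)},
	// Hard-coded Telegram Bot API endpoint carrying an embedded bot token.
	{"telegram-bot-exfil", regexp.MustCompile(`https?://api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+`)},
	// A string-slice literal that opens with a classic default credential.
	{"embedded-credential-list", regexp.MustCompile(`\[\]string\{\s*"(root|admin|password|12345678|qwerty|letmein)"`)},
}

// AuditGoSource scans src line by line and returns every rule hit, in
// source order.
func AuditGoSource(src string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				findings = append(findings, Finding{r.name, i + 1, strings.TrimSpace(line)})
			}
		}
	}
	return findings
}

// CountByRule summarises findings per rule name.
func CountByRule(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Rule]++
	}
	return counts
}

// LooksLikeCredentialHarvester applies the combination that matters here: an
// SSH client that both ignores host keys and reports to a Telegram bot.
func LooksLikeCredentialHarvester(findings []Finding) bool {
	c := CountByRule(findings)
	return c["insecure-host-key"] > 0 && c["telegram-bot-exfil"] > 0
}

// Sample is a constructed snippet mimicking the traits described above; it is
// not the malicious module's code. The bot token is a placeholder.
const Sample = `package main

var users = []string{"root", "admin"}
var passwords = []string{"root", "test", "password", "admin", "12345678", "1234", "qwerty"}

func dial(ip, user, pass string) {
	cfg := &ssh.ClientConfig{
		User:            user,
		Auth:            []ssh.AuthMethod{ssh.Password(pass)},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}
	_ = cfg
}

func report(ip, user, pass string) {
	url := "https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN_VALUE/sendMessage"
	_ = url
}
`

func main() {
	findings := AuditGoSource(Sample)
	for _, f := range findings {
		fmt.Printf("%-25s line %2d: %s\n", f.Rule, f.Line, f.Text)
	}
	fmt.Println("credential harvester pattern:", LooksLikeCredentialHarvester(findings))
}
```

To audit a real dependency, read each .go file of the vendored module into a string and pass it to AuditGoSource; a hit on the host-key rule alone is a code-quality finding, while the host-key and Telegram rules together are the combination worth escalating. For a legitimate Go SSH client the correct setting is ssh.FixedHostKey or a knownhosts.New callback from golang.org/x/crypto/ssh/knownhosts, not ssh.InsecureIgnoreHostKey.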
The captured details are sent through the Bot API to a threat actor-controlled Telegram bot called @sshZXC_bot (sshZXC), which acknowledges receipt of the credentials. The bot then relays the messages to an account with the handle @io_ping (G3TT).
An Internet Archive snapshot of the GitHub account suggests that IllDieAnyway’s software portfolio includes an IP port scanner, an Instagram profile information and media parser, and even a PHP-based command-and-control (C2) botnet.
The actor’s YouTube channel, which remains accessible, hosts various short-form videos on “how to hack a Telegram bot” and on what it claims is “the most powerful SMS bomber for the Russian Federation,” a tool that can send spam SMS texts and messages to VK users via a Telegram bot. The threat actor is assessed to be of Russian origin.
“The package offloads scanning and password guessing to unwitting operators, spreads risk to their IPs, and funnels every success to a single threat actor-controlled Telegram bot,” Boychenko said.
“It disables host key verification, drives high concurrency, and prioritizes quick capture by exiting after the first valid login. Because the Telegram Bot API uses HTTPS, the traffic looks like ordinary web requests and can slip past coarse egress controls.”
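Boychenko’s last point, that HTTPS to the Telegram Bot API blends in with ordinary web traffic, is the one defenders can act on directly: servers and build hosts rarely have any reason to reach a consumer messaging API. The program below is an added example, not the researchers’ or the module’s code. It parses constructed proxy CONNECT records, counts per-source connections to a hypothetical watchlist of exfiltration-capable services, and applies a deny-by-default egress allowlist; the log layout, the watchlist and the allowlist are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EgressEvent is one parsed outbound connection record.
type EgressEvent struct {
	Time   string
	Src    string
	Host   string
	Method string
}

// SampleLog is a constructed log in a simple "time src host:port method"
// layout invented for this example; it is not any product's real format.
const SampleLog = `2025-08-12T10:00:01Z 10.0.5.21 api.telegram.org:443 CONNECT
2025-08-12T10:00:02Z 10.0.5.21 proxy.golang.org:443 CONNECT
2025-08-12T10:00:07Z 10.0.5.21 API.telegram.org:443 CONNECT
2025-08-12T10:01:13Z 10.0.8.4 github.com:443 CONNECT
2025-08-12T10:02:40Z 10.0.8.4 api.telegram.org:443 CONNECT
this line is malformed and must be skipped`

// ExfilWatchlist names consumer services that double as ready-made
// exfiltration channels. Hypothetical list assembled for this example.
var ExfilWatchlist = map[string]string{
	"api.telegram.org": "Telegram Bot API",
}

// ServerAllowlist is a deny-by-default egress policy for build and server
// hosts: exact host names or ".suffix" entries. Hypothetical for this example.
var ServerAllowlist = []string{"proxy.golang.org", "sum.golang.org", ".github.com"}

// ParseEgressLine splits a record and strips the port from the destination.
// Malformed lines are reported as not ok rather than guessed at.
func ParseEgressLine(line string) (EgressEvent, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return EgressEvent{}, false
	}
	host := f[2]
	if i := strings.LastIndex(host, ":"); i >= 0 {
		host = host[:i]
	}
	return EgressEvent{Time: f[0], Src: f[1], Host: strings.ToLower(host), Method: f[3]}, true
}

// IsAllowedDestination implements the allowlist: an exact match, or, for a
// ".suffix" entry, the bare domain itself or any name below it.
func IsAllowedDestination(host string, allow []string) bool {
	host = strings.ToLower(host)
	for _, a := range allow {
		if strings.HasPrefix(a, ".") {
			if host == a[1:] || strings.HasSuffix(host, a) {
				return true
			}
		} else if host == a {
			return true
		}
	}
	return false
}

// FlagExfilEgress counts, per source IP, connections to watchlisted hosts.
func FlagExfilEgress(log string) map[string]int {
	hits := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		ev, ok := ParseEgressLine(line)
		if !ok {
			continue
		}
		if _, watched := ExfilWatchlist[ev.Host]; watched {
			hits[ev.Src]++
		}
	}
	return hits
}

// PolicyViolations lists every record whose destination the allowlist denies.
func PolicyViolations(log string, allow []string) []EgressEvent {
	var out []EgressEvent
	for _, line := range strings.Split(log, "\n") {
		ev, ok := ParseEgressLine(line)
		if ok && !IsAllowedDestination(ev.Host, allow) {
			out = append(out, ev)
		}
	}
	return out
}

func main() {
	hits := FlagExfilEgress(SampleLog)
	srcs := make([]string, 0, len(hits))
	for s := range hits {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs)
	for _, s := range srcs {
		fmt.Printf("%s -> %d connection(s) to watchlisted exfil hosts\n", s, hits[s])
	}
	for _, v := range PolicyViolations(SampleLog, ServerAllowlist) {
		fmt.Printf("DENY %s %s -> %s (%s)\n", v.Time, v.Src, v.Host, v.Method)
	}
}
```

The watchlist catches the specific channel this module uses; the allowlist is the coarse control done properly, because a server that is only permitted to reach its package mirrors and source host cannot deliver credentials to api.telegram.org no matter how ordinary the HTTPS looks. Without TLS interception the destination host name comes from the CONNECT request or the SNI, which is all this check needs.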