Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor
Briefly

"This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto). The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs."
"Specifically, the backdoor has been placed within the 'ssh/terminal/terminal.go' file, so that every time a victim application invokes ReadPassword() - a function supposedly meant to read input like passwords from a terminal - it causes that information to capture interactive secrets."
"The main responsibility of the downloaded script is to function as a Linux stager, appending a threat actor's SSH key to the '/home/ubuntu/.ssh/authorized_keys' file, setting iptables default policies to ACCEPT in an attempt to loosen firewall restrictions, and retrieving additional payloads from an external server while disguising them with the .mp5 extension."
Cybersecurity researchers discovered a malicious Go module at github.com/xinfeisoft/crypto that impersonates the legitimate golang.org/x/crypto codebase. The module injects malicious code into the SSH terminal password-reading function (ReadPassword() in ssh/terminal/terminal.go) to exfiltrate secrets to remote endpoints. Upon execution, it fetches and runs a shell script that adds attacker SSH keys to authorized_keys files, modifies firewall rules, and downloads additional payloads. Two payloads are delivered: a connectivity tester and loader that communicates with external servers, and Rekoobe, a known Linux trojan active since 2015. The attack relies on namespace confusion, exploiting the distinction between the canonical Google source repository and its GitHub mirror so that a look-alike module path passes as routine in dependency graphs.
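The defender-side check this report calls for is a dependency audit: find any module in a go.mod that mimics the golang.org/x/crypto subrepository under a different path, or a replace directive that silently redirects the canonical path somewhere else. The following Go program is an added example written for this summary; it is not code from The Hacker News, from the researchers, or from the Go project. It uses only the standard library, and the embedded go.mod text (including its version strings) is a constructed sample, not a real dependency manifest.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// canonicalCrypto is the only module path under which the x/crypto
// subrepository should be required; go.googlesource.com is its source of
// truth and github.com/golang/crypto is merely a mirror, so neither of
// those, nor a look-alike such as github.com/xinfeisoft/crypto, belongs in go.mod.
const canonicalCrypto = "golang.org/x/crypto"

// Finding is one suspicious entry: Kind is "lookalike" (a required module
// whose last path element is "crypto" but is not the canonical path) or
// "replace" (the canonical path is redirected to something else).
type Finding struct {
	Kind   string
	Module string
	Detail string
}

// SampleGoMod is a constructed manifest used to demonstrate the audit.
// The version strings are placeholders, not real published versions.
const SampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.0.0-20240101000000-abcdef123456 // look-alike
	golang.org/x/crypto v0.17.0
	golang.org/x/sys v0.15.0
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-20240101000000-abcdef123456
`

// AuditGoMod scans go.mod text for x/crypto look-alikes and redirecting
// replace directives. It handles both single-line and block forms of
// require and replace, and ignores trailing // comments.
func AuditGoMod(goMod string) []Finding {
	var findings []Finding
	inRequire, inReplace := false, false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		switch line {
		case "require (":
			inRequire = true
			continue
		case "replace (":
			inReplace = true
			continue
		case ")":
			inRequire, inReplace = false, false
			continue
		}
		fields := strings.Fields(line)
		switch {
		case strings.HasPrefix(line, "require ") && len(fields) >= 2:
			checkRequire(fields[1], &findings)
		case inRequire:
			checkRequire(fields[0], &findings)
		case strings.HasPrefix(line, "replace ") && len(fields) >= 2:
			checkReplace(fields[1:], &findings)
		case inReplace:
			checkReplace(fields, &findings)
		}
	}
	return findings
}

// checkRequire flags any module that ends in "/crypto" but is not the
// canonical golang.org/x/crypto path (mirrors and impostors alike).
func checkRequire(module string, findings *[]Finding) {
	if module != canonicalCrypto && path.Base(module) == "crypto" {
		*findings = append(*findings, Finding{
			Kind: "lookalike", Module: module,
			Detail: "ends in /crypto but is not " + canonicalCrypto,
		})
	}
}

// checkReplace flags "replace golang.org/x/crypto [ver] => <other> [ver]",
// which would swap the real library for another path at build time.
func checkReplace(fields []string, findings *[]Finding) {
	arrow := -1
	for i, f := range fields {
		if f == "=>" {
			arrow = i
		}
	}
	if arrow < 1 || arrow+1 >= len(fields) || fields[0] != canonicalCrypto {
		return
	}
	if target := fields[arrow+1]; target != canonicalCrypto {
		*findings = append(*findings, Finding{
			Kind: "replace", Module: fields[0],
			Detail: "redirected to " + target,
		})
	}
}

func main() {
	for _, f := range AuditGoMod(SampleGoMod) {
		fmt.Printf("%-9s %s: %s\n", f.Kind, f.Module, f.Detail)
	}
}
```

Running the audit on the sample manifest reports the look-alike require entry and the replace directive; run against a real repository, feed it the contents of go.mod (and, for a fuller picture, the module paths listed in go.sum or the output of `go list -m all`). Flagging mirrors as well as impostors is deliberate: the canonical module path is the one the Go project publishes, and anything else is worth a human look.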
Read at The Hacker News