Security researchers at Cisco Talos have discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.
The malicious code was written in Go programming language, uncommon for malware development, and implements several interesting features, for example, it tries to avoid infecting devices on government and military networks.
“Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics.” reads the analysis published by Talos.
The attacker created unique malware binaries for each infected system, researchers also reported that the GoScanSSH command and control (C2) infrastructure was leveraging the Tor2Web proxy service making hard the tracking of the C&C infrastructure and resilient to takedowns.
GoScanSSH conducted brute-force attack against publicly accessible SSH servers that allowed password-based SSH authentication. The hackers are leveraging a word list containing more than 7,000 username/password combinations. When GoScanSSH discovered a valid credential set, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server and executed.
While scanning for vulnerable SSH servers, GoScanSSH randomly generates IP addresses, avoiding special-use addresses. the malware then compares each IP address to a list of CIDR blocks that the malicious code will not attempt to scan because they are network ranges primarily controlled by various government and military entities.
The malware specifically avoids ranges assigned to the U.S. Department of Defense, experts also noticed that one of the network ranges in the list is assigned to an organization in South Korea.
The researchers detected more than 70 unique malware samples associated with the GoScanSSH malware family, the experts observed samples that were compiled to support multiple system architectures including x86, x86_64, ARM and MIPS64.
The experts also observed multiple versions (e.g, versions 1.2.2, 1.2.4, 1.3.0, etc.) of the malware in the wild, a circumstance that suggests the threat actors behind the malicious code is continuing to improve the malware.
According to the researchers, threat actors are likely trying to compromise larger networks, experts believe attackers are well resourced and with significant skills.
They are being active since June 2017 and already deployed 70 different versions of the GoScanSSH malware using over 250 distinct C&C servers.
The analysis of passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed confirmed that the number of infected systems is low.
“In analyzing passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed, resolution attempts were seen dating back to June 19, 2017, indicating that this attack campaign has been ongoing for at least nine months. Additionally, the C2 domain with the largest number of resolution requests had been seen 8,579 times.” states the analysis published by Talos.
Further details on the GoScanSSH malware, including IoCs, are reported in the analysis published by Talos.
(Security Affairs – GoScanSSH malware, hacking)