Malware, Supply chain, DevOps

Malicious Go module steals passwords, deploys Rekoobe backdoor

A malicious Go module, disguised as a legitimate crypto library, has been discovered by Socket researchers that harvests passwords and deploys the Rekoobe Linux backdoor. The module, found at github.com/xinfeisoft/crypto, exploits namespace confusion to appear routine in dependency graphs. This discovery highlights a sophisticated supply chain attack targeting developers, based on information published by The Hacker News.

The compromised Go module injects malicious code into the "ssh/terminal/terminal.go" file, specifically within the "ReadPassword()" function. This allows it to capture sensitive credentials entered by users at terminal password prompts and send them to a remote endpoint. Upon successful exfiltration, the module fetches and executes a shell script. This script acts as a Linux stager, adding a threat actor's SSH key to the "authorized_keys" file, loosening firewall restrictions by setting iptables policies to ACCEPT, and downloading further payloads.

One of these payloads is a reconnaissance or loader program, while the other is the Rekoobe backdoor, a known Linux trojan active since at least 2015 and previously attributed to Chinese nation-state groups like APT31. The Go security team has since blocked the malicious package.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds