Eleven malicious Go packages were found using the same obfuscation technique to hide commands that retrieve remote payloads, Socket reported Wednesday.Most of the packages communicate with command-and-control (C2) endpoints sharing the same path (/storage/de373d0df/a31546bf), suggesting they are part of the same malicious campaign.Eight of the packages also appear to be typosquatted versions of legitimate packages, aiming to cause confusion for developers searching for packages via the pkg.go.dev discovery site.The packages all share a string-array-based obfuscation technique that calls specific indices in an array to reconstruct the malicious command. This command creates a shell that downloads a script from an external URL, and this script then delivers an additional malicious remote payload to the target machine.The second-stage payloads perform tasks such as collecting system information, reading files on the target machine, collecting browser data — including credentials — and making external network requests.The attacks target both Linux and Windows machines, detecting the system OS and acting differently depending on the environment. On Linux and other Unix-like operating systems, it fetches a bash script that runs directly in memory, and on Windows machines, it leverages certutil.exe to download portable executables.Several of the C2 domains observed among the malicious packages have been seen in previous campaigns: for example, Socket previously identified the C2 domain alturastreet[.]icu in a different case of malicious Go packages discovered in March. Most of the domains were noted to use the top level domains .icu, .tech or .fun.While several of the domains have been previously flagged as malicious by researchers and on VirusTotal, others, such as monsoletter[.]icu, have not been previously observed. Additionally, several of the malicious packages and URLs were still active as of Thursday afternoon.Socket researchers noted that the use of typosquatted package names and descriptions can be especially confusing in the decentralized Go ecosystem, where several packages may share the same name and it can be more difficult to distinguish legitimate packages from malicious spoofs.Developers are recommended to utilize protective measures such as real-time package scanning, dependency audits and a robust package management system to prevent infection from suspicious packages in the Go supply chain.
DevOps, Supply chain, Vulnerability Management, Application security
11 Go packages hide malicious commands targeting Linux and Windows
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds