A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.
Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware’s command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns.
The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server.
The actors behind this threat would target weak or default credentials used across a variety of Linux-based devices. Usernames used in the attack include admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.
The credential combinations used in these attacks targeted Open Embedded Linux Entertainment Center (OpenELEC); Raspberry Pi; Open Source Media Center (OSMC); jailbroken iPhones; Ubiquiti device, PolyCom SIP phone, Huawei device, and Asterisk default credentials; and various keyboard patterns and well-known commonly used passwords.
Talos discovered over 70 unique GoScanSSH samples compiled to target multiple system architectures (x86, x86_64, ARM, and MIPS64).
Following infection, the malware attempts to determine how powerful the infected system is by determining how many hash computations it can perform within a fixed time interval. The malware sends the information to the C&C, along with basic information about the machine and a unique identifier.
The malware was designed to access Tor-hosted C&C domains using the Tor2Web proxy service, without the need of installing the Tor client on the compromised system. The communication between the bot and the server is authenticated to ensure it cannot be hijacked.
GoScanSSH can scan and identify vulnerable SSH servers exposed to the Internet. For that, it randomly generates IP addresses, but avoids special-use addresses, such as those assigned to the U.S. Department of Defense or to an organization in South Korea.
The malware attempts to establish a TCP connection to the selected IP address and, if that succeeds, it checks if the IP address resolves to a domain name. If that is true, it checks if the domain is related to a government or military entity and terminates the connection if that happens.
Before starting the SSH scanning activity, the malware waits for a response from the C&C server and activates a sleep function if that doesn’t happen.
Due to an increase in the number of attempts to resolve one of the C&C domains, Talos believes the number of compromised hosts is increasing. They also discovered some resolution attempts dating back to June 19, 2017, suggesting that the campaign has been ongoing for at least nine months.
The C&C with the largest number of requests had been seen 8,579 times. The security researchers discovered a total of 250 domains associated with the malware’s activity.
“These attacks demonstrate how servers exposed to the internet are at constant risk of attack by cybercriminals. Organizations should employ best practices to ensure that servers they may have exposed remain protected from these and other attacks that are constantly being launched by attackers around the world. Organizations should ensure that systems are hardened, that default credentials are changed prior to deploying new systems to production environments, and that these systems are continuously monitored for attempts to compromise them,” Talos concludes.