
This module, hosted on GitHub as github.com/xinfeisoft/crypto, mimics the well-known golang.org/x/crypto codebase but has been backdoored to capture sensitive credentials and deploy a Rekoobe backdoor.
The threat actor behind this attack is leveraging supply-chain compromise techniques to infect users, steal passwords, and execute arbitrary commands on compromised systems.
The malicious Go module cleverly impersonates golang.org/x/crypto, a trusted, widely used cryptography library in the Go ecosystem.
It modifies the ReadPassword function in the legitimate ssh/terminal/terminal.go file to silently capture passwords as they are entered.
When an application using this backdoored module prompts users for a password, the modified ReadPassword function intercepts the entered credentials, stores them locally, and then exfiltrates the data to a remote server controlled by the threat actor.
The backdoor also fetches a script from a GitHub-hosted resource and executes it on the compromised system.
This script acts as a Linux stager that modifies system configurations, including adding an SSH key for persistence, changing iptables default policies to accept all incoming and outgoing traffic, and downloading additional payloads disguised as media files.
These payloads, confirmed to be Rekoobe Linux backdoors, provide the attacker with remote control over the system, enabling further exploitation.
Rekoobe Backdoor and Attack Chain
The downloaded payloads, disguised with the .mp5 extension to resemble media files, include sss.mp5 and 555.mp5.
After analyzing these payloads, we confirmed that sss.mp5 functions as a recon tool, establishing connectivity and blending in with expected network traffic.
The second payload, 555.mp5, is identified as a Rekoobe backdoor linked to espionage operations by APT31 (Zirconium). This backdoor communicates with a custom command-and-control (C2) server, bypassing conventional security measures by mimicking standard HTTPS traffic over TCP port 443.
The attack chain starts when the Go module captures a password through the backdoored ReadPassword function. It then retrieves a script from a GitHub-hosted file, which initiates the next stages, including downloading and executing the backdoor payloads.
The backdoor further solidifies its persistence by adding an SSH key to /home/ubuntu/.ssh/authorized_keys, ensuring continued access even if the compromised password is changed.
The malicious payload also weakens the system’s security posture by modifying iptables, allowing unrestricted traffic to and from the compromised machine.
Security Implications and Mitigation
- Audit and validate Go modules before inclusion, especially those that interact with sensitive functionality such as passwords or SSH keys.
- Monitor dependency changes in CI pipelines and block suspicious modifications using tools such as Socket CLI or a firewall.
- Employ security measures such as Multi-Factor Authentication (MFA) for all critical access points, and implement network-level protections to block unauthorized inbound traffic.
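One concrete way to act on the first two recommendations, added here as an example and not code from the report or from any project it names: a small Go auditor that reads go.mod text and flags (a) replace directives that redirect a golang.org/x module elsewhere and (b) module paths named like a golang.org/x module but hosted under another domain, one way a look-alike such as github.com/xinfeisoft/crypto could enter a build. The go.mod content is constructed, the watched-name list is an assumption, and the version strings are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// xNames lists golang.org/x module names worth watching (assumed list; extend as needed).
var xNames = map[string]bool{"crypto": true, "net": true, "sys": true, "term": true, "text": true}
// sampleGoMod is a constructed go.mod (not from the report); the pseudo-version is a placeholder.
const sampleGoMod = `module example.com/app
require (
	golang.org/x/crypto v0.31.0
	github.com/xinfeisoft/crypto v0.0.0-placeholder // indirect
)
replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.0-placeholder
`
// AuditGoMod returns one "go.mod:<line>: <reason>" entry for every directive that redirects a
// golang.org/x/* module elsewhere, and for every path named like a golang.org/x module but hosted elsewhere.
func AuditGoMod(src string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop any trailing comment
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "replace" || f[0] == "require") {
			f = f[1:] // single-line form: the keyword precedes the module path
		}
		if len(f) == 0 || !strings.Contains(f[0], "/") {
			continue // blank line, "(", ")", or a module/go/toolchain directive
		}
		for i := 1; i+1 < len(f); i++ { // check 1: "old [version] => new [version]" swapping out golang.org/x/<name>
			if f[i] == "=>" && strings.HasPrefix(f[0], "golang.org/x/") && f[i+1] != f[0] {
				out = append(out, fmt.Sprintf("go.mod:%d: %s is replaced by %s", n, f[0], f[i+1]))
			}
		}
		// check 2: a look-alike path such as github.com/<org>/crypto standing in for golang.org/x/crypto
		if b := f[0][strings.LastIndex(f[0], "/")+1:]; xNames[b] && !strings.HasPrefix(f[0], "golang.org/x/") {
			out = append(out, fmt.Sprintf("go.mod:%d: %s is named like golang.org/x/%s but hosted elsewhere", n, f[0], b))
		}
	}
	return out
}

func main() {
	for _, finding := range AuditGoMod(sampleGoMod) {
		fmt.Println(finding)
	}
}
```

Run it in CI against the checked-in go.mod and pair it with `go mod verify`, which checks the downloaded module contents against go.sum.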
By staying vigilant and proactively securing dependencies, organizations can better protect themselves from malicious actors exploiting supply chain weaknesses.
The post Go Crypto Malware Steals Credentials and Deploys Rekoobe Backdoor via Supply Chain Breach appeared first on Cyber Security News.
