Full Report
Cybersecurity researchers have disclosed details of a malicious Go module that's designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe. The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate "golang.org/x/crypto" codebase, but injects malicious code that's responsible for exfiltrating secrets entered via terminal password
Analysis Summary
# Tool/Technique: Malicious Go Crypto Module Impersonating `golang.org/x/crypto`
## Overview
This is a software supply chain attack utilizing a malicious Go module (`github.com/xinfeisoft/crypto`) that impersonates the legitimate `golang.org/x/crypto` codebase. Its primary purpose is to harvest passwords entered via terminal prompts, exfiltrate this data, and subsequently download and deploy the Rekoobe Linux backdoor to establish persistent remote access.
## Technical Details
- Type: Malware/Supply Chain Attack Tool
- Platform: Linux (implied by Rekoobe backdoor and SSH key deployment)
- Capabilities: Password harvesting from terminal input, C2 communication, persistence establishment via SSH, and delivery of a secondary Linux backdoor payload.
- First Seen: Information not explicitly provided, but Rekoobe has been active since at least 2015.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1533 - Data from Local System
- T1533.003 - SSH Authorized Keys
## Functionality
### Core Capabilities
* **Namespace Confusion/Impersonation:** Masquerades as the canonical Go crypto subrepository (`go.googlesource.com/crypto`) by mirroring it under a deceptively named GitHub repository (`github.com/xinfeisoft/crypto`).
* **Password Exfiltration:** Hooks into the `ReadPassword()` function within the compromised `ssh/terminal/terminal.go` file to capture secrets entered during terminal password prompts and exfiltrates them to a remote endpoint.
* **Staging and Execution:** Fetches a shell script from the remote endpoint and executes it locally.
* **Persistence:** The downloaded script appends attacker-controlled SSH keys to `/home/ubuntu/.ssh/authorized_keys`.
* **Firewall Evasion:** Sets `iptables` default policies to `ACCEPT` to loosen firewall restrictions.
* **Payload Delivery:** Retrieves additional payloads, one being a connectivity checker/loader and the second being the Rekoobe backdoor.
### Advanced Features
* **Rekoobe Backdoor Deployment:** Deploys the known Rekoobe Linux trojan, capable of downloading further payloads, stealing files, and executing reverse shells.
* **Payload Obfuscation:** New payloads are disguised with the `.mp5` file extension during download.
* **Infrastructure Rotation:** The use of GitHub Raw as a rotating pointer suggests an attempt to maintain operational security while minimizing code republishing efforts.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes not disclosed in the summary)
- File Names: `github.com/xinfeisoft/crypto` (Malicious module), Payloads disguised with `.mp5` extension.
- Registry Keys: N/A
- Network Indicators:
- C2/Loader Communication: `154.84.63[.]184` on TCP port 443 (Helper payload testing connectivity).
- Behavioral Indicators:
* Invocation of the malicious code when an application calls `ReadPassword()`.
* Modification of `/home/ubuntu/.ssh/authorized_keys`.
* Modification of `iptables` default policies to `ACCEPT`.
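The two host-level behavioral indicators above (an `authorized_keys` file gaining an unexpected public key, and `iptables` default policies flipped to `ACCEPT`) can be checked with a small audit routine. The Go program below is an added example written for this summary, not code from the report or from the malicious module; it parses `iptables -S` style output and an `authorized_keys` file against an allowlist of known key blobs. The sample rule listing and the key file are constructed inputs, and the key blobs are placeholders rather than real keys.

```go
package main

import (
	"fmt"
	"strings"
)

// AcceptPolicies parses `iptables -S` style output and returns the chains whose
// default policy is ACCEPT. The staging script described in the report sets the
// default policies to ACCEPT, so an unexpected ACCEPT on INPUT or FORWARD is a
// review item on hosts that are supposed to be deny-by-default.
func AcceptPolicies(rules string) []string {
	var chains []string
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line)
		// Policy lines look like "-P INPUT ACCEPT"; rule lines start with -A.
		if len(f) == 3 && f[0] == "-P" && f[2] == "ACCEPT" {
			chains = append(chains, f[1])
		}
	}
	return chains
}

// UnknownAuthorizedKeys returns the authorized_keys entries whose key blob is not
// in the allowlist. Entries may carry leading options (command="...", from="..."),
// so the key type token is located rather than assumed to be first.
func UnknownAuthorizedKeys(content string, allowed map[string]bool) []string {
	var unknown []string
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			t := f[i]
			if strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
				if !allowed[f[i+1]] {
					unknown = append(unknown, line)
				}
				break
			}
		}
	}
	return unknown
}

// Constructed sample inputs (not captured from the incident): an `iptables -S`
// listing with all three policies opened up, and an authorized_keys file with
// one allowlisted key and one unexpected key. Key blobs are placeholders.
const sampleRules = `-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
`

const sampleAuthorizedKeys = `# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKNOWNKEY admin@bastion
command="/usr/bin/true" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERUNKNOWNKEY noname
`

var allowedKeyBlobs = map[string]bool{
	"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKNOWNKEY": true,
}

func main() {
	// In practice, feed the live output of `iptables -S` and the contents of each
	// user's ~/.ssh/authorized_keys (the report names /home/ubuntu/.ssh/authorized_keys).
	for _, c := range AcceptPolicies(sampleRules) {
		fmt.Printf("REVIEW: chain %s has default policy ACCEPT\n", c)
	}
	for _, k := range UnknownAuthorizedKeys(sampleAuthorizedKeys, allowedKeyBlobs) {
		fmt.Printf("ALERT: unexpected authorized key: %s\n", k)
	}
}
```

Keying the allowlist on the base64 blob rather than the trailing comment matters: the comment field is free text and an attacker-appended key can carry any label. On the constructed sample the program reports all three chains as ACCEPT and flags the second key entry.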
## Associated Threat Actors
* Associated with threat groups that utilize the Rekoobe backdoor, specifically noted as **APT31 (Chinese nation-state groups)** as recently as August 2023.
## Detection Methods
- Signature-based detection: Detection of the specific malicious Go module package reference (`github.com/xinfeisoft/crypto`).
- Behavioral detection: Monitoring for unusual execution upon calls to critical credential boundary functions like `ReadPassword()` in Go applications. Monitoring for changes to `iptables` default policies or the addition of public SSH keys to `authorized_keys` files.
- YARA rules: N/A (Not provided in the source).
## Mitigation Strategies
* **Dependency Verification:** Scrutinize dependencies for namespace confusion or impersonation, particularly for widely trusted libraries like `golang.org/x/crypto`. Validate canonical sources (e.g., `go.googlesource.com/crypto` vs. GitHub mirrors).
* **Privileged Access Hardening:** Strictly limit which users and processes can modify SSH `authorized_keys` files.
* **Network Monitoring:** Monitor outbound connections, especially helper/loader payloads that talk over non-standard protocols or common ports (as this sample's helper does, connecting to a raw IP address on TCP 443 rather than to a hostname).
* **Firewall Review:** Validate and enforce strict network firewall policies (deny-by-default) rather than relying on default ACCEPT rules.
* **Software Integrity:** Defenders should anticipate similar supply chain attacks targeting other "credential edge" libraries (e.g., database connectors, CLI auth prompts).
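The signature-based detection in the Detection Methods section (a reference to `github.com/xinfeisoft/crypto`) and the Dependency Verification item above (catching `golang.org/x/crypto` redirected to a GitHub mirror) both reduce to inspecting `go.mod`. The Go program below is an added example for this summary, not tooling from the report or from the Go project; it is a deliberately small line-based reader of `go.mod` (not the official `golang.org/x/mod/modfile` parser) that flags `require` lines naming the malicious module and `replace` directives that point a `golang.org/x/` module at any path outside that namespace. The denylist holds only the module path the report names; the sample `go.mod` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding describes one suspicious directive found in a go.mod file.
type Finding struct {
	Line   int
	Reason string
	Text   string
}

// knownBad holds the module path the report identifies as malicious.
var knownBad = map[string]bool{
	"github.com/xinfeisoft/crypto": true,
}

// trustedPrefixes are module namespaces that a replace directive should never
// redirect elsewhere; a local "../" replace will also be reported for review.
var trustedPrefixes = []string{"golang.org/x/"}

func isTrusted(path string) bool {
	for _, p := range trustedPrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

func indexOf(fields []string, s string) int {
	for i, f := range fields {
		if f == s {
			return i
		}
	}
	return -1
}

// AuditGoMod scans go.mod text without fetching anything and returns findings.
// It understands single-line directives and "( ... )" blocks for require/replace.
func AuditGoMod(src string) []Finding {
	var findings []Finding
	block := "" // directive keyword while inside a ( ... ) block, else ""
	for i, raw := range strings.Split(src, "\n") {
		line := raw
		if idx := strings.Index(line, "//"); idx >= 0 {
			line = line[:idx] // drop trailing comments such as "// indirect"
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		directive := block
		if block == "" {
			directive, fields = fields[0], fields[1:]
			if len(fields) == 1 && fields[0] == "(" {
				block = directive
				continue
			}
		} else if line == ")" {
			block = ""
			continue
		}
		lineNo := i + 1
		switch directive {
		case "require":
			if len(fields) >= 1 && knownBad[fields[0]] {
				findings = append(findings, Finding{lineNo, "requires known-malicious module", raw})
			}
		case "replace":
			// Forms: "old => new [version]" or "old version => new [version]".
			arrow := indexOf(fields, "=>")
			if arrow < 1 || arrow+1 >= len(fields) {
				continue
			}
			oldPath, newPath := fields[0], fields[arrow+1]
			if knownBad[newPath] {
				findings = append(findings, Finding{lineNo, "replace targets known-malicious module", raw})
			} else if isTrusted(oldPath) && !isTrusted(newPath) {
				findings = append(findings, Finding{lineNo, "trusted module redirected to unverified path", raw})
			}
		}
	}
	return findings
}

// Constructed sample go.mod (not from a real project) exhibiting both patterns.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.1.0
	golang.org/x/sys v0.20.0
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.1.0
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Printf("go.mod:%d: %s: %s\n", f.Line, f.Reason, strings.TrimSpace(f.Text))
	}
}
```

Run against the sample this reports line 6 (the `require`) and line 10 (the `replace`). The `replace` check is the more general of the two: it fires for any redirection of a `golang.org/x/` module outside that namespace, so it also catches lookalike mirrors the denylist has never heard of, at the cost of also surfacing legitimate local development replaces for a human to dismiss.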
## Related Tools/Techniques
* Rekoobe (Known Linux trojan/backdoor)
* Software Supply Chain Compromise Techniques (General pattern)
* Reverse Shell Execution
* The specific attack leverages indirection through hosting surfaces (GitHub) to rotate infrastructure.