Cisco Talos security experts found a brand new piece of malware called GoScanSSH. According to the experts, the new threat was used to compromise SSH servers exposed online.
The GoScanSSH malware was written in Go programming language, which is rather uncommon for malware development, and it has very interesting features. Among these is the fact that the malware avoids infecting devices on government and military networks.
“Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics.” the analysis published by Talos states.
According to the researchers, the malware developer created a unique malware binary for each infected system, and the GoScanSSH command and control (C2) infrastructure used the Tor2Web proxy service, which makes the C&C infrastructure harder to track and more resilient to takedowns.
The GoScanSSH malware conducted brute-force attacks against publicly accessible SSH servers that allow password-based SSH authentication.
The word list the attackers use contains more than 7,000 username/password combinations. Once the malware discovers a valid credential set, a unique GoScanSSH binary is created, uploaded to the compromised SSH server and then executed.
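As an added illustration of what this brute-force phase looks like from the defender's side (example code written for this article, not Talos's tooling; the sshd log lines are constructed), the following Python flags sources that cycle through many username/password pairs against sshd and, in particular, a successful password login that follows such a run:

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from the Talos report).
SAMPLE_AUTH_LOG = """\
Mar 26 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar 26 10:01:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Mar 26 10:01:04 host sshd[2103]: Failed password for invalid user pi from 203.0.113.10 port 51236 ssh2
Mar 26 10:01:05 host sshd[2104]: Failed password for invalid user ubnt from 203.0.113.10 port 51237 ssh2
Mar 26 10:01:06 host sshd[2105]: Failed password for invalid user support from 203.0.113.10 port 51238 ssh2
Mar 26 10:01:07 host sshd[2106]: Accepted password for support from 203.0.113.10 port 51239 ssh2
Mar 26 10:05:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 26 10:05:10 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_auth_log(text, fail_threshold=5, distinct_user_threshold=3):
    """Return {source_ip: finding} for sources that look like credential-list brute force.

    A source is flagged when it exceeds fail_threshold failed password logins or tries
    distinct_user_threshold different usernames. If a login is accepted from a source
    that already crossed fail_threshold, that is recorded as a likely compromise.
    """
    fails = defaultdict(int)          # source ip -> failed password attempts
    users = defaultdict(set)          # source ip -> usernames tried
    accepted_after_fails = {}         # source ip -> (user, auth method) of the accepted login
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed" and m["method"] == "password":
            fails[ip] += 1
            users[ip].add(user)
        elif m["result"] == "Accepted" and fails.get(ip, 0) >= fail_threshold:
            accepted_after_fails[ip] = (user, m["method"])
    findings = {}
    for ip, count in fails.items():
        if count >= fail_threshold or len(users[ip]) >= distinct_user_threshold:
            findings[ip] = {
                "failed_password_attempts": count,
                "distinct_usernames": sorted(users[ip]),
                "accepted_after_failures": accepted_after_fails.get(ip),
            }
    return findings
```

Sources that hit the thresholds and then obtain an accepted password login are the ones worth triaging first, since the report describes a binary being uploaded immediately after a valid credential set is found.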
While scanning for vulnerable SSH servers, the GoScanSSH malware randomly generates IP addresses, avoiding special-use addresses. It then compares each IP address against a list of CIDR blocks that the malware will not scan because they are government and military network ranges.
According to the researchers, GoScanSSH is designed to avoid ranges assigned to the U.S. Department of Defense; only one of the network ranges is assigned to an organization in South Korea.
The security experts registered more than 70 unique malware samples associated with the GoScanSSH malware family, and some of the samples were compiled to support multiple system architectures including x86, x86_64, ARM and MIPS64.
There were also multiple versions of the threat (e.g., versions 1.2.2, 1.2.4, 1.3.0, etc.), suggesting that the hackers behind GoScanSSH keep improving the malicious code.
The experts believe the attackers are well resourced and highly skilled, and that they will probably try to compromise larger networks.
The creators of GoScanSSH have been active since June 2017 and since then, they have deployed 70 different malware versions using over 250 distinct C&C servers.
Analysis of passive DNS data related to all of the C2 domains collected from the analyzed samples confirmed that the number of infected systems is currently low.
“In analyzing passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed, resolution attempts were seen dating back to June 19, 2017, indicating that this attack campaign has been ongoing for at least nine months. Additionally, the C2 domain with the largest number of resolution requests had been seen 8,579 times.” the Talos analysis reads.