Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

GoScanSSH Malware Targets Linux Servers

A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.

A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.

Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware’s command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns.

The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server.

The actors behind this threat would target weak or default credentials used across a variety of Linux-based devices. Usernames used in the attack include admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

The credential combinations used in these attacks targeted Open Embedded Linux Entertainment Center (OpenELEC); Raspberry Pi; Open Source Media Center (OSMC); jailbroken iPhones; Ubiquiti device, PolyCom SIP phone, Huawei device, and Asterisk default credentials; and various keyboard patterns and well-known commonly used passwords.

Talos discovered over 70 unique GoScanSSH samples compiled to target multiple system architectures (x86, x86_64, ARM, and MIPS64).

Following infection, the malware attempts to determine how powerful the infected system is by determining how many hash computations it can perform within a fixed time interval. The malware sends the information to the C&C, along with basic information about the machine and a unique identifier.

The malware was designed to access Tor-hosted C&C domains using the Tor2Web proxy service, without the need of installing the Tor client on the compromised system. The communication between the bot and the server is authenticated to ensure it cannot be hijacked.

GoScanSSH can scan and identify vulnerable SSH servers exposed to the Internet. For that, it randomly generates IP addresses, but avoids special-use addresses, such as those assigned to the U.S. Department of Defense or to an organization in South Korea.

The malware attempts to establish a TCP connection to the selected IP address and, if that succeeds, it checks if the IP address resolves to a domain name. If that is true, it checks if the domain is related to a government or military entity and t
erminates the connection if that happens.

Before starting the SSH scanning activity, the malware waits for a response from the C&C server and activates a sleep function if that doesn’t happen.

Due to an increase in the number of attempts to resolve one of the C&C domains, Talos believes the number of compromised hosts is increasing. They also discovered some resolution attempts dating back to June 19, 2017, suggesting that the campaign has been ongoing for at least nine months.

The C&C with the largest number of requests had been seen 8,579 times. The security researchers discovered a total of 250 domains associated with the malware’s activity.

“These attacks demonstrate how servers exposed to the internet are at constant risk of attack by cybercriminals. Organizations should employ best practices to ensure that servers they may have exposed remain protected from these and other attacks that are constantly being launched by attackers around the world. Organizations should ensure that systems are hardened, that default credentials are changed prior to deploying new systems to production environments, and that these systems are continuously monitored for attempts to compromise them,” Talos concludes.

Related: Linux Malware Could Run Undetected on Windows: Researchers

Related: Linux Malware Targets Raspberry Pi for Cryptocurrency Mining

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Cybercrime

Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.