Go Program Cheats Users, Steals Login Details and Shares with Hackers

The420.in Staff

Researchers have revealed a malicious Go package posing as an SSH brute-force tool while secretly harvesting and exfiltrating login credentials to an attacker’s Telegram bot. The software, named golang-random-ip-ssh-bruteforce, was published on June 24, 2022, by a developer linked to an account called IllDieAnyway. Although the GitHub profile is now offline, the module remains accessible via Go’s official package registry.

  • The module scans random IPv4 addresses looking for SSH services running on TCP port 22.
  • It tries two usernames, “root” and “admin,” combined with a list of weak passwords including “root,” “test,” “password,” “admin,” “12345678,” “1234,” “qwerty,” “webadmin,” “webmaster,” “techsupport,” “letmein,” and “Passw@rd.”

How the Malware Collects Credentials

When the module successfully logs into a target server, it quickly sends the target’s IP address, username, and password to a Telegram bot called @sshZXC_bot. This bot operates through Telegram’s API, forwarding the stolen details to a user with the handle @io_ping. Because the Telegram API uses HTTPS, this data exfiltration blends seamlessly with regular web traffic, making it difficult to detect.

  • The malware disables SSH host key verification by setting ssh.InsecureIgnoreHostKey as the host key callback, allowing connections without any check of the server's identity.
  • It continuously generates random IPv4 addresses and makes concurrent login attempts against them in an infinite loop.
  • After the first successful credential capture, the module exits immediately to avoid detection.


Attacker Profile and Tactics

Archived records show the author previously released additional tools such as an IP port scanner, an Instagram parser, and a PHP command-and-control botnet called Selica-C2. Videos linked to the developer include guides on hacking Telegram bots and SMS bombers targeting users on Russian platforms.

  • The attacker is assessed to be of Russian origin.
  • The malicious module offloads scanning and password guessing to unwitting users, spreading risk while consolidating successful logins to a central Telegram bot.

Supply Chain Security Risks

The Trojanized Go module poses a serious supply chain threat. Developers unknowingly incorporating this code risk exposing credentials, as HTTPS-based exfiltration evades common network defenses.
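One way to check a Go code base for the indicators described above, written here as an added example (it is not code from the article or from the malicious module): it reads go.mod, go.sum and .go files under a directory and flags the module name, the ssh.InsecureIgnoreHostKey callback and the Telegram Bot API host. The full import path of the module and the exact Telegram URL are not given in the article, so matching is by assumed substrings, and a hit on ssh.InsecureIgnoreHostKey alone is a review lead rather than proof of compromise, since legitimate tools also use it.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Indicators taken from the article. The full import path and the exact Telegram
// URL are not on the page, so these are assumed substrings, not exact identifiers.
var indicators = []struct{ label, needle string }{
	{"suspicious module name", "golang-random-ip-ssh-bruteforce"},
	{"host key verification disabled", "ssh.InsecureIgnoreHostKey"},
	{"Telegram Bot API endpoint", "api.telegram.org/bot"},
}

// ScanContent returns the label of every indicator present in one file's text.
func ScanContent(content string) []string {
	var hits []string
	for _, ind := range indicators {
		if strings.Contains(content, ind.needle) {
			hits = append(hits, ind.label)
		}
	}
	return hits
}

// main audits the current directory tree: go.mod and go.sum catch a declared
// dependency, while .go files catch vendored or copied source.
func main() {
	err := filepath.WalkDir(".", func(path string, d fs.DirEntry, err error) error {
		// Propagate walk errors; skip directories and files other than go.mod, go.sum, *.go.
		if err != nil || d.IsDir() || !(d.Name() == "go.mod" || d.Name() == "go.sum" || strings.HasSuffix(d.Name(), ".go")) {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if hits := ScanContent(string(data)); len(hits) > 0 {
			fmt.Printf("%s: %s\n", path, strings.Join(hits, ", "))
		}
		return nil
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
}
```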
