Research from Cisco’s Talos Intelligence Group is giving insight into a rather aggressive malware that targets public-facing SSH servers. The GoScanSSH malware, which surfaced in 2017, is so named because it targets SSH and was written in the Go programming language. Talos researchers noted numerous unique characteristics about this malware:
It is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.
Researchers found that the initial attack vector for GoScanSSH was more than likely brute-forcing SSH credentials against a public SSH server that permitted SSH authentication via passwords. The brute-forcing drew on a list of 7,000 username and password combinations, which were tried until one succeeded and the malware binary could be executed.
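The brute-force pattern described above leaves a recognizable trace in sshd logs: a burst of failed password attempts from one source, cycling through usernames, followed by an accepted password login. The following detection script is an added example, not code from the Talos report; the log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth.log lines (illustrative, not from the Talos report).
SAMPLE_AUTH_LOG = """\
Mar 26 10:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50312 ssh2
Mar 26 10:01:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 50313 ssh2
Mar 26 10:01:04 host sshd[2102]: Failed password for pi from 203.0.113.7 port 50314 ssh2
Mar 26 10:01:05 host sshd[2103]: Failed password for invalid user ubnt from 203.0.113.7 port 50315 ssh2
Mar 26 10:01:06 host sshd[2104]: Failed password for invalid user vagrant from 203.0.113.7 port 50316 ssh2
Mar 26 10:01:07 host sshd[2105]: Accepted password for pi from 203.0.113.7 port 50317 ssh2
Mar 26 10:05:00 host sshd[2200]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar 26 10:06:00 host sshd[2201]: Failed password for bob from 198.51.100.9 port 40001 ssh2
"""

# Matches the standard OpenSSH "Accepted"/"Failed" authentication lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def summarize_sources(log_text):
    """Per source IP: failed-password count, distinct usernames tried,
    and users for which a password login was accepted after earlier failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after_failures": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("method") != "password":
            continue  # ignore public-key logins and unrelated lines
        s = stats[m.group("src")]
        if m.group("result") == "Failed":
            s["failures"] += 1
            s["users"].add(m.group("user"))
        elif s["failures"] > 0:
            s["accepted_after_failures"].append(m.group("user"))
    return stats

def flag_brute_force(log_text, threshold=5):
    """Sources at or above the threshold of failures or distinct users; a non-empty 'guessed' list means a credential was found."""
    findings = []
    for src, s in summarize_sources(log_text).items():
        if s["failures"] >= threshold or len(s["users"]) >= threshold:
            findings.append({"src": src, "failures": s["failures"],
                             "users_tried": sorted(s["users"]),
                             "guessed": s["accepted_after_failures"]})
    return sorted(findings, key=lambda f: -f["failures"])

if __name__ == "__main__":
    for finding in flag_brute_force(SAMPLE_AUTH_LOG):
        print(finding)
```

A source that appears with a non-empty "guessed" list is the host to triage first, since that is where a weak or default credential was accepted and a payload could have been dropped.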
While researching the username and password combinations used in the brute-force attacks, Talos discovered something interesting. Consider the following sample list provided in the report:
These are all related to Linux in some way or another, which resulted in the report stating “the username/password combinations used by this malware appear to target weak or default credentials across a range of Linux-based devices.”
Furthermore, the malware only attacks powerful servers of this type. A key function of the malware is not only determining the computing power of the server it has infected but also uncovering other vulnerable SSH servers. While the attackers' motives are not entirely clear, cryptocurrency mining appears to be one plausible explanation. Regardless, GoScanSSH is aggressive reconnaissance malware that could be just phase one of a larger cyberattack.
Photo credit: Pixabay