On March 26, researchers from Talos published an informative article revealing a new malware family. The discovery was made during a recent Incident Response (IR) engagement. The specialists found that a malware dubbed GoScanSSH targeted SSH servers exposed to the Internet. Analysis of the structure of GoScanSSH revealed that the malware is written in the Go (Golang) programming language and contains several unusual features. Although researchers have seen malware written in Go before, attackers more commonly choose other languages for their malicious products.
Hackers used password/username combinations
An SSH credential brute-force attack against Internet-facing SSH servers is the likely technique used to deliver the GoScanSSH malware. It appears that the attackers had over 7,000 username/password combinations which were tried during the attack. Once a set of credentials works for an SSH server, the malicious GoScanSSH binary is uploaded to that server. The specialists explain that the crooks targeted weak password/username combinations across a range of Linux-based devices.
Therefore, GoScanSSH has been described as a threat to Linux-based systems. According to the researchers from Talos, they discovered over 70 different samples of this malware family. Since multiple versions of this threat have been observed, it is clear that the crooks are regularly updating and improving their malicious masterpiece.
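The delivery pattern described above (a burst of failed password logins from one source followed by a successful password login) leaves a distinctive trace in sshd logs. The following detection logic is an added example and is not from the Talos report; the log lines, host name, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not real incident data).
SAMPLE_LOG = """\
Mar 26 10:01:02 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 40110 ssh2
Mar 26 10:01:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 26 10:01:04 host1 sshd[2003]: Failed password for pi from 203.0.113.7 port 40114 ssh2
Mar 26 10:01:05 host1 sshd[2004]: Failed password for ubnt from 203.0.113.7 port 40116 ssh2
Mar 26 10:01:06 host1 sshd[2005]: Accepted password for pi from 203.0.113.7 port 40118 ssh2
Mar 26 10:05:00 host1 sshd[2010]: Failed password for alice from 198.51.100.9 port 50000 ssh2
Mar 26 10:05:20 host1 sshd[2011]: Accepted publickey for alice from 198.51.100.9 port 50002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(text, year=2018):
    """Turn sshd auth lines into (timestamp, ip, user, result, method) tuples.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events

def find_bruteforce_logins(events, min_failures=3, window_s=300):
    """Return (ip, user, failures, distinct_users) for every successful password
    login preceded by at least min_failures failed attempts from the same source
    within window_s seconds. Key-based logins are ignored: a credential-guessing
    tool like the one described cannot succeed that way."""
    hits = []
    failures = defaultdict(list)  # source ip -> [(timestamp, username attempted)]
    for ts, ip, user, result, method in sorted(events):
        if result == "Failed":
            failures[ip].append((ts, user))
            continue
        recent = [(t, u) for t, u in failures[ip] if (ts - t).total_seconds() <= window_s]
        if method == "password" and len(recent) >= min_failures:
            hits.append((ip, user, len(recent), len({u for _, u in recent})))
    return hits

if __name__ == "__main__":
    for ip, user, n, users in find_bruteforce_logins(parse(SAMPLE_LOG)):
        print(f"possible brute-forced login: {user}@{ip} after {n} failures across {users} usernames")
```

A hit like the one produced by the sample (several usernames tried from one source, then a password login succeeds) is exactly the point at which the binary upload would follow, so the event is worth alerting on and the account's subsequent activity worth reviewing.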
Other features of GoScanSSH malware
The Talos specialists also explain that the GoScanSSH malware is designed to measure the processing power of the infected system: “this is accomplished by determining how many hash computations can be performed within a fixed time interval”. The results are reported to the attackers’ C2 server, which is reached through a Tor2Web proxy. This is done to conceal the malware’s communications from anti-malware tools and other detectors.
The Talos specialists estimate that the GoScanSSH malware has been active since the summer of 2017. During this time, the infection compromised more than 250 domains. However, the creators of this threat were trying to avoid military and government systems. Since such systems are likely to be better protected, the attackers probably did not want to risk exposure. Therefore, the malware blacklists domains including .gov, .mil and .police.uk, among others.
Source: blog.talosintelligence.com