Researchers have identified a new malware family, dubbed GoScanSSH, that targets public facing SSH servers, but avoids those linked to government and military IP addresses.
The malware has been in the wild since June 2017 and exhibits a number of unique characteristics, such as being written in the Go (Golang) programming language, avoiding military targets and tailoring malware binaries for each target, according to Cisco Talos, which first identified the malware and posted research about it on Monday.
Researchers said the initial infection vector for GoScanSSH malware is brute-force attacks against publicly accessible SSH servers that allow password-based SSH authentication. “These attacks demonstrate how servers exposed to the internet are at constant risk of attack by cybercriminals,” wrote Edmund Brumaghin, Andrew Williams and Alain Zidouemba, who co-authored the Talos report.
“Once [the attacker] has…determined that the selected IP address is an ideal candidate for additional attacks, the malware attempts to obtain valid SSH credentials by attempting to authenticate to the system,” Cisco Talos researchers said. Attackers use a word list containing more than 7,000 username/password combinations, they said.
Username/password combinations used, researchers said, indicate attackers are targeting SSH servers with weak or default credentials on Linux-based devices. Based on credentials used, they believe OpenELEC, Raspberry Pi, jailbroken iPhones and Huawei devices are in the attacker’s crosshairs.
Cisco Talos has said it has identified 70 unique malware samples associated with the GoScanSSH malware family. Each sample uses custom compiled binaries to support the targeted platforms, which range from system architectures that use the microprocessor families x86, x86_64, ARM and MIPS64.
“Talos has also observed multiple versions (e.g, versions 1.2.2, 1.2.4, 1.3.0, etc.) of this malware active in the wild, indicating that this threat is continuing to be actively developed and improved upon by the attackers,” they warned.
Post infection, the malware first attempts to establish how powerful the server is by running a number of hash computations at fixed intervals. Cisco researchers don’t offer any explanation as to why attackers are looking for powerful systems. Typically, cryptocurrency mining operations would want that type of reconnaissance data, but given default credentials that appear to be targeting weaker Huawei devices, jailbroken iPhones and Raspberry Pi systems, it’s unclear what the attacker’s objectives are.
Data is transmitted between the infected host and the attacker’s C2 server via the Tor2Web proxy service. “This service allows systems on the standard internet to access resources hosted on Tor without requiring the system to install a Tor client… By leveraging Tor2Web, attackers can host their C2 infrastructure within the Tor network, without requiring them to include additional Tor functionality within their malware,” Talos said.
Researchers said the main function of the GoScanSSH malware is identifying additional vulnerable SSH servers. “Talos believes the attacker then compiles a new malware binary specifically for the compromised system, and infects the new host, causing this process to repeat on the newly infected system,” they said.