Researchers have identified a deceptive Go module that mimics a legitimate library to steal passwords and establish permanent access on Linux systems. By disguising itself as a standard encryption dependency, the malware captures terminal inputs and installs a backdoor known as Rekoobe to facilitate remote control.
A malicious Go module hosted at github.com/xinfeisoft/crypto has been discovered posing as the official golang.org/x/crypto library. The attacker utilized a namespace confusion tactic, taking advantage of the fact that many developers treat GitHub mirrors as canonical sources. By using a similar naming convention, the module appears routine in project dependency graphs while secretly containing code designed to exfiltrate sensitive data to a remote server.
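One defensive check for the namespace confusion described above is to audit go.mod for either the known-bad path or a replace directive that redirects golang.org/x/crypto to a non-canonical source. The following Go program is an added example, not code from the report or from any named project; the go.mod sample in main is constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Indicators from the report: the malicious path and the library it impersonates.
const maliciousPath, canonicalCrypto = "github.com/xinfeisoft/crypto", "golang.org/x/crypto"

// AuditGoMod scans go.mod text and reports every line that either references
// the malicious module or uses a replace directive to redirect golang.org/x/crypto
// to a non-canonical source (the namespace-confusion tactic described above).
func AuditGoMod(src string) []string {
	var findings []string
	inReplace := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // ignore trailing comments
			line = strings.TrimSpace(line[:i])
		}
		if strings.Contains(line, maliciousPath) {
			findings = append(findings, fmt.Sprintf("line %d: references known-malicious module %s", n, maliciousPath))
		}
		if line == "replace (" || line == ")" { // track multi-line replace blocks
			inReplace = line == "replace ("
			continue
		}
		if !inReplace && !strings.HasPrefix(line, "replace ") {
			continue
		}
		lhs, rhs, ok := strings.Cut(strings.TrimPrefix(line, "replace "), "=>")
		from, to := strings.Fields(lhs), strings.Fields(rhs)
		if ok && len(from) > 0 && len(to) > 0 && strings.HasPrefix(from[0], canonicalCrypto) && !strings.HasPrefix(to[0], canonicalCrypto) {
			findings = append(findings, fmt.Sprintf("line %d: %s replaced by non-canonical source %s", n, from[0], to[0]))
		}
	}
	return findings
}

func main() {
	// Constructed go.mod sample reproducing the redirect tactic; not taken from the report.
	sample := "module example.com/app\n\ngo 1.22\n\nrequire golang.org/x/crypto v0.21.0\n\nreplace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.0.1\n"
	for _, f := range AuditGoMod(sample) {
		fmt.Println(f)
	}
}
```

Run it against each go.mod in a build pipeline; a non-empty result should block the build until the replace or require line is reviewed.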
The core of the infection lies in a modification to the ssh/terminal/terminal.go file. Whenever a victim application calls the ReadPassword function to handle secure inputs, the malicious code intercepts the credentials. This allows the threat actor to harvest passwords directly from the terminal as users type them; because the data is captured at the point of entry, before any encryption or hashing takes place, the protections applied later in the application offer no defense.
Once the module is active, it reaches out to a remote endpoint to download and execute a shell script that functions as a Linux stager. This script is designed to ensure the attacker maintains long-term access to the compromised machine. It achieves this by appending the actor's own SSH key to the authorized_keys file and altering iptables firewall policies to allow all incoming traffic, significantly weakening the system's security posture.
The stager also retrieves additional payloads disguised with a misleading .mp5 file extension to avoid immediate detection. One of these payloads acts as a connectivity tester and reconnaissance tool, attempting to establish communication with a hardcoded IP address over port 443. This component serves as a loader, verifying that the infected host can reach the command-and-control infrastructure before further malicious actions are taken.
The ultimate goal of this campaign is the deployment of Rekoobe, a sophisticated Linux backdoor. By combining credential harvesting with persistent SSH access and weakened firewall settings, the threat actors create a reliable environment for ongoing surveillance and data theft. This discovery highlights the persistent risks within the open-source ecosystem, where small, targeted changes to familiar libraries can lead to total system compromise.
Source: Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor