GoScanSSH, a new strain of malware written in Golang (Go), has been targeting Linux-based SSH servers exposed to the internet — as long as those systems do not belong to the government or military.
In a new report, Cisco’s Talos Intelligence Group explained several other “interesting characteristics” of GoScanSSH, such as the fact that attackers create unique malware binaries for each host that is infected with the malware.
For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, honing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.
Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.
After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”
The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”
GoScanSSH malware scans for additional vulnerable SSH servers exposed to the internet that can be infected, but it goes out of its way to avoid military or government systems.
Submitted by: Arnfried Walbrecht