A malicious Go module impersonates the legitimate "golang.org/x/crypto" library to steal passwords and deploy malware. It captures secrets entered via terminal prompts and executes a script that establishes persistent SSH access and retrieves additional payloads. One payload is the Rekoobe Linux backdoor, used by groups like APT31, which can execute commands, steal files, and create reverse shells. The main topics are a software supply chain attack using namespace confusion, the functionality of the malicious module and Rekoobe backdoor, and defensive warnings about similar future campaigns.
Cybersecurity researchers have disclosed details of a malicious Go module that's designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe.
The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate "golang.org/x/crypto" codebase, but injects malicious code that's responsible for exfiltrating secrets entered via terminal password prompts to a remote endpoint, fetches a shell script in response, and executes it.
"This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto)," Socket security researcher Kirill Boychenko said. "The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs."
Specifically, the backdoor has been placed within the "ssh/terminal/terminal.go" file, so that every time a victim application invokes ReadPassword() – a function supposedly meant to read input like passwords from a terminal – it causes those interactive secrets to be captured.
The main responsibility of the downloaded script is to function as a Linux stager, appending a threat actor's SSH key to the "/home/ubuntu/.ssh/authorized_keys" file, set iptables default policies to ACCEPT in an attempt to loosen firewall restrictions, and retrieve additional payloads from an external server while disguising them with the .mp5 extension.
Of the two payloads, one is a helper that tests internet connectivity and attempts to communicate with an IP address ("154.84.63[.]184") over TCP port 443. The program likely functions as a recon or loader, Socket noted.
The second downloaded payload has been assessed to be Rekoobe, a known Linux trojan that has been detected in the wild since at least 2015. The backdoor is capable of receiving commands from an attacker-controlled server to download more payloads, steal files, and execute a reverse shell. As recently as August 2023, Rekoobe has been put to use by Chinese nation-state groups like APT31.
While the package still remains listed on pkg.go.dev, the Go security team has taken steps to block the library as malicious.
"This campaign will likely repeat because the pattern is low-effort and high-impact: a lookalike module that hooks a high-value boundary (ReadPassword), uses GitHub Raw as a rotating pointer, then pivots into curl | sh staging and Linux payload delivery," Boychenko said.
"Defenders should anticipate similar supply chain attacks targeting other 'credential edge' libraries (SSH helpers, CLI auth prompts, database connectors) and more indirection through hosting surfaces to rotate infrastructure without republishing code."
Meridiano
