Security researchers at Cisco Talos recently discovered a new malware that targets vulnerable Linux-based systems and conducts separate IP and DNS lookups to avoid targeting SSH servers owned by government or military entities.
Named GoScanSSH by the researchers, the new malware, unlike other malware that target SSH servers with open ports, is written using the Golang programming language which, according to Dan Matthews, director of engineering at Lastline, is an “efficient/cross-platform/modern/cool programming language”.
Avoiding government domains
The researchers noted that the creators of GoScanSSH malware went to great lengths to ensure that the malware infrastructure isn’t tracked by governments or security experts. Firstly, the GoScanSSH command and control infrastructure leverages the Tor2Web proxy service to make tracking the attacker-controlled infrastructure more difficult and secondly, the malware carries out separate IP and DNS lookups before infecting an open SSH server so as to avoid government and military domains.
They added that by leveraging Tor2Web, attackers can host their C2 infrastructure within the Tor network, without requiring them to include additional Tor functionality within their malware.
“It is difficult to fully get inside the head of attackers, but one theory could be that the attackers know that nation-states are resourced and have the political and networking connections to perform accurate attribution,” Matthews added.
According to the researchers at Cisco Talos, the GoScanSSH malware is used by its developers to carry out brute-force attacks against publicly accessible SSH servers across a range of Linux-based devices that allow password-based SSH authentication and are protected by weak or default passwords.
Their research also reveals the existence of more than 70 unique malware samples associated with the GoScanSSH malware family that support multiple system architectures including x86, x86_64, ARM and MIPS64. The presence of multiple versions of the malware in the wild also indicates that its developers are actively upgrading the malware as we speak.
After targeting a publicly-accessible SSH server, the malware first checks if a random IP address it generated is a special-use address as such addresses are often used by government or military entities. If it is, the malware generates a new IP address and then attempts to establish a TCP connection on port 22.
Once a connection is established, GoScanSSH performs a reverse lookup to check if any domain associated with the IP address is among a list of domains associated with government and military entities. If it is, it discards the IP and generates a new one. However, if an IP address is not associated with a government-owned domain, the malware uses a wordlist containing username and password combinations to obtain valid SSH credentials to infiltrate the system.
If the malware succeeds in guessing the correct credentials, it reports back to a command & control server and its developers then create a new malware binary specifically for the compromised system and start to infect a new host.
How to protect SSH servers from password-reuse attacks?
“The best thing any organization can do to protect against password reuse attacks is to enable some type of multi-factor authentication, particularly for services such as VPN’s, SSH servers and web/cloud-based email services which are reachable from the internet,” Matthews said.
According to researchers at Cisco Talos, the infection process used by GoScanSSH to infiltrate public-facing SSH servers with default or weak credentials demonstrates how servers exposed to the Internet are at constant risk of attack.
“Organizations should employ best practices to ensure that servers they may have exposed remain protected from these and other attacks that are constantly being launched by attackers around the world.
“Organizations should ensure that systems are hardened, that default credentials are changed prior to deploying new systems to production environments, and that these systems are continuously monitored for attempts to compromise them,” they added.