Malicious Go module for SSH brute-forcing

Researchers have discovered a malicious Go module, "golang-random-ip-ssh-bruteforce," that pretends to be an SSH brute-force tool while secretly exfiltrating credentials to a Telegram bot. Linked to an inaccessible GitHub account, the module scans random IPv4 addresses for exposed SSH services and attempts to brute-force them using a hardcoded list of common usernames and weak passwords.


Upon a successful login, it sends the target IP address, username, and password to the threat actor's Telegram bot, "@sshZXC_bot." The malware disables SSH host key verification, so it will connect to any server without checking the server's identity, and it runs in an infinite loop to maximize login attempts.


The threat actor, believed to be of Russian origin, uses this module to offload the scanning to unsuspecting operators while funneling every successful login to a single bot; because the exfiltration goes to Telegram's API, the traffic looks like ordinary web requests and evades detection.
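The two behaviours described above (host key verification disabled, a hard-coded Telegram bot endpoint) are easy to spot statically when reviewing a third-party Go module before depending on it. The following is an added example, not code from the report or from the module: a small audit pass built on Go's go/ast package that flags both indicators in a source file. AuditGoSource and SampleSource are assumed names, and the sample snippet is constructed for this demo.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// AuditGoSource parses one Go source file and flags the two behaviours the
// report describes. Findings are returned as "line:reason" strings.
func AuditGoSource(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []string
	ast.Inspect(f, func(n ast.Node) bool {
		why := ""
		switch x := n.(type) {
		case *ast.SelectorExpr: // e.g. ssh.InsecureIgnoreHostKey()
			if x.Sel.Name == "InsecureIgnoreHostKey" {
				why = "SSH host key verification disabled"
			}
		case *ast.BasicLit: // string constants, e.g. a hard-coded bot URL
			if x.Kind == token.STRING && strings.Contains(x.Value, "api.telegram.org/bot") {
				why = "hard-coded Telegram Bot API endpoint"
			}
		}
		if why != "" {
			out = append(out, fmt.Sprintf("%d:%s", fset.Position(n.Pos()).Line, why))
		}
		return true
	})
	return out, nil
}

// SampleSource is a constructed snippet for this demo, not the module's code.
const SampleSource = `package main
import "golang.org/x/crypto/ssh"
var cfg = &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}
var exfil = "https://api.telegram.org/bot<TOKEN>/sendMessage"
`

func main() {
	findings, _ := AuditGoSource("sample.go", SampleSource) // error ignored only in this demo
	fmt.Println(findings) // [3:SSH host key verification disabled 4:hard-coded Telegram Bot API endpoint]
}
```

Run it against each file of a module with `filepath.Walk` to get a quick triage list; a hit on either check is a reason to read that file by hand before importing the module.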

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.