29 March 2018
GoScanSSH, a new strain of malware written in Go (Golang), has been targeting Linux-based SSH servers exposed to the internet, while avoiding systems that belong to government or military organisations.
An interesting characteristic of GoScanSSH is that the attackers create a unique binary for each host infected with the malware. Since researchers have spotted several versions of the malware, this suggests that its authors are still actively developing and improving it.
For the initial infection, the malware uses more than 7,000 username/password combinations in a brute-force attack against a publicly accessible SSH server. GoScanSSH appears to target weak or default credentials on Linux-based devices, using the following usernames in its authentication attempts: admin, guest, test, user and Ubuntu.
Once a device is infected, the malware determines how powerful the infected machine is and obtains a unique identifier for it. The results are sent to a C2 server reached via the Tor2Web proxy service. The researchers determined that the campaign has been running for at least nine months, since June 2017, using at least 250 domains.
GoScanSSH then scans for additional vulnerable SSH servers exposed to the internet that it can infect. To identify them, the malware first generates a random IP address and compares it against a list of blacklisted IPs; if the address matches the blacklist, it is discarded and a new one is generated.
The malware then connects to the IP address on TCP/22 and performs a reverse DNS lookup to determine whether the address maps to a domain. Any domain found is checked against a list of domains to make sure it is not related to government or military entities; if it is, the IP is discarded and a new IP is generated.
The process of a typical GoScanSSH infection
- An already infected device selects a random IP
- The malware checks if the selected IP is on one of two IP blacklists (one with special-use addresses and one with IP ranges primarily controlled by various government and military entities)
- GoScanSSH scans the IP on port 22, looking for an open SSH port
- If the IP has an open SSH port, the malware runs a reverse DNS lookup to see if the IP hosts any websites/domains
- If the IP hosts a website, GoScanSSH runs the found domains against a second blacklist
- This second check looks for domains with any of the following TLDs: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, .govt.uk, .mod.uk, .gov.au, .govt.nz, .mil.nz, .parliament.nz, .gov.il, .muni.il, .idf.il, .gov.za, .mil.za, .gob.es, .police.uk
- If the IP hosts any government, military, or law enforcement domain, GoScanSSH moves to a new IP address
- If the scanned IP is not on either blacklist, the malware launches a dictionary brute-force attack in an attempt to guess the SSH credentials
- The malware uses a list of over 7,000 user-password combos
- Most combos are specific to Linux-based devices, while some combos are just the most common user-password combinations
- When the malware finds the remote device's SSH credentials, it reports back to its C&C server located on the Dark Web (communications occur via Tor2Web proxies)
- Crooks put together a unique version of the GoScanSSH malware binary
- They then log into the new devices manually and install this new GoScanSSH malware
- Malware runs a series of hash computations to determine the device's hardware capabilities and reports back to the C&C server
- GoScanSSH starts a scan for other devices to infect
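The brute-force phase described above leaves a clear trace in the target's own authentication log. The following Python script is an added example, not code from this advisory or from the researchers who analysed GoScanSSH: it parses OpenSSH "Failed password" syslog lines (constructed sample lines are embedded), counts failures per source address in a sliding window, and reports which of the usernames the advisory names (admin, guest, test, user, ubuntu) each flagged source tried. The threshold, window size, sample addresses and log-format assumptions are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the advisory says GoScanSSH tries against SSH servers.
GOSCANSSH_USERNAMES = {"admin", "guest", "test", "user", "ubuntu"}

# OpenSSH "Failed password" line in syslog format; "invalid user " is present only
# when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log (not a real capture). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; the burst from 203.0.113.5 mimics a dictionary attack.
SAMPLE_AUTH_LOG = """\
Mar 29 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 29 10:00:03 host1 sshd[1203]: Failed password for invalid user guest from 203.0.113.5 port 51240 ssh2
Mar 29 10:00:05 host1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar 29 10:00:07 host1 sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 29 10:00:09 host1 sshd[1209]: Failed password for ubuntu from 203.0.113.5 port 51255 ssh2
Mar 29 10:00:11 host1 sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: RSA SHA256:AAAA
Mar 29 10:30:00 host1 sshd[1300]: Failed password for alice from 198.51.100.9 port 40500 ssh2
""".splitlines()


def parse_failed_logins(lines, year=2018):
    """Return a list of (timestamp, source_ip, username) for each failed password login.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` failures inside any `window`-long
    sliding window. For each flagged IP, report the usernames tried and which of them
    belong to the GoScanSSH list from the advisory."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in attempts}
                flagged[ip] = {
                    "failures": len(attempts),
                    "usernames": sorted(users),
                    "goscanssh_usernames": sorted(users & GOSCANSSH_USERNAMES),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures, tried {info['usernames']}, "
              f"GoScanSSH list hits {info['goscanssh_usernames']}")
```

On a real host, feed the script the contents of /var/log/auth.log (or the output of journalctl -u ssh); a single source cycling through the advisory's usernames within seconds is the pattern to alert on, and a source that then produces an "Accepted password" line deserves immediate attention.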
Mitigation Strategies and Recommendations
- GoScanSSH’s current methodologies do not allow it to infect systems that support additional authentication methods.
- While GoScanSSH obfuscates the communication channel to its C2, the existence of an infection can be revealed by the large number of name-resolution requests the malware makes. In one test, the malware was seen attempting to connect to its C2 8579 times.
- System administrators should be vigilant for sudden, unanticipated traffic spikes over TCP/22, the SSH port used by the malware.
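The two network-side indicators listed above (the volume of name-resolution requests the malware makes, and a spike in TCP/22 traffic) can be checked against flow and DNS query records, and the first recommendation (systems that require other authentication methods are not infected) can be checked in sshd_config. The Python below is an added example, not code from this advisory or its researchers. It builds constructed flow and DNS records inline, flags hosts that open TCP/22 connections to an unusual number of distinct destinations within a short window, flags hosts that resolve one name hundreds of times or resolve names under Tor2Web proxy domains, and reports whether the global PasswordAuthentication setting in an sshd_config is enabled. The advisory does not name the proxy domains, so TOR2WEB_PROXY_SUFFIXES holds placeholder values an operator must replace; the thresholds and sample hosts are likewise the example's own.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder suffixes: the advisory says only that C2 traffic goes through Tor2Web
# proxies, so an operator must replace these with the proxy domains relevant to them.
TOR2WEB_PROXY_SUFFIXES = (".tor2web-proxy.example", ".onion-proxy.example")


def make_sample_flows():
    """Constructed flow records (timestamp, src_host, dst_ip, dst_port, proto).
    web01 behaves like an infected scanner; db01 shows normal admin SSH use."""
    base = datetime(2018, 3, 29, 10, 0, 0)
    flows = [(base + timedelta(seconds=i), "web01", f"203.0.113.{i + 1}", 22, "tcp")
             for i in range(40)]
    flows.append((base, "db01", "10.0.0.5", 22, "tcp"))
    flows.append((base + timedelta(minutes=30), "db01", "10.0.0.5", 22, "tcp"))
    flows.append((base, "web01", "198.51.100.20", 443, "tcp"))  # ordinary HTTPS, ignored
    return flows


def make_sample_dns():
    """Constructed DNS query records (timestamp, client_host, queried_name)."""
    base = datetime(2018, 3, 29, 10, 0, 0)
    queries = [(base + timedelta(seconds=i), "web01", "abcdef.tor2web-proxy.example")
               for i in range(150)]
    queries += [(base + timedelta(minutes=i), "db01", "repo.internal.example") for i in range(3)]
    queries += [(base + timedelta(minutes=i), "web01", "cdn.example.net") for i in range(5)]
    return queries


def outbound_ssh_fanout(flows, window=timedelta(minutes=1), threshold=20):
    """Return {host: peak} for hosts that opened TCP/22 connections to more than
    `threshold` distinct destinations inside any `window`-long sliding window.
    A server scanning the internet on port 22 stands out; a few admin sessions do not."""
    by_host = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "tcp" and port == 22:
            by_host[src].append((ts, dst))
    flagged = {}
    for host, conns in by_host.items():
        conns.sort()
        peak, start = 0, 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in conns[start:end + 1]}))
        if peak > threshold:
            flagged[host] = peak
    return flagged


def suspicious_resolutions(dns_queries, threshold=100, suffixes=TOR2WEB_PROXY_SUFFIXES):
    """Return findings for (host, name) pairs looked up at least `threshold` times or
    whose name falls under a configured Tor2Web proxy suffix. Repeated lookups of one
    name are the signal the advisory describes (8579 C2 connection attempts in one test)."""
    counts = Counter()
    for _, host, name in dns_queries:
        counts[(host, name.lower().rstrip("."))] += 1
    findings = []
    for (host, name), n in counts.items():
        proxy = name.endswith(suffixes)  # str.endswith accepts a tuple of suffixes
        if n >= threshold or proxy:
            findings.append({"host": host, "name": name, "lookups": n, "tor2web_proxy": proxy})
    return sorted(findings, key=lambda f: -f["lookups"])


def password_auth_enabled(sshd_config_text):
    """True if the global PasswordAuthentication setting is yes (OpenSSH's default).
    sshd uses the first value given for a keyword; directives after a Match block apply
    conditionally and are deliberately not considered here (simplification)."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    print("TCP/22 fan-out:", outbound_ssh_fanout(make_sample_flows()))
    for finding in suspicious_resolutions(make_sample_dns()):
        print("DNS:", finding)
    print("password auth enabled:", password_auth_enabled("PasswordAuthentication no\n"))
```

The fan-out check counts distinct destinations rather than raw connection attempts, so a server that legitimately reconnects to one jump host many times is not flagged while a host sweeping fresh addresses is; the DNS check keeps the per-name count even for names outside the proxy list, because the advisory's strongest indicator is volume, not a specific domain.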
These attacks demonstrate how servers exposed to the internet are at constant risk of attack by cybercriminals. Organizations should employ best practices to ensure that servers they may have exposed remain protected from these and other attacks that are constantly being launched by attackers around the world. Organizations should ensure that systems are hardened, that default credentials are changed prior to deploying new systems to production environments, and that these systems are continuously monitored for attempts to compromise them.
For more information in connection with the above or BIRGER. Cyber Defense Center (CDC) services, powered by Symantec, please contact Waziim Dilmahomod on:
T:  601 6819 (hotline) or 601 6820