Researchers at Cisco's Talos Intelligence Group have identified a new malware family, dubbed GoScanSSH, that compromises SSH servers. Well, those not attached to government, law enforcement or military domains anyway.
Spotted during a routine incident response engagement, Talos researchers noticed a number of unusual attributes as far as GoScanSSH is concerned. That it is programmed using Go, a language created at Google and used in some of the search giant's production systems, being just one of them. The most striking is that, as part of the attack process, the malware is very careful to check for any of those aforementioned government, military or law enforcement domains.
GoScanSSH appears to leverage a SSH credential brute-force attack against Internet facing SSH server with password-based authentication. If successful, a unique malware binary is created for each valid credential set and uploaded to the compromised SSH server.
Assuming, that is, the initial scan doesn't reveal that the target IP is on an internal blacklist of government and military controlled entities. If it gets past this initial self-defensive checking and is able to establish a TCP connection to port 22 with an open SSH port, a reverse DNS lookup for websites and domains hosted by that IP for more credential attacks is initiated.
Assuming, that is, this reverse DNS scan doesn't reveal connections to domains including .gov, .gov.uk, .govt.uk, .mil, .mil.uk, .mod.uk, .army, .airforce, .navy, .police.uk as well .gov.au, .gov.il, .govt.za, .mil.nz, .mil.za, .parliament.nz, .muni.il and .idf.il
If any of these top level domains are revealed, then the scan is aborted. Only if these multiple checks are passed does the brute-forcing continue to expose further servers where the malware can be deployed via communication with a Command and Control server hidden behind Tor2Web proxies. Even then the unusual aspects of GoScanSSH continue, as the unique malware binary is installed manually by the threat actor logging into the newly compromised host.
There have been, Talos researchers reveal, as many as 70 unique samples associated with GoScanSSH since 19 June 2017 which is as far back as resolution attempts go according to passive DNS data analysis. Various devices are known to have been infected, including enterprise gateway routers. This all suggests that the malware is still in an evolutionary stage, an assumption that is further validated by the fact that there seems to be uncertainty regarding the actual payload intent (beyond further compromisable network discovery) of the threat actors.
Nicholas Griffin, Senior Cyber-security Specialist at Performanta, told SC Media UK that given the threat actor has made the effort to support multiple system architectures, invest in delivering a unique malware build to each target and has also been benchmarking the speed of each infected device, it all points to "an actor who is building a botnet-as-a-service for sale on underground criminal marketplaces" and continued "we may expect to see chatter related to this botnet begin to appear on dark web forums in the near future..." Other options include cryptomining, where the average of 200 days from compromise to detection gives plenty of time to mine a profit.
And what of the particular attention being paid to minimise any contact with government, military and law enforcement networks? Does this suggest an advanced threat actor behind the malware, doing everything to mitigate the chances of well-resourced investigation and legal proceedings? "Advanced actor might be a bit of an overreach" says Ian Thornton-Trump, Cyber Vulnerability & Threat Hunting Lead at Ladbrokes Coral Group plc "how about common sense actor instead?" Thornton-Trump explains that seeing as digital forensics and incident response, along with detective and investigative capability, is arguably most established in the .gov, .mil and law enforcement spaces would make such precautions sensible from the criminal perspective.
"The vigilance of these organisations is driven not only by the sensitivity of the information" Thornton-Trump concludes "but also a desire to not be politically embarrassed. Given the level of paranoia of nation state actor targeting .gov .mil and law enforcement it makes sense for any entrepreneurial cyber-criminal to avoid drawing the wrath of those organisations."
And finally, Dan Matthews, Director of Engineering at Lastline advises enterprises to "enable multi-factor authentication for services such as VPN's, SSH servers and web/cloud-based email services which are reachable from the Internet."
