Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

Published: February 27, 2026 at 10:33 AM EST

Source: The Hacker News

Overview

Cybersecurity researchers have disclosed a malicious Go module that harvests passwords, creates persistent SSH access, and deploys a Linux backdoor known as Rekoobe.

The module, github.com/xinfeisoft/crypto, masquerades as the legitimate golang.org/x/crypto repository. It injects code that exfiltrates secrets entered via terminal password prompts to a remote endpoint, fetches a shell script in response, and executes it.

“This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto sub‑repository (and its GitHub mirror github.com/golang/crypto). The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs.” – Kirill Boychenko, Socket security researcher


How the Backdoor Works

Credential Harvesting

The malicious code is placed in ssh/terminal/terminal.go. Whenever a victim application calls ReadPassword(), the function intended to read a password from a terminal, the module captures the entered secret and sends it to a remote server.
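Because the impostor keeps the same function name as the legitimate package, the useful signal for a code audit is not the call to ReadPassword() but the import path that provides it. The program below is an added example written for this summary, not code from the article or from Socket; it uses Go's go/ast to find every `pkg.ReadPassword(...)` call in a source file, resolves `pkg` to its import path, and flags any provider outside an allowlist. The allowlist (golang.org/x/term, the current home of ReadPassword, and the older golang.org/x/crypto/ssh/terminal) and the sample source, which imports the impostor path named above, are constructed for the example and would be adjusted to a real code base.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Import paths allowed to provide ReadPassword in this code base (assumption for the example).
var trustedProviders = map[string]bool{
	"golang.org/x/term":                true,
	"golang.org/x/crypto/ssh/terminal": true,
}

// Finding records one ReadPassword call site and which module the receiver package comes from.
type Finding struct {
	Pos        string // file:line:col of the call
	ImportPath string // import path the package identifier resolves to
	Trusted    bool   // true when ImportPath is in trustedProviders
}

// auditReadPassword parses one Go source file given as text and reports every
// selector call `<pkg>.ReadPassword(...)` together with the import path of <pkg>.
func auditReadPassword(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Map the local package name (explicit alias or last path element) to its import path.
	localNames := map[string]string{}
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		localNames[name] = path
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "ReadPassword" {
			return true
		}
		ident, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		path, known := localNames[ident.Name]
		if !known {
			return true // receiver is a local variable, not an imported package
		}
		findings = append(findings, Finding{
			Pos:        fset.Position(call.Pos()).String(),
			ImportPath: path,
			Trusted:    trustedProviders[path],
		})
		return true
	})
	return findings, nil
}

// Constructed sample input: a login helper that imports the impostor module from the article.
const sampleSrc = `package main

import (
	"fmt"
	"os"

	"github.com/xinfeisoft/crypto/ssh/terminal"
)

func main() {
	fmt.Print("Password: ")
	pw, _ := terminal.ReadPassword(int(os.Stdin.Fd()))
	fmt.Println(len(pw))
}
`

func main() {
	findings, err := auditReadPassword("login.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		status := "OK"
		if !f.Trusted {
			status = "UNTRUSTED PROVIDER"
		}
		fmt.Printf("%s: ReadPassword from %s [%s]\n", f.Pos, f.ImportPath, status)
	}
}
```

Run it over every file of a module from CI; the same check also implements the "monitor for unexpected calls to ReadPassword()" recommendation further down, since a call through any path other than the allowlisted ones is exactly the case this module exploits.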

Staging Script

The downloaded script acts as a Linux stager:

  • Appends the attacker’s SSH public key to /home/ubuntu/.ssh/authorized_keys.
  • Sets the default iptables policy to ACCEPT, loosening firewall restrictions.
  • Retrieves additional payloads from an external server, disguising them with a .mp5 extension.
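A host-side check for the first stager action is to compare the keys actually present in authorized_keys against an allowlist of expected fingerprints. The program below is an added example, not code from the article; it parses authorized_keys lines (including ones with leading options), computes OpenSSH-style SHA256 fingerprints using only the standard library, and returns the entries missing from the allowlist. The two ed25519 keys are generated at run time as constructed test data and the allowlist is an assumption; a real audit would read each account's authorized_keys file and compare against a maintained baseline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// fingerprint returns the OpenSSH-style "SHA256:<base64>" fingerprint of a decoded key blob.
func fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// parseAuthorizedKeys returns the fingerprint of every key line, skipping blanks and
// comments. Lines may carry leading options (e.g. no-pty), so the key type is located by
// scanning fields for an "ssh-"/"ecdsa-"/"sk-" prefix. Options containing spaces are not handled.
func parseAuthorizedKeys(content string) ([]string, error) {
	var fps []string
	for n, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		idx := -1
		for i, f := range fields {
			if strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "ecdsa-") || strings.HasPrefix(f, "sk-") {
				idx = i
				break
			}
		}
		if idx < 0 || idx+1 >= len(fields) {
			return nil, fmt.Errorf("line %d: no key found", n+1)
		}
		blob, err := base64.StdEncoding.DecodeString(fields[idx+1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		fps = append(fps, fingerprint(blob))
	}
	return fps, nil
}

// unexpectedKeys returns fingerprints present in the file but absent from the allowlist.
func unexpectedKeys(content string, allowed map[string]bool) ([]string, error) {
	fps, err := parseAuthorizedKeys(content)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, fp := range fps {
		if !allowed[fp] {
			bad = append(bad, fp)
		}
	}
	return bad, nil
}

// newEd25519Line builds an authorized_keys line and fingerprint for a freshly generated key
// (constructed test data; a real audit reads the actual file).
func newEd25519Line(comment string) (line, fp string) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// OpenSSH wire format: length-prefixed "ssh-ed25519", then the length-prefixed 32-byte key.
	var blob bytes.Buffer
	for _, part := range [][]byte{[]byte("ssh-ed25519"), pub} {
		_ = binary.Write(&blob, binary.BigEndian, uint32(len(part)))
		blob.Write(part)
	}
	enc := base64.StdEncoding.EncodeToString(blob.Bytes())
	return "ssh-ed25519 " + enc + " " + comment, fingerprint(blob.Bytes())
}

func main() {
	adminLine, adminFP := newEd25519Line("admin@bastion")
	rogueLine, _ := newEd25519Line("constructed-rogue-key")
	// Constructed file content: the second key stands in for what the stager appends.
	file := "# managed by config management\n" + adminLine + "\n" + rogueLine + "\n"
	bad, err := unexpectedKeys(file, map[string]bool{adminFP: true})
	if err != nil {
		panic(err)
	}
	for _, fp := range bad {
		fmt.Println("unexpected key in authorized_keys:", fp)
	}
}
```

The fingerprints it prints match what `ssh-keygen -lf` reports, so the allowlist can be built from existing key inventories; the same routine also covers the iptables change indirectly, since a new key that appears together with a policy flip is a stronger signal than either alone.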

Payloads

  1. Connectivity Helper – Tests internet connectivity and contacts IP 154.84.63[.]184 on TCP port 443. Likely used for reconnaissance or as a loader.

  2. Rekoobe Backdoor – A known Linux trojan detected in the wild since at least 2015. It can receive commands from an attacker‑controlled server to:

    • Download further payloads
    • Steal files
    • Launch a reverse shell

    Rekoobe has been observed in attacks attributed to Chinese nation‑state groups such as APT31.


Mitigation and Recommendations

  • The package remains listed on pkg.go.dev, but the Go security team has flagged it as malicious.
  • Defenders should:
    • Audit Go dependencies for impostor modules that mimic legitimate namespaces.
    • Monitor for unexpected calls to ReadPassword() or other credential‑handling functions.
    • Restrict execution of remote scripts fetched via curl | sh pipelines.
    • Employ supply‑chain security tools that verify module provenance (e.g., checksum verification, signed releases).
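The namespace confusion described in the overview and the first recommendation above (audit dependencies for impostor modules) can be reduced to a mechanical go.mod check: flag any required module whose final path element matches a well-known module's but whose full path is neither that module nor one of its sub-paths. The program below is an added example, not code from the article or from the Go team; the canonical list and the sample go.mod (with constructed version strings) are assumptions to be replaced by an organisation's own baseline.

```go
package main

import (
	"fmt"
	"strings"
)

// canonical lists modules worth impersonating (assumption for this example).
var canonical = []string{
	"golang.org/x/crypto",
	"golang.org/x/net",
	"golang.org/x/sys",
	"golang.org/x/term",
	"golang.org/x/text",
}

// Suspect pairs a required module with the canonical module it resembles.
type Suspect struct {
	Module, Version, Resembles string
}

// requires extracts (path, version) pairs from go.mod text, handling both the
// single-line `require path version` form and the parenthesised block form.
func requires(goMod string) [][2]string {
	var out [][2]string
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comments such as "// indirect"
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out = append(out, [2]string{f[1], f[2]})
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out = append(out, [2]string{f[0], f[1]})
			}
		}
	}
	return out
}

func lastSegment(p string) string { return p[strings.LastIndex(p, "/")+1:] }

// findImpostors flags required modules whose final path element matches a canonical
// module's but whose full path is not that module or a sub-path of it.
func findImpostors(goMod string) []Suspect {
	var found []Suspect
	for _, r := range requires(goMod) {
		path := r[0]
		for _, c := range canonical {
			if path == c || strings.HasPrefix(path, c+"/") {
				continue // the real module, or a nested module under it
			}
			if lastSegment(path) == lastSegment(c) {
				found = append(found, Suspect{Module: path, Version: r[1], Resembles: c})
			}
		}
	}
	return found
}

// Constructed go.mod: the first requirement is the look-alike path from the article;
// version strings are made up for the example.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.0.1 // constructed version
	golang.org/x/crypto v0.1.0
	golang.org/x/sys v0.1.0 // indirect
)
`

func main() {
	for _, s := range findImpostors(sampleGoMod) {
		fmt.Printf("suspect: %s %s resembles %s\n", s.Module, s.Version, s.Resembles)
	}
}
```

The heuristic catches github.com/xinfeisoft/crypto beside golang.org/x/crypto but will also surface legitimate forks that keep the same tail, so treat hits as review items rather than blocks. For the checksum part of the last recommendation, pair it with `go mod verify`, which checks downloaded module contents against the recorded go.sum hashes.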

“This campaign will likely repeat because the pattern is low‑effort and high‑impact: a look‑alike module that hooks a high‑value boundary (ReadPassword), uses GitHub Raw as a rotating pointer, then pivots into curl | sh staging and Linux payload delivery.” – Kirill Boychenko

