Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor
In a sophisticated supply chain attack, cybersecurity researchers have uncovered a malicious Go module that impersonates a legitimate cryptographic library to harvest passwords and deploy the notorious Rekoobe Linux backdoor. This campaign highlights the growing threat of namespace confusion attacks targeting open-source software ecosystems.
The Impersonation Scheme
The malicious package, hosted at github[.]com/xinfeisoft/crypto, carefully mimics the legitimate golang.org/x/crypto codebase. The impersonation works because the official Go crypto library is also mirrored on GitHub, so a GitHub-hosted lookalike with a similar path blends seamlessly into dependency graphs.
Socket security researcher Kirill Boychenko revealed that the malicious module injects code into the “ssh/terminal/terminal.go” file, specifically targeting the ReadPassword() function. This function, designed to securely read password input from terminals, becomes the attack’s entry point. Every time an application invokes ReadPassword(), the malicious code captures the entered credentials and exfiltrates them to a remote endpoint.
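A defender-side check that follows from this description is to audit the copy of the terminal package actually present in a module cache or vendor tree: a terminal input helper has no reason to import networking packages, and certainly no reason to use them inside ReadPassword(). The program below is an added example, not code from the article or from Socket; it parses a Go source file with the standard go/parser and go/ast packages and reports suspect imports and their use inside ReadPassword(). The deny-list and the embedded sample source are assumptions constructed for the example, not the real injected code.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// suspectImports lists packages a terminal I/O helper has no business importing.
// Assumption: this deny-list is our own choice for the example, not Socket's rule set.
var suspectImports = map[string]bool{
	"net":      true,
	"net/http": true,
	"os/exec":  true,
}

// Finding is one line in the audited file that warrants a look.
type Finding struct {
	Line   int
	Detail string
}

// AuditTerminalSource parses Go source and reports (a) imports from the
// suspect list and (b) any use of those packages inside ReadPassword.
func AuditTerminalSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	// Map each import's local name (e.g. "http") to its full path.
	localNames := map[string]string{}
	for _, imp := range file.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name
		}
		localNames[name] = path
		if suspectImports[path] {
			findings = append(findings, Finding{
				Line:   fset.Position(imp.Pos()).Line,
				Detail: "unexpected import " + path,
			})
		}
	}
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Name.Name != "ReadPassword" || fn.Body == nil {
			continue
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			sel, ok := n.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if !ok {
				return true
			}
			if path, known := localNames[pkg.Name]; known && suspectImports[path] {
				findings = append(findings, Finding{
					Line:   fset.Position(sel.Pos()).Line,
					Detail: fmt.Sprintf("ReadPassword uses %s.%s", path, sel.Sel.Name),
				})
			}
			return true
		})
	}
	return findings, nil
}

// constructedSample is a hand-written stand-in for a tampered terminal.go:
// a network package wired into ReadPassword. It is not the real injected code.
const constructedSample = `package terminal

import "net/http"

func ReadPassword(fd int) ([]byte, error) {
	_ = http.DefaultClient // stand-in for a network call
	return []byte("example"), nil
}
`

func main() {
	findings, err := AuditTerminalSource("terminal.go", constructedSample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("terminal.go:%d: %s\n", f.Line, f.Detail)
	}
}
```

In practice you would point AuditTerminalSource at the ssh/terminal/terminal.go file under $GOMODCACHE or vendor/ for every module whose path ends in "crypto", and treat any finding as grounds to compare the module against the upstream copy.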
The Multi-Stage Attack Chain
Once passwords are harvested, the module fetches a shell script from the attacker’s infrastructure. This script serves as a Linux stager with several malicious functions:
First, it appends the attacker’s SSH key to the “/home/ubuntu/.ssh/authorized_keys” file, establishing persistent backdoor access. Second, it modifies iptables default policies to ACCEPT, effectively disabling firewall protections. Finally, it downloads additional payloads disguised with the .mp5 extension from external servers.
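The two host-level changes the stager makes are both easy to check for. The following Go program is an added example, not code from the article or from Socket: it flags authorized_keys entries whose key material is not on an allow-list, and compares the default policies in `iptables -S` output against an expected baseline. The baseline, the key blobs and the sample file contents are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// baselinePolicies is the firewall posture we expect on the host. Assumption:
// a constructed baseline for this example, not a value from the report.
var baselinePolicies = map[string]string{
	"INPUT":   "DROP",
	"FORWARD": "DROP",
	"OUTPUT":  "ACCEPT",
}

// keyBlob returns the base64 key field of an authorized_keys line, skipping
// any leading options (command="...", no-pty, ...). Empty if no key type found.
func keyBlob(line string) string {
	fields := strings.Fields(line)
	for i, f := range fields {
		isType := strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "ecdsa-") || strings.HasPrefix(f, "sk-")
		if isType && i+1 < len(fields) {
			return fields[i+1]
		}
	}
	return ""
}

// UnexpectedKeys returns every non-comment entry whose key blob is not in the
// allow-list. Comparing blobs rather than whole lines means a changed comment
// or an added option cannot disguise an unfamiliar key.
func UnexpectedKeys(authorizedKeys string, allowedBlobs []string) []string {
	allowed := map[string]bool{}
	for _, b := range allowedBlobs {
		allowed[b] = true
	}
	var unexpected []string
	sc := bufio.NewScanner(strings.NewReader(authorizedKeys))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if blob := keyBlob(line); blob == "" || !allowed[blob] {
			unexpected = append(unexpected, line)
		}
	}
	return unexpected
}

// PolicyDrift parses `iptables -S` output and reports chains whose default
// policy (-P lines) differs from the expected baseline.
func PolicyDrift(rules string, expected map[string]string) []string {
	var drift []string
	sc := bufio.NewScanner(strings.NewReader(rules))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[0] != "-P" {
			continue
		}
		if want, ok := expected[f[1]]; ok && want != f[2] {
			drift = append(drift, fmt.Sprintf("%s: expected %s, found %s", f[1], want, f[2]))
		}
	}
	return drift
}

// Constructed inputs standing in for a host after a stager of this kind has run.
const constructedAuthorizedKeys = `# constructed sample, not a real file
ssh-ed25519 AAAAC3KnownKeyBlobExample admin@workstation
ssh-rsa AAAAB3UnknownKeyBlobExample root@unknown
`

const constructedIptables = `-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
`

func main() {
	for _, k := range UnexpectedKeys(constructedAuthorizedKeys, []string{"AAAAC3KnownKeyBlobExample"}) {
		fmt.Println("unexpected authorized key:", k)
	}
	for _, d := range PolicyDrift(constructedIptables, baselinePolicies) {
		fmt.Println("firewall policy drift:", d)
	}
}
```

Run against a real host, feed UnexpectedKeys the contents of each user's ~/.ssh/authorized_keys (the report names /home/ubuntu/.ssh/authorized_keys specifically) and PolicyDrift the output of `iptables -S`; either function returning a non-empty slice is worth an alert.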
The Rekoobe Connection
Among the downloaded payloads, researchers identified the Rekoobe Linux backdoor—a sophisticated malware family that has been active since at least 2015. Rekoobe, also known as LightAgent, is a cross-platform trojan capable of receiving commands from attacker-controlled servers to download additional payloads, steal files, and execute reverse shells.
The malware’s capabilities make it particularly dangerous for enterprise environments. Once installed, Rekoobe can maintain persistent access, exfiltrate sensitive data, and serve as a launchpad for further attacks. Security firms have documented Rekoobe’s use by Chinese nation-state groups, including APT31, as recently as August 2023.
The Broader Implications
This attack demonstrates how threat actors exploit the trust inherent in open-source software ecosystems. By impersonating legitimate packages and targeting credential-gathering functions, attackers can compromise development environments and downstream applications with minimal detection.
The Go security team has blocked the malicious package, but it remains listed on pkg.go.dev, highlighting the challenges of maintaining package repository security. Boychenko warns that this campaign represents a low-effort, high-impact pattern likely to be repeated against other credential-sensitive libraries.
Defensive Recommendations
Organizations should implement rigorous dependency verification processes, including checksum validation and package signing verification. Developers should scrutinize dependency graphs for suspicious packages, particularly those that closely resemble legitimate libraries. Network monitoring should watch for unusual outbound connections, especially to infrastructure associated with known malicious activity.
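Two of these recommendations can be mechanised directly against a Go project's go.mod and go.sum. The program below is an added example, not code from the article, Socket or the Go project: it parses the require directives, flags modules whose final path element matches a trusted module but whose full path does not (the namespace-confusion shape described above), and lists requirements with no content hash in go.sum. The module fragments, versions and hash values are constructed placeholders; only the lookalike path comes from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one module/version pair from a go.mod require directive.
type Requirement struct {
	Path, Version string
}

// ParseRequires extracts require directives from go.mod text, handling both
// the single-line form and the parenthesised block form; comments are dropped.
func ParseRequires(goMod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs = append(reqs, Requirement{f[0], f[1]})
		case len(f) == 3 && f[0] == "require":
			reqs = append(reqs, Requirement{f[1], f[2]})
		}
	}
	return reqs
}

func leaf(path string) string { return path[strings.LastIndex(path, "/")+1:] }

// Lookalikes flags requirements whose final path element matches a trusted
// module's leaf but whose full path differs: the namespace-confusion shape.
func Lookalikes(reqs []Requirement, trusted []string) []string {
	byLeaf := map[string]string{}
	for _, t := range trusted {
		byLeaf[leaf(t)] = t
	}
	var hits []string
	for _, r := range reqs {
		if t, ok := byLeaf[leaf(r.Path)]; ok && t != r.Path {
			hits = append(hits, fmt.Sprintf("%s resembles %s", r.Path, t))
		}
	}
	return hits
}

// MissingSums returns requirements that have no "<path> <version> h1:..." line
// in go.sum, i.e. modules whose content hash the build cannot verify.
func MissingSums(reqs []Requirement, goSum string) []string {
	present := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && strings.HasPrefix(f[2], "h1:") && !strings.HasSuffix(f[1], "/go.mod") {
			present[f[0]+" "+f[1]] = true
		}
	}
	var missing []string
	for _, r := range reqs {
		if key := r.Path + " " + r.Version; !present[key] {
			missing = append(missing, key)
		}
	}
	return missing
}

// Constructed go.mod / go.sum fragments: the lookalike path is the one the
// report names; the versions and hash are placeholders, not real values.
const constructedGoMod = `module example.com/app

go 1.22

require (
	github.com/xinfeisoft/crypto v0.1.0 // placeholder version
	golang.org/x/text v0.14.0
)
`

const constructedGoSum = `golang.org/x/text v0.14.0 h1:PLACEHOLDERHASH=
golang.org/x/text v0.14.0/go.mod h1:PLACEHOLDERHASH=
`

// trustedModules is the allow-list the leaf comparison runs against (assumed).
var trustedModules = []string{"golang.org/x/crypto", "golang.org/x/text"}

func main() {
	reqs := ParseRequires(constructedGoMod)
	for _, h := range Lookalikes(reqs, trustedModules) {
		fmt.Println("lookalike:", h)
	}
	for _, m := range MissingSums(reqs, constructedGoSum) {
		fmt.Println("no go.sum entry:", m)
	}
}
```

The leaf comparison is deliberately coarse: it is a triage signal that sends a reviewer to look at the module's origin, not a verdict. Pair it with `go mod verify` and a checksum database, which this example does not replace.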
This incident serves as a stark reminder that supply chain security requires constant vigilance, as attackers continue to refine techniques that exploit the interconnected nature of modern software development.