A Supply Chain Attack Hiding in Plain Sight
A malicious Go module named github.com/xinfeisoft/crypto has been discovered impersonating the widely-used golang.org/x/crypto library. The module intercepts SSH password input, exfiltrates credentials to attacker infrastructure, and deploys the Rekoobe backdoor — a Linux trojan historically linked to the Chinese state-sponsored group APT31.
The Go security team has since blocked the package on pkg.go.dev, but the attack highlights a growing trend: supply chain compromises targeting developer toolchains rather than production systems directly.
How the Attack Works
Phase 1: Credential Theft via ReadPassword() Hook
The backdoor is embedded in ssh/terminal/terminal.go, specifically in the ReadPassword() function. Any application importing this module that prompts for SSH passwords will silently send captured credentials to an attacker-controlled endpoint.
This is particularly dangerous because ReadPassword() is a trusted function used by thousands of Go applications for secure terminal input. Developers importing what appears to be a legitimate crypto library would have no visual indication of compromise.
Phase 2: Shell Script Delivery
After exfiltrating credentials, the module fetches and executes a shell script from attacker infrastructure. The script performs three actions:
- Appends threat actor SSH public keys to `/home/ubuntu/.ssh/authorized_keys` for persistent access
- Modifies `iptables` default policies to ACCEPT, effectively disabling the host firewall
- Downloads additional payloads disguised with `.mp5` file extensions
Phase 3: Rekoobe Backdoor Deployment
The final payload is Rekoobe, a Linux backdoor active since 2015 and recently linked to APT31 (August 2023 attribution). Rekoobe provides:
- Remote command execution
- File exfiltration
- Reverse shell capability
- Additional malware staging
A secondary payload tests connectivity to 154.84.63.184 over TCP/443, likely functioning as a C2 beacon or payload loader.
Detection & Hunting
MITRE ATT&CK Mapping
| Technique | ID | Description |
|---|---|---|
| Supply Chain Compromise | T1195.001 | Malicious Go module impersonating legitimate library |
| Input Capture | T1056.001 | ReadPassword() hook capturing SSH credentials |
| Account Manipulation: SSH Keys | T1098.004 | Injecting authorized_keys for persistence |
| Impair Defenses: Disable Firewall | T1562.004 | iptables policy set to ACCEPT |
| Ingress Tool Transfer | T1105 | Downloading Rekoobe and secondary payloads |
| Command and Scripting | T1059.004 | Shell script execution for staging |
Sigma Rule: Detect Unauthorized authorized_keys Modification
```yaml
title: Unauthorized SSH Authorized Keys Modification
status: experimental
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|endswith: '/.ssh/authorized_keys'
  filter_known:
    Image|endswith:
      - '/usr/bin/ssh-copy-id'
      - '/usr/sbin/sshd'
  condition: selection and not filter_known
level: high
tags:
  - attack.persistence
  - attack.t1098.004
```
Sigma Rule: Detect iptables Policy Reset to ACCEPT
```yaml
title: Firewall Policy Reset to ACCEPT
status: experimental
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - 'iptables'
      - '-P'
      - 'ACCEPT'
  condition: selection
level: critical
tags:
  - attack.defense_evasion
  - attack.t1562.004
```
IOCs
| Type | Value | Context |
|---|---|---|
| Go Module | github.com/xinfeisoft/crypto | Malicious impersonation package |
| IP Address | 154.84.63.184 | C2 beacon / payload loader (TCP/443) |
| File Path | ssh/terminal/terminal.go | Backdoored ReadPassword() function |
| File Extension | .mp5 | Disguised payload downloads |
Mitigation Steps
- Audit Go dependencies immediately. Run `go list -m all` and search for `xinfeisoft` in your module graph. The legitimate crypto package is `golang.org/x/crypto`, not any GitHub mirror.
- Pin module checksums. Use `go.sum` verification, and `GONOSUMCHECK` should never include crypto libraries. Enable `GOFLAGS=-mod=readonly` in CI.
- Monitor authorized_keys changes. Deploy file integrity monitoring (FIM) on `~/.ssh/authorized_keys` across all Linux hosts.
- Alert on iptables policy changes. Any process resetting the iptables default policy to ACCEPT outside of maintenance windows is a high-confidence indicator.
- Hunt for Rekoobe indicators. Scan for outbound connections to `154.84.63.184:443` and unusual `.mp5` file downloads in proxy logs.
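The dependency audit from the first two steps, as an added example that is not from the original post: it parses `go list -m all` output (a constructed sample below) and goes beyond the single module name by flagging any module that reuses a golang.org/x repository name outside `golang.org/x/`, plus any replace directive that redirects a golang.org/x module to another path. The `xRepos` list and the `github.com/someone/net` placeholder are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Well-known golang.org/x repositories (assumed list; extend as needed).
var xRepos = map[string]bool{
	"crypto": true, "net": true, "sys": true, "text": true,
	"term": true, "tools": true, "oauth2": true, "time": true,
}
type Finding struct{ Module, Reason string }

// AuditModuleList parses `go list -m all` output ("path version", or
// "path version => newpath newversion" for replaced modules) and flags
// golang.org/x look-alikes plus replace directives that redirect x/ modules.
func AuditModuleList(output string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(output, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		left, right, replaced := strings.Cut(line, " => ")
		path := strings.Fields(left)[0]
		isX := strings.HasPrefix(path, "golang.org/x/")
		last := path[strings.LastIndex(path, "/")+1:] // final path element
		switch {
		case replaced && isX && strings.Fields(right)[0] != path:
			findings = append(findings, Finding{path, "replaced by " + strings.Fields(right)[0]})
		case !isX && xRepos[last]:
			findings = append(findings, Finding{path, "mimics golang.org/x/" + last})
		}
	}
	return findings
}

// sampleOutput is constructed; github.com/someone/net is a placeholder path.
const sampleOutput = `example.com/app
github.com/xinfeisoft/crypto v0.1.0
golang.org/x/crypto v0.21.0
golang.org/x/net v0.23.0 => github.com/someone/net v0.0.1
github.com/spf13/cobra v1.8.0
`

func main() {
	for _, f := range AuditModuleList(sampleOutput) {
		fmt.Printf("SUSPICIOUS %s: %s\n", f.Module, f.Reason)
	}
}
```

In CI, pipe the real command output into AuditModuleList and fail the build on any finding.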
Attacker Perspective
This attack demonstrates an increasingly common pattern: compromise the developer, not the server. By targeting the build pipeline, attackers achieve code execution inside the trust boundary before any runtime security control can intervene. The choice of ReadPassword() as the hook point is tactically sound — it guarantees execution only when handling sensitive input, reducing noise and avoiding detection during testing.
Red teams should note: supply chain attacks via typosquatted or impersonation packages remain highly effective against organizations that lack dependency pinning and build-time integrity checks.
Actionable Summary
- Immediate: Audit all Go projects for `xinfeisoft` module references
- Short-term: Deploy FIM on SSH key files and iptables monitoring
- Long-term: Implement dependency pinning, SBOM generation, and build provenance verification (SLSA Level 2+)
Need help assessing your exposure? Apply to our Beta Tester Program at theinsider-x.com for a comprehensive penetration test.