BACK TO NEWS
Breaking News

Malicious Go Crypto Module Targets Linux Systems with Password Theft, Rekoobe Backdoor

2 min readSource: The Hacker News

Researchers uncover a trojanized Go module impersonating golang.org/x/crypto, stealing credentials and deploying the Rekoobe Linux backdoor for persistent access.

Malicious Go Module Exfiltrates Credentials, Deploys Rekoobe Backdoor

Cybersecurity researchers have identified a malicious Go module designed to harvest terminal passwords, establish persistent SSH access, and deploy the Rekoobe Linux backdoor. The module, hosted at github[.]com/xinfeisoft/crypto, masquerades as the legitimate golang.org/x/crypto repository but contains obfuscated code to exfiltrate sensitive data.

Technical Details

The trojanized module leverages the trusted namespace of the official Go cryptography library to evade detection. Once integrated into a victim’s environment, it:

  • Captures terminal passwords entered via standard input, including SSH and sudo credentials.
  • Establishes persistent access by modifying SSH configurations or injecting malicious keys.
  • Deploys Rekoobe, a lightweight Linux backdoor known for its stealth and remote command execution capabilities.

The malicious code is embedded within the module’s source, disguising itself as legitimate cryptographic functions while executing additional payloads in the background.

Impact Analysis

This attack poses significant risks to Linux-based systems, particularly in development and production environments where Go modules are frequently used. Key concerns include:

  • Credential theft: Compromised passwords could grant attackers access to sensitive systems, databases, or cloud infrastructure.
  • Persistent backdoor access: Rekoobe enables long-term control over infected hosts, facilitating data exfiltration or lateral movement.
  • Supply chain risks: Developers inadvertently pulling the malicious module could unknowingly introduce vulnerabilities into their projects.

Recommendations

Security teams should take the following steps to mitigate risks:

  1. Verify module sources: Audit Go dependencies to ensure they originate from official repositories (e.g., golang.org/x/crypto).
  2. Monitor for suspicious activity: Detect unusual SSH connections or password prompts in terminal sessions.
  3. Update detection rules: Incorporate indicators of compromise (IoCs) associated with github[.]com/xinfeisoft/crypto and Rekoobe into threat intelligence feeds.
  4. Isolate affected systems: If the module is detected, quarantine impacted hosts and rotate exposed credentials.

For further details, refer to the original disclosure by The Hacker News.

Share

TwitterLinkedIn