GoScanSSH malware targets Linux systems but avoids government servers

A new strain of malware aimed at Linux-based SSH servers is actively trying to avoid infecting government or military systems.

GoScanSSH, a new strain of malware written in Golang (Go), has been targeting Linux-based SSH servers exposed to the internet — as long as those systems do not belong to the government or military.

In a new report, Cisco’s Talos Intelligence Group explained several other “interesting characteristics” of GoScanSSH, such as the fact that attackers create unique malware binaries for each host that is infected with the malware

The researchers first learned the malware had infected an Ubiquiti Enterprise Gateway Router; they have since discovered more than 70 unique GoScanSSH malware samples. After finding multiple versions of the malware in the wild, they warned that “this threat is continuing to be actively developed and improved upon by the attackers.”

Usernames and targeted devices

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, honing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

GoScanSSH malware scans for additional vulnerable SSH servers exposed to the internet that can be infected, but it goes out of its way to avoid military or government systems. Talos explained that the scanning and identifying of additional vulnerable servers “is performed by first randomly generating an IP address, avoiding special-use addresses.”

It then compares the IP address to a list of CIDR blocks that the malware will not attempt to scan. The contents of this list are network ranges primarily controlled by various government and military entities, specifically avoiding ranges assigned to the U.S. Department of Defense as listed here. Additionally, one of the network ranges in the list is assigned to an organization in South Korea. If the selected IP falls into these network ranges, it is discarded and a new IP address is generated.

If the malware can connect to the IP address via TCP/22, it performs a reverse DNS lookup to determine if the IP address is related to a domain. If it is related to a domain, then that domain is checked against a list of domains to make sure it isn’t related to government and military entities. If it is related, then the IP is changed.

Government and military on GoScanSSH’s domain blacklist

Talos provided both an IP blacklist and a domain blacklist that the malware uses to determine if it should continue attempts to compromise the system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither set of blacklists, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

The researchers intend to continue monitoring and tracking the attack. If interested, they provided the blacklists, IOCs, domains associated with the malware and additional technical details about GoScanSSH.