Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems.
“The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers,” Socket researcher Kirill Boychenko said in a new report.
“These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly.”
While all of them continue to be available on the official package repository, their corresponding GitHub repositories barring “github[.]com/ornatedoctrin/layout” are no longer accessible. The list of offending Go packages is below –
- shallowmulti/hypert (github.com/shallowmulti/hypert)
- shadowybulk/hypert (github.com/shadowybulk/hypert)
- belatedplanet/hypert (github.com/belatedplanet/hypert)
- thankfulmai/hypert (github.com/thankfulmai/hypert)
- vainreboot/layout (github.com/vainreboot/layout)
- ornatedoctrin/layout (github.com/ornatedoctrin/layout)
- utilizedsun/layout (github.com/utilizedsun/layout)
The counterfeit packages, Socket’s analysis found, contain code to achieve remote code execution. This is achieved by running an obfuscated shell command to retrieve and run a script hosted on a remote server (“alturastreet[.]icu”). In a likely effort to evade detection, the remote script is not fetched until an hour has elapsed.
The end goal of the attack is to install and run an executable file that can potentially steal data or credentials.
The disclosure arrived a month after Socket revealed another instance of a software supply chain attack targeting the Go ecosystem via a malicious package capable of granting the adversary remote access to infected systems.
“The repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly suggests a coordinated adversary who plans to persist and adapt,” Boychenko noted.
“The discovery of multiple malicious hypert and layout packages, along with multiple fallback domains, points to an infrastructure designed for longevity, enabling the threat actor to pivot whenever a domain or repository is blacklisted or removed.”
