Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor
Summary
A malicious Go module, disguised as a legitimate crypto library, steals passwords entered in the terminal and deploys the Rekoobe backdoor on Linux systems. The module, github[.]com/xinfeisoft/crypto, mimics the 'golang.org/x/crypto' codebase but contains malicious code for data exfiltration and backdoor deployment.
IFF Assessment
The malicious module poses a threat to developers and users by stealing credentials and installing a backdoor, compromising system security.
Defender Context
This attack highlights the risks of using third-party modules without proper verification, as malicious actors can use typosquatting or impersonation to distribute malware. Defenders should implement strong dependency management practices, including verifying module integrity and using tools to detect malicious code in dependencies. Monitoring for suspicious network connections and processes can help identify systems compromised by the Rekoobe backdoor.
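One way to apply the dependency check described above, as an added example that is not part of the original report: a small Go scanner for go.mod text. The module path is the one the report gives in defanged form; the sample go.mod, its versions, the example.net mirror path and the "/crypto" suffix heuristic are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	knownBad = "github.com/xinfeisoft/crypto" // path from the report, un-defanged
	genuine  = "golang.org/x/crypto"          // library the report says it mimics
)
// Constructed go.mod for the demonstration; versions and mirror path are made up.
const sample = `module example.com/app
require (
	github.com/xinfeisoft/crypto v0.15.0 // indirect
	golang.org/x/crypto v0.21.0
)
replace golang.org/x/crypto => example.net/mirror/crypto v0.21.0
`

// under reports whether path is module mod or a path below it.
func under(path, mod string) bool {
	return path == mod || strings.HasPrefix(path, mod+"/")
}

// ScanGoMod maps go.mod line numbers to the reason each line needs review.
func ScanGoMod(gomod string) map[int]string {
	out := map[int]string{}
	for i, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // ignore trailing comments
		f := strings.Fields(line)
		for j, tok := range f {
			switch {
			case under(tok, knownBad):
				out[i+1] = "module named in the report"
			case tok == "=>" && j+1 < len(f) && !under(f[j+1], genuine) &&
				(under(f[0], genuine) || under(f[1], genuine)):
				out[i+1] = "replace swaps " + genuine + " for " + f[j+1]
			case out[i+1] == "" && strings.HasSuffix(tok, "/crypto") && !under(tok, genuine):
				out[i+1] = "heuristic, review: other module named crypto: " + tok // assumption
			}
		}
	}
	return out
}

func main() {
	fmt.Println(ScanGoMod(sample)) // fmt prints map keys in sorted order
}
```

The suffix heuristic only prompts a manual review; a match on it is not evidence of compromise.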