Researchers had discovered a new strain of malware that targets vulnerable Linux-based systems. During the malware analysis on this malware, researchers have seen implemented an exciting habit of avoiding government and military networks.
This malware is named GoScanSSH, and it is being used in a widespread campaign that includes more than 70 unique malware. Its primary purpose is to infect as many devices as possible to create a botnet network for future use in more damaging attacks.
Targets are accessed using an SSH-credential brute-force attack against publicly accessible SSH servers.
Every system can be protected from this type of attacks by installing cybersecurity solutions. To be protected against malware, depending on which version of OS your device runs, please install an antivirus for Windows or antivirus for Mac. If you are a company always hire a professional cybersecurity firm to do regular checkups to your internal network multiple times per year. These checkups must always include a penetration test and various ethical hacking tests.
During the initial brute-force attack, the cybercriminals used a word list containing more than 7,000 username/password combinations. Once a valid credential successfully authenticates, a single GoScanSSH malware binary is created and uploaded to the compromised SSH server. After the upload is done, the malware is executed, and then the system is infected.
GoScanSSH malware will determine how robust the infected system is and assigns it a unique identifier, which is sent to the C&C server. Its next move is to initiate an SSH scanning activity to find additional vulnerable SSH servers exposed to the internet.
Interestingly is that It specifically avoids IP addresses assigned to the US. Department of Defense and several in South Korea and for now the reason for this is unclear. One theory is that the cybercriminals know that nation-states are resourced and have the political and networking connections to perform accurate attribution and by doing this they choose to stay away from such problems.
Companies should use best practices to ensure that servers they have remain protected, providing that systems are hardened with a cybersecurity solution. To be protected against malware, you must install an antivirus for Windows or antivirus for Mac, depending on which version of OS your device runs. Companies should verify their networks at least once a year by hiring professionals to do a penetration test and various ethical hacking tests. The best thing any company can do to protect against password reuse attacks is to enable some multifactor authentication for services such as VPNs, SSH servers, and web/cloud-based email services, which are reachable from the internet.