Privacy News Forgot About Default Accounts? No Worries, GoScanSSH Didn’t

Posted by upnorth (thread author)
During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make the attacker-controlled infrastructure more difficult to track and more resilient to takedowns.

Among others, these credential combinations specifically targeted the following:
  • Open Embedded Linux Entertainment Center (OpenELEC)
  • Raspberry Pi
  • Open Source Media Center (OSMC)
  • Ubiquiti device default credentials
  • Jailbroken iPhones
  • PolyCom SIP phone default credentials
  • Huawei device default credentials
  • Asterisk default credentials
  • Various keyboard patterns
  • Well-known commonly used passwords
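
The credential list above is the useful defensive signal in this write-up: a scanner that works through device-default accounts leaves a burst of failed logins for usernames such as pi, osmc and ubnt that have no business existing on most hosts. The script below, added here as an illustration and not code from Talos or from the GoScanSSH sample, parses standard OpenSSH "Failed password" syslog lines and flags any source that tries several distinct default-device usernames inside a short window. The username-to-device mapping, the thresholds and the log lines are all constructed assumptions for the example (sshd never logs the password, so the username is the only credential field available to key on); adjust them to your own fleet.

```python
"""Flag SSH brute-force sources that cycle through device-default usernames.

Added example, not part of the Talos write-up. The username mapping, the
thresholds and the sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames that go with the default-credential targets named in the
# write-up. This mapping is an assumption made for the example.
DEFAULT_DEVICE_USERS = {
    "pi": "Raspberry Pi",
    "osmc": "OSMC",
    "ubnt": "Ubiquiti",
    "root": "OpenELEC / jailbroken iPhone / generic",
    "admin": "generic (SIP phones, routers)",
    "asterisk": "Asterisk",
}

# Standard OpenSSH failure line as written to syslog; covers both the
# "invalid user" form (account absent) and the plain form (account present).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_failed_logins(lines):
    """Return (timestamp, username, source) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return events


def find_default_cred_scanners(lines, window_minutes=10, min_distinct=3):
    """Sources that fail for >= min_distinct distinct default usernames
    within window_minutes of each other.

    Returns {source: sorted list of default usernames seen}. Requiring
    several distinct usernames keeps a single admin mistyping the root
    password (one username, many attempts) from being flagged.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, user, src in parse_failed_logins(lines):
        if user in DEFAULT_DEVICE_USERS:
            by_src[src].append((ts, user))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; events are time-ordered,
        # so everything after index i that is within `window` of it counts.
        for i, (start, _) in enumerate(events):
            seen = {u for ts, u in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                flagged[src] = sorted(seen)
                break
    return flagged


# Constructed sample lines using RFC 5737 test addresses, not a real capture.
# 203.0.113.5 sweeps four default usernames in seconds; 198.51.100.7 is a
# legitimate root login after two typos; 192.0.2.9 spreads its attempts too
# thinly (30 minutes apart) to fall inside the default 10-minute window.
SAMPLE_LOG = """\
Mar 26 10:15:01 media sshd[2041]: Failed password for invalid user pi from 203.0.113.5 port 43210 ssh2
Mar 26 10:15:03 media sshd[2043]: Failed password for invalid user osmc from 203.0.113.5 port 43212 ssh2
Mar 26 10:15:06 media sshd[2045]: Failed password for invalid user ubnt from 203.0.113.5 port 43215 ssh2
Mar 26 10:15:09 media sshd[2047]: Failed password for root from 203.0.113.5 port 43219 ssh2
Mar 26 10:20:40 media sshd[2101]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 26 10:20:45 media sshd[2103]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar 26 10:21:02 media sshd[2105]: Accepted publickey for root from 198.51.100.7 port 51002 ssh2
Mar 26 11:00:00 media sshd[2300]: Failed password for invalid user pi from 192.0.2.9 port 40000 ssh2
Mar 26 11:30:00 media sshd[2350]: Failed password for invalid user osmc from 192.0.2.9 port 40001 ssh2
Mar 26 12:00:00 media sshd[2400]: Failed password for invalid user ubnt from 192.0.2.9 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, users in find_default_cred_scanners(SAMPLE_LOG).items():
        print(f"{src}: tried default usernames {', '.join(users)}")
```

Run against the sample, only 203.0.113.5 is reported. Widening the window to a couple of hours also catches the slow scanner at 192.0.2.9, which is the usual trade-off: a longer window catches low-and-slow sweeps at the cost of more noise from legitimate hosts. The more durable fix is the one the credential list implies: no SSH on the internet with a password that shipped in the box.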