- Someone forked a popular database module and equipped it with malware
- The malicious fork was cached by the Go Module Mirror and stored indefinitely
- It was then creatively hidden in plain sight from Go developers
A software supply chain attack aimed at developers on the Go platform apparently hid in plain sight for three years while spreading malware, experts have warned.
Cybersecurity researchers at Socket Security discovered and publicly disclosed the campaign, which began in 2021 when someone took a relatively popular database module called Boltdb on GitHub and forked it. In the fork, they added malicious code that gave the attacker a backdoor into compromised computers.
That instance was cached indefinitely by the Go Module Mirror service.
Abusing the Go Module Mirror
For those unfamiliar with the Go Module Mirror: it is a proxy service operated by Google that stores and serves Go modules to improve reliability, availability and performance. It ensures that Go modules remain accessible even if the original source is modified, deleted or temporarily unavailable.
After the instance was cached, the attacker changed the git tags in the origin repository to redirect visitors to the benign version, essentially hiding the malware in plain sight.
“Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands,” security researcher Kirill Boychenko said in his report.
Speaking with The Hacker News, Socket said this is one of the first recorded cases of threat actors abusing the Go Module Mirror service.
“This is possible because git tags are mutable unless they are explicitly protected,” Socket said. “A repository owner can delete and reassign a tag to a different commit at any time. However, the Go module proxy had already cached the original malicious version, which was never updated or removed from the proxy, allowing the attack to persist.”
The malicious version ended up permanently available through the Go module proxy, Boychenko explained. “While this design benefits legitimate use cases, the threat actor exploited it to persistently distribute the malicious code despite later changes to the repository.”
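The mechanism described above (a cached module that no longer matches what the repository serves at the same tag) is detectable, because Go identifies a module version by an "h1:" checksum over its file contents, not by the git tag. The following added example, which is not code from Socket's report or from the Go project, recomputes that checksum for two in-memory file sets and flags drift between them. It follows the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash (sorted "sha256hex  name" lines, hashed and base64-encoded) so it uses only the standard library; the module path, version and file contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Hash1 computes a Go module "h1:" checksum over an in-memory set of files.
// It mirrors the Hash1 algorithm used by golang.org/x/mod/sumdb/dirhash:
// for every file (sorted by name) emit "<sha256 hex>  <name>\n", then
// SHA-256 that summary and base64-encode the digest. Names are the zip
// entry names, i.e. "module@version/relative/path", as in the proxy's .zip.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)

	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// TagDrift reports whether the content the proxy cached for a version differs
// from what the repository serves at that tag now, returning both checksums.
// A moved tag produces different files and therefore a different h1 hash;
// the same files in the same layout always produce the same hash.
func TagDrift(cached, upstream map[string][]byte) (bool, string, string) {
	c, u := Hash1(cached), Hash1(upstream)
	return c != u, c, u
}

func main() {
	// Constructed sample: the module as the proxy first cached it ...
	cached := map[string][]byte{
		"example.com/db@v1.0.0/go.mod": []byte("module example.com/db\n\ngo 1.21\n"),
		"example.com/db@v1.0.0/db.go":  []byte("package db\n\n// (extra code the attacker added)\n"),
	}
	// ... and the same tag as it reads after the owner pointed it at a clean commit.
	upstream := map[string][]byte{
		"example.com/db@v1.0.0/go.mod": []byte("module example.com/db\n\ngo 1.21\n"),
		"example.com/db@v1.0.0/db.go":  []byte("package db\n"),
	}
	drift, c, u := TagDrift(cached, upstream)
	fmt.Printf("proxy:    %s\nupstream: %s\ndrift:    %v\n", c, u, drift)
}
```

In practice the "cached" side is the hash already pinned in a project's go.sum (or served by the checksum database), and the "upstream" side is the hash of a fresh clone at the tag; a mismatch between them means the tag and the cached module have diverged and warrants a look at what the cached version contains before trusting it.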
Boychenko said he reported his findings and expects the malicious content to be removed: “As of this publication, the malicious package remains available on the Go Module proxy. We have requested its removal from the module mirror and have also reported the threat actor's repository and GitHub account, which were used to distribute the Boltdb-Go backdoored package.”