A supply-chain attack targeting Linux servers uses disk-wiping malware hidden in Go modules published on GitHub.
The campaign was detected last month and used "highly obfuscated code" to retrieve and execute a remote payload.
Full disk destruction
The attack is aimed specifically at Linux-based server and developer environments. The destructive payload is a bash script named done.sh that runs a 'dd' command to carry out the disk-wiping activity.
The payload also verifies that it is running in a Linux environment (runtime.GOOS == "linux") before attempting to execute.
Analysis by the supply-chain security company Socket shows that the command overwrites every byte of data with zeros, causing irreversible data loss and system failure.
The target is the primary storage volume, /dev/sda, which holds critical system data, user files, databases and configurations.
"By populating the entire disk with zeros, the script completely destroys the file system structure, the operating system and all user data, rendering the system unbootable and unrecoverable" – Socket
Researchers discovered the attack in April and identified three Go modules on GitHub, which have since been removed from the platform:
- github (.) com/truthfulpharm/prototransform
- github (.) com/blancloggia/go-mcp
- github (.) com/steelpoor/tlsproxy
All three modules contain obfuscated code that decodes into a command using 'wget' to download the malicious data-wiping script and pipe it into a shell (/bin/bash or /bin/sh).
According to Socket researchers, the payload executes immediately after download, leaving "almost no time for reaction or recovery."
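As an added defender-side example (not code from the article or from Socket), the following Go static check flags the three building blocks the article describes when they appear together in a Go source file: a platform gate on runtime.GOOS, a DecodeString call that could unpack an obfuscated command, and os/exec spawning a shell. The function and helper names and the heuristics are my own assumptions; it is a triage aid for reviewing an unfamiliar dependency, not a detector of these specific modules.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)

// ScanGoSource parses one Go source file and returns heuristic findings for a
// runtime.GOOS gate, a DecodeString call and a shell launched via exec.Command.
func ScanGoSource(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BinaryExpr: // e.g. runtime.GOOS == "linux"
			if isPkgSel(x.X, "runtime", "GOOS") || isPkgSel(x.Y, "runtime", "GOOS") {
				findings = append(findings, "platform gate on runtime.GOOS")
			}
		case *ast.CallExpr: // exec.Command("/bin/sh", ...) or base64/hex DecodeString(...)
			if isPkgSel(x.Fun, "exec", "Command") && len(x.Args) > 0 && isShellLit(x.Args[0]) {
				findings = append(findings, "exec.Command spawns a shell")
			} else if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "DecodeString" {
				findings = append(findings, "DecodeString call (possible obfuscated payload)")
			}
		}
		return true
	})
	return findings, nil
}

// isPkgSel reports whether e is the selector pkg.name (for example runtime.GOOS).
func isPkgSel(e ast.Expr, pkg, name string) bool {
	sel, ok := e.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	id, ok := sel.X.(*ast.Ident)
	return ok && id.Name == pkg && sel.Sel.Name == name
}

// shells lists quoted string literals (as the parser stores them) that name a shell.
var shells = map[string]bool{`"sh"`: true, `"bash"`: true, `"/bin/sh"`: true, `"/bin/bash"`: true}

func isShellLit(e ast.Expr) bool {
	lit, ok := e.(*ast.BasicLit)
	return ok && lit.Kind == token.STRING && shells[lit.Value]
}
```

Run it over each file of a newly added module during review; all three findings in one small file are a strong signal that the code deserves a closer look before it is built.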
The malicious Go modules impersonated legitimate projects: a library for converting message data between formats (prototransform), a Go implementation of the Model Context Protocol (go-mcp), and a TLS proxy tool for TCP and HTTP servers (tlsproxy).
Socket researchers warn that even minimal exposure to the analyzed destructive modules can have a catastrophic impact, up to and including complete data loss.
Because of the decentralized nature of the Go ecosystem, which lacks central vetting, packages from different developers can have identical or similar names.
Attackers can exploit this by publishing modules that appear legitimate and waiting for developers to integrate the malicious code into their projects.