Malicious Go Crypto Module Deploys Rekoobe Backdoor in Supply Chain Attack

In the modern software development lifecycle, trust is a commodity that attackers exploit with increasing precision. Security researchers have recently uncovered a sophisticated supply chain attack targeting the Go (Golang) ecosystem, involving a malicious module designed to exfiltrate credentials and establish persistent access on Linux systems.

This campaign centers on a deceptive module that impersonates a widely-used cryptographic library. By inserting this compromised dependency into their projects, developers inadvertently introduce a pathway for attackers to deploy the Rekoobe backdoor, leading to potential server compromises and data breaches.

The Trap: Typosquatting and Dependency Confusion

The attack vector relies on a classic but effective technique: typosquatting. The malicious package, github.com/xinfeisoft/crypto, is designed to appear almost identical to the legitimate golang.org/x/crypto. Developers who mistakenly import the wrong address—or who are tricked by manipulated documentation—integrate malicious code directly into their build pipelines.

Once imported, the module does not function as a cryptographic utility. Instead, it acts as a dropper and spyware agent.

Technical Analysis: Tactics, Techniques, and Procedures (TTPs)

The functionality of this malicious module goes beyond simple data theft. It exhibits complex behavior characteristic of advanced persistent threats (APTs):

• Terminal Hijacking: The module includes code to hook into the terminal's input stream. It specifically targets password prompts, capturing keystrokes entered by users during authentication sequences (such as sudo or SSH logins) and exfiltrating them to a command-and-control (C2) server.
• Persistence Mechanism: To ensure survival after system reboots, the malware establishes SSH persistence. This often involves generating new SSH keys or modifying authorized_keys files, granting the attacker permanent remote access to the compromised host.
• Rekoobe Backdoor Deployment: The ultimate payload is the deployment of Rekoobe, a Linux backdoor. Rekoobe is often associated with trojanized versions of legitimate server software (like Tiny Shell) and provides attackers with a remote shell, file transfer capabilities, and the ability to execute arbitrary commands.

Detection and Threat Hunting

Identifying this threat requires a two-pronged approach: scanning source code for the malicious dependency and hunting for the backdoor's behavior on active endpoints.

1. Scanning Source Code (Bash)

DevOps teams and security personnel should scan their codebases immediately for the malicious import path. The following bash command recursively searches for the malicious string in all Go module files (go.mod and go.sum).

grep -r "github.com/xinfeisoft/crypto" .


If this command returns any results, the environment is compromised and the code must be removed immediately.

2. Hunting for Rekoobe and SSH Persistence (KQL)

For SOC analysts utilizing Microsoft Sentinel or Defender for Identity, the following KQL query can help detect suspicious process activity associated with the Rekoobe backdoor and unauthorized SSH modifications. This query looks for unusual process chains involving SSH utilities spawned by Go build processes or unexpected modifications to SSH configuration files.

DeviceProcessEvents
| where Timestamp > ago(7d)
// Look for SSH related activity
| where FileName in~ ("ssh", "sshd", "sh", "bash") 
// Check for parent processes that might be build tools or the backdoor itself
| where InitiatingProcessFileName in~ ("go", "bash", "sh", "unknown") 
// Hunt for specific command line arguments used by Rekoobe for C2 communication
or ProcessCommandLine contains "-p" and ProcessCommandLine contains "/tmp/"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| sort by Timestamp desc

3. Investigating SSH Keys (Python)

The following Python snippet can be used by incident responders to audit the ~/.ssh/authorized_keys file on a Linux endpoint for keys that were added recently or look suspicious (e.g., keys with no comment or unusually long formats).

import os
import time

SSH_PATH = os.path.expanduser("~/.ssh/authorized_keys")

if os.path.exists(SSH_PATH):
    print(f"Auditing {SSH_PATH}...")
    with open(SSH_PATH, 'r') as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#"):
                parts = line.split()
                if len(parts) >= 2:
                    key_type = parts[0]
                    # Check for generic or suspicious comments
                    comment = parts[2] if len(parts) > 2 else "No Comment"
                    print(f"Found Key: {key_type} | Comment: {comment}")
else:
    print("No authorized_keys file found.")

Mitigation Strategies

To defend against this and similar supply chain attacks, organizations should implement the following controls:

1. Verify Dependency Integrity: Always verify the import paths in go.mod files. Ensure that dependencies point to the official, canonical repositories (e.g., golang.org/x/crypto) and not impersonating third-party mirrors.
2. Software Composition Analysis (SCA): Integrate SCA tools into the CI/CD pipeline. These tools can identify known malicious packages, typosquatting attempts, and vulnerabilities in real-time during the build process.
3. Network Segmentation: Restrict the outbound network access of build servers and development environments. C2 traffic like that used by Rekoobe can be blocked if strict egress filtering is enforced.
4. SSH Hardening: Disable password-based authentication for SSH and enforce key-based authentication only. Additionally, regularly audit authorized_keys files to remove orphaned or unknown keys.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub