Severity
High
Analysis Summary
A new malicious campaign targeting the Go ecosystem has been discovered, involving the use of typosquatted modules designed to deploy loader malware on Linux and macOS systems. The attack involves at least seven counterfeit Go packages impersonating widely used libraries, including one ("github[.]com/shallowmulti/hypert") that appears to be aimed at financial-sector developers.
According to the Researcher, these packages employ repeated malicious filenames and consistent obfuscation techniques, suggesting the involvement of a well-coordinated threat actor capable of quickly pivoting to avoid detection. While all of these packages remain available on the official repository, their corresponding GitHub repositories, except for "github[.]com/ornatedoctrin/layout," have been taken down.
The list of identified malicious packages includes variations of "hypert" and "layout," specifically: shallowmulti/hypert, shadowybulk/hypert, belatedplanet/hypert, thankfulmai/hypert, vainreboot/layout, ornatedoctrin/layout, and utilizedsun/layout. Analysis by Researcher revealed that these counterfeit modules contain remote code execution capabilities, achieved by running an obfuscated shell command that retrieves a script from "alturastreet[.]icu" after a delay of one hour. This delay tactic is likely an evasion technique to bypass automated security scans. The ultimate objective of the attack is to install and execute a secondary malware loader that can potentially steal sensitive data or credentials.
A critical component of this attack is the "f0eee999" executable, which functions as a secondary malware loader and backdoor. It allows the threat actor to establish persistence on infected machines, operate silently in the background, and wait for further commands from a command-and-control (C2) server. The backdoor ensures that the attacker maintains remote access to compromised systems, making it a severe security threat. This discovery follows a prior supply chain attack disclosed by Researcher, which targeted the Go ecosystem with another malicious package designed to grant attackers remote access.
The repeated use of identical filenames, obfuscation techniques involving array-based string manipulation, and delayed execution strategies indicate a highly organized adversary intent on long-term persistence. Furthermore, the discovery of multiple malicious packages, along with fallback domains, points to an infrastructure designed for resilience, allowing the threat actor to quickly adapt when a domain or repository is blacklisted. This campaign underscores the growing threats to software supply chains, highlighting the need for heightened vigilance and proactive security measures within the developer community.
Impact
- Sensitive Data Theft
- Security Bypass
- Code Execution
- Privilege Escalation
Indicators of Compromise
IP
- 185.100.157.127
MD5
b20b2688378e5abeebfad027f3d5088f
2cdb1f58b06fcfe8f6a96722b386d955
SHA-256
b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4
f70bc9a8e39eb36547717197efe88173c23c1b9c206d253f0e24a8aaadf0f915
SHA1
5c43bbe30b69e4349df1f54f35f7c96e71633236
93fd5bfb701aaeff324cd70091dad54b57f38767
URL
- http://185.100.157[.]127/storage/de373d0df/f0eee999
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Uninstall any of the identified malicious packages (hypert and layout variations) from your systems and projects.
- Verify your dependencies using go list -m all to detect any unauthorized or suspicious packages.
- Conduct a thorough review of your Go modules and dependencies for any signs of unauthorized changes or suspicious activity.
- Use tools like go mod verify and go mod tidy to check for unexpected modifications in your package dependencies.
- Inspect network logs for any connections to alturastreet[.]icu or other unknown remote servers.
- Block the domain alturastreet[.]icu and any associated IPs at the firewall and endpoint security levels.
- Search for the presence of the f0eee999 executable on infected systems.
- Look for unexpected scheduled tasks, startup entries, or other persistence mechanisms that might indicate a backdoor.
- Keep Go development environments, dependency management tools, and security software up to date.
- Apply the latest security patches to prevent exploitation of vulnerabilities.
- Use package integrity verification tools like go.sum to detect tampered dependencies.
- Prefer official and well-maintained repositories, and cross-check package authenticity before installation.
- Educate developers about typosquatting risks and the importance of verifying package sources before use.
- Implement strict policies to prevent the use of unverified third-party libraries in production environments.
- If an infection is detected, isolate affected systems and perform forensic analysis to assess the impact.
- Report any findings to security teams and relevant authorities to aid in further investigations.
- Restrict permissions to prevent unauthorized modifications to code repositories and dependency files.
- Enforce multi-factor authentication (MFA) for developer accounts and repository access.
- Set up automated monitoring for suspicious activity in code repositories and build pipelines.
- Subscribe to cybersecurity threat intelligence feeds to stay updated on emerging threats in the software supply chain.