Full Report
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub. [...]
Analysis Summary
# Tool/Technique: Linux Wiper Malware Distributed via Malicious Go Modules
## Overview
This entry describes Linux wiper malware found hidden in malicious Go modules published on GitHub. The malware's sole purpose is destructive data erasure on Linux systems, leaving them unbootable and unrecoverable.
## Technical Details
- Type: Malware (Wiper)
- Platform: Linux
- Capabilities: Overwrites the primary storage volume (`/dev/sda`) with zeros, destroying file system structures, the operating system, and all user data.
- First Seen: Discovered in April (year not specified in snippet, likely 2024 based on context of recent research).
## MITRE ATT&CK Mapping
*Note: Specific ATT&CK mapping for the wiper payload itself is inferred based on its destructive nature.*
- TA0003 - Persistence (Potential, if module installation allows follow-up)
- T1587 - Develop Capabilities (Attacker creating and uploading malicious modules)
- TA0004 - Privilege Escalation (If needed to access drive)
- TA0010 - Impact (Primary Tactic)
- T1485 - Data Destruction
- T1490 - Inhibit System Recovery
## Functionality
### Core Capabilities
- **Platform Verification:** Checks if the operating system is Linux (`runtime.GOOS == "linux"`).
- **Wiping Mechanism:** Overwrites every byte of data on the primary storage volume (`/dev/sda`) with zeros.
- **Immediate Execution:** The downloaded payload is executed immediately via `/bin/bash` or `/bin/sh`, limiting response time.
### Advanced Features
- **Supply Chain Attack Vector:** Distributed by disguising malicious code within legitimate-looking Go modules on GitHub (e.g., impersonating `prototransform`, `go-mcp`, `tlsproxy`).
- **Obfuscation:** The Go modules contain obfuscated code that decodes into commands to download the destructive script using `wget`.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text]. The downloaded script is executed via `/bin/bash` or `/bin/sh`.
- Registry Keys: [Not applicable on Linux]
- Network Indicators: Download initiated via `wget` commands embedded in the malicious Go modules.
- Behavioral Indicators:
  - Execution of shell commands (`/bin/bash` or `/bin/sh`) triggered by Go program execution.
  - Direct manipulation and zeroing out of the primary disk device (`/dev/sda`).
## Associated Threat Actors
- [Not named in the source text; Socket's research attributes the modules to unknown actors abusing weak publishing controls in the Go module ecosystem.]
## Detection Methods
- **Signature-based detection:** Signatures targeting the specific malicious Go dependencies:
  - `github[.]com/truthfulpharm/prototransform`
  - `github[.]com/blankloggia/go-mcp`
  - `github[.]com/steelpoor/tlsproxy`
- **Behavioral detection:** Detecting attempts by Go binaries to execute `wget` followed by direct low-level disk access or system calls related to zeroing out `/dev/sda`.
- **YARA rules:** [Not provided in the source text]
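A minimal `go.mod` checker for the three module paths listed above, as an added example that is not from the source report or from Socket's tooling. It assumes the defanged `github[.]com` paths correspond to the real `github.com` module paths, and the sample `go.mod` it scans is constructed here with placeholder versions.

```go
package main
import (
	"bufio"
	"fmt"
	"strings"
)

// Module paths the report names as malicious Go dependencies (defanged in the text above).
var maliciousModules = map[string]bool{
	"github.com/truthfulpharm/prototransform": true,
	"github.com/blankloggia/go-mcp":           true,
	"github.com/steelpoor/tlsproxy":           true,
}
// FindMaliciousRequires scans go.mod text and returns "path@version" for every
// require entry (single-line or inside a require block) whose path is blocklisted.
func FindMaliciousRequires(gomod string) []string {
	var hits []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0]) // strip comments such as "// indirect"
		switch {
		case len(f) == 0:
			continue
		case inBlock && f[0] == ")":
			inBlock = false
			continue
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
			continue
		case f[0] == "require" && len(f) == 3:
			f = f[1:] // single-line "require path version"
		case !inBlock:
			continue // module, go, replace, exclude directives
		}
		if len(f) == 2 && maliciousModules[f[0]] {
			hits = append(hits, f[0]+"@"+f[1])
		}
	}
	return hits
}
// Constructed sample go.mod; the versions are placeholders, not observed values.
const sampleGoMod = "module example.com/app\n\nrequire github.com/steelpoor/tlsproxy v0.1.0\n\n" +
	"require (\n\tgithub.com/blankloggia/go-mcp v1.0.0 // indirect\n\tgolang.org/x/text v0.14.0\n)\n"
func main() {
	for _, h := range FindMaliciousRequires(sampleGoMod) {
		fmt.Println("malicious dependency:", h)
	}
}
```

Feeding the real `go.mod` (and, for transitive dependencies, the output of `go list -m all`) into the same function gives a quick CI gate for the listed module paths.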
## Mitigation Strategies
- **Dependency Scanning:** Implement thorough vetting and scanning of third-party Go modules before integration due to the lack of strict checks in the Go ecosystem.
- **Least Privilege:** Run applications without the privileges needed to open and overwrite whole block devices such as `/dev/sda`.
- **Backup and Recovery:** Maintain robust, offline, and tested backups, as the attack leads to unrecoverable data loss.
- **Source Trust:** Verify the authenticity and reputation of new or unfamiliar open-source packages, especially those with common or similar names.
## Related Tools/Techniques
- Supply Chain Attacks targeting software repositories (similar to dependency confusion or malicious package publishing).
- Data Destruction/Wiper Malware targeting Linux environments.