VERY IMPORTANT

The initial infection vector leveraged by GoScanSSH was likely an SSH credential brute-force attack against a publicly accessible SSH server that allowed password-based SSH authentication. In this particular series of attacks, the attacker was leveraging a word list containing more than 7,000 username/password combinations. Once the attacker has discovered a valid credential set that allows successful SSH authentication, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server. The malware is then executed, thus infecting the system.