In recent months, I have taken a keen interest in malware written in the Go programming language. Go, sometimes referred to as GoLang, was created by Google in 2009 and has gained additional popularity within the malware development community in recent years. While there have been an increasing number of blogs in recent years discussing Go malware families, I wanted to know whether this programming language was indeed on the rise where malware is concerned. Additionally, I was curious which malware families would be most prevalent, as there is a notion among many that Go is primarily used by penetration testers and red teamers. With that in mind, I set out to collect as much malware written in Go as possible and cluster it by malware family. This blog discusses my methodology of data collection and my results.

In total, roughly 10,700 unique malware samples written in Go were obtained. Based on the samples' first-seen timestamps, we can conclude that Go-compiled malware has been steadily on the rise for a number of months. Additionally, 92% of the samples identified were compiled for the Windows operating system, indicating that this is the system most heavily targeted by Go malware developers.

For 75% of the samples, the malware family could be identified. The most prominent malware families included Veil, GoBot2, and HERCULES. Additionally, the most prevalent malware groupings included Pentesting, Remote Access Trojans (RATs), and Backdoors.

For a point of clarification, the distinction made between RATs and Backdoors pertains to the malware family's feature set. Those that simply provided minimal functionality and remote access were labeled as a Backdoor, while fully featured Remote Access Trojans were labeled as such.

Go has a number of features that might entice an attacker to use this particular programming language. Certainly one of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms, including Windows, OSX, and Linux. This allows an attacker to focus on a single codebase that can be used to infect victims on various platforms, versus other programming languages that might require an attacker to maintain three different code repositories. Other alternatives include using a universal scripting language, such as Python, to write the codebase. This was seen previously with the Chafer threat group, which wrote one of its payloads in Python. The Seaduke malware family is another example of a threat group that took this approach. However, as Windows historically has not provided Python natively within the environment, for these codebases to execute properly there they must be packaged using a utility such as PyInstaller. Such a tool, while accomplishing the job, leaves a number of traces in the files it drops at runtime. Go, by contrast, leaves none of these artifacts, which may be to the benefit of the attacker.

Another positive to Go (or negative, depending on how you view it) is the fact that all necessary libraries are statically linked within the compiled binary. This typically results in a binary of higher than average size. Of the 10,700 malware samples written in Go, the average size was 4.65MB. This is far larger than malware typically is, making it more difficult to use in Trojaned packages. Additionally, it may be more difficult to include in phishing emails, as the attachment's large size may not be permitted by the email server. However, this large size has unexpected benefits as well. In certain circumstances, anti-virus products may ignore files, or be unable to scan them, in the event they are too large.
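As an added example, not code from the original post, the following Go program applies the two observations above to a raw file image: it looks for strings the Go toolchain embeds in every binary it links and compares the file's size with the 4.65MB average reported above. The marker list and the constructed 5MB sample image are assumptions of this example, not data from the post.

```go
package main

import "bytes"

// Strings the Go toolchain embeds in every binary it links, regardless of OS.
var goMarkers = []struct {
	name string
	pat  []byte
}{
	{"build ID note", []byte("Go build ID:")},
	{"buildinfo magic", []byte("\xff Go buildinf:")}, // Go 1.13+
	{"runtime symbol", []byte("runtime.main")},
}

// Average size of the Go malware samples reported in the post (4.65MB).
const referenceAvgBytes = 4_650_000

// Triage summarises what a defender wants to know about one file image.
type Triage struct {
	IsPE          bool     // starts with the MZ header of a Windows executable
	IsGo          bool     // at least one Go toolchain marker found
	SizeBytes     int
	LargerThanAvg bool     // exceeds the post's 4.65MB average
	Markers       []string // names of the markers that matched
}

// TriageSample inspects a raw file image; it never executes anything.
func TriageSample(data []byte) Triage {
	t := Triage{SizeBytes: len(data)}
	t.IsPE = len(data) >= 2 && data[0] == 'M' && data[1] == 'Z'
	for _, m := range goMarkers {
		if bytes.Contains(data, m.pat) {
			t.Markers = append(t.Markers, m.name)
		}
	}
	t.IsGo = len(t.Markers) > 0
	t.LargerThanAvg = t.SizeBytes > referenceAvgBytes
	return t
}

// constructedSample is a fabricated 5MB image (not real malware): an MZ
// header, zero padding, and two Go markers placed at arbitrary offsets.
func constructedSample() []byte {
	img := make([]byte, 5_000_000)
	copy(img, "MZ")
	copy(img[0x1000:], "Go build ID: constructed/example")
	copy(img[0x2000:], "runtime.main")
	return img
}

func main() { r := TriageSample(constructedSample()); println(r.IsPE, r.IsGo, r.LargerThanAvg) }
```

On real samples the marker scan is a quick first-pass filter before heavier analysis; a stripped or packed binary may hide these strings, so a miss is not proof that a file was not written in Go.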