lecture: Reversing Golang Malware


The year 2019 has seen a meteoric rise in ransomware attacks, large and small. At the same time, some malware authors are turning to the Go programming language to develop new malware implants, delivery systems, and ransomware. This talk is an examination of the major malware families which have appeared over the past year and are written in Go. Highlighted are JCry and Robbinhood ransomware, GoBrut Linux bruteforcer, and the Go variant of Zebrocy. Finally, attendees will learn some “on the cheap” reverse engineering techniques using free tools including Ghidra and x64dbg along with how to use a new tool called ghidra2x64dbg to integrate symbols and labels from Ghidra into the x64dbg debugger.

The Go programming language will turn ten years old on November 10th. We have been hearing about the utility of writing cross-platform pentesting implants and tools for a few years now, but over the past two years high profile malware campaigns have begun delivering payloads and using tools written in the Go language.

The Robbinhood ransomware campaign that struck the City of Baltimore, Maryland and the City of Greenville, North Carolina is the highest profile attack incorporating Golang malware. This attack cost Baltimore approximately $18 million, but neither Baltimore nor Greenville paid the ransom (suck it ransomware authors!). This ransomware utilizes Go channels for multi-threaded encryption to handle large numbers of files concurrently. This poses an interesting problem for reverse engineering and observing the encryption activity. A process for handling threading like this using x64dbg will be covered. JCry is another strain of ransomware written in Go. In March of 2019, JCry appeared as a component of the #OpJerusalem campaign targeting popular Israeli websites. This malware is actually a pair of Go executables, one for encryption and the other for decryption. How to integrate labels from Ghidra into x64dbg using a new tool called ghidra2x64dbg will be demonstrated in the context of this pair of ransomware samples.

Demonstrating the cross-platform nature of Golang, we will examine a brute-forcing tool called GoBrut. This is an ELF binary compiled in Go on Linux. This tool targets a variety of CMS, databases, and administration tools. It has been used to grow a large botnet of hosts numbering in the thousands worldwide.

Finally, not to be left out, Fancy Bear dips its paw into Golang. In October 2018, a new variant of the Zebrocy malware family appeared in the form of a downloader written in Go. This family is commonly found targeting Central Asian governments and associated organizations. In addition to these major attacks, we will review some of the overall statistics of Golang binaries detected as malicious and found in the open source. Attendees will take away a few techniques for reverse engineering Golang malware, with a focus on the newly released disassembler, Ghidra, and the rising star debugger, x64dbg.


Day: 2019-09-15
Start time: 13:15
Duration: 01:00
Room: Tesla


Concurrent events