Golang is becoming the programming language of choice for many malware developers. According to cybersecurity firm Intezer, there’s been an almost 2000 percent increase in the number of Go-based malware strains found in the wild since 2017.
The number of attacks using this type of malware is expected to increase in the next couple of years. What’s most alarming is that we’re seeing many threat actors who are targeting multiple operating systems with strains from a single Go codebase.
Here’s everything else you need to know about this emerging threat.
What Is Golang?
Go (a.k.a. Golang) is an open-source programming language that is still relatively new. It was developed by Robert Griesemer, Rob Pike, and Ken Thompson at Google in 2007, although it was only officially introduced to the public in 2009.
It was developed as an alternative to C++ and Java. The goal was to create something that is straightforward to work with and easy to read for developers.
Why Are Cybercriminals Using Golang?
There are thousands of Golang-based malware in the wild today. Both state-sponsored and non-state-sponsored hacking gangs have been using it to produce a host of strains including Remote Access Trojans (RATs), stealers, coin miners, and botnets among many others.
What makes this type of malware extra potent is the way it can target Windows, macOS, and Linux using the same codebase. This means that a malware developer can write code once and then use this single code base to compile binaries for multiple platforms. Using static linking, a code written by a developer for Linux can run on Mac or Windows.
We’ve seen go-based crypto miners that target both Windows and Linux machines as well as multi-platform cryptocurrency-stealers with trojan apps that run on macOS, Windows, and Linux devices.
Aside from this versatility, strains written in Go have proven to be very stealthy too.
Many have infiltrated systems without detection mainly because malware written in Go is large. Also because of static linking, binaries in Go are relatively larger compared to those by other languages. Many antivirus software services are not equipped to scan files this bulky.
Moreover, it is harder for most antiviruses to find suspicious code in Go binary since they look much different under a debugger compared to others written in more mainstream languages.
It doesn’t help that features of this programming language make Go binaries still harder to reverse engineer and analyze.
While many reverse engineering tools are well equipped at analyzing binaries compiled from C or C++, Go-based binaries still present new challenges for reverse engineers. This has kept detection rates of Golang malware notably low.
Go-Based Malware Strains and Attack Vectors
Before 2019, spotting malware written in Go may have been rare but in recent years there’s been a steady increase in nasty go-based malware strains.
A malware researcher has found around 10,700 unique malware strains written in Go in the wild. The most prevalent of these are RATs and backdoors but in recent months we’ve also seen a great deal of insidious ransomware written in Go.
ElectroRAT
One such info-stealer written in Golang is the extremely intrusive ElectroRAT. While there are many of these nasty info-stealers around, what makes this one more insidious is how it targets multiple operating systems.
The ElectroRAT campaign, discovered in December 2020, features cross-platform Go-based malware that has an arsenal of vicious capabilities shared by its Linux, macOS, and Windows variant.
This malware is capable of keylogging, taking screenshots, uploading files from disks, downloading files, and executing commands aside from its ultimate goal of draining cryptocurrency wallets.
Related: ElectroRAT Malware Targeting Cryptocurrency Wallets
The extensive campaign that’s believed to have remained undetected for a year involved even more elaborate tactics.
The latter included creating a fake website and fake social media accounts, creating three separate trojan-infected apps related to cryptocurrency (each targeting Windows, Linux, and macOS), promoting the tainted apps on crypto and blockchain forums like Bitcoin Talk, and luring victims to the trojanized app’s webpages.
Once a user downloads and then runs the app, a GUI opens while the malware infiltrates in the background.
RobbinHood
This sinister ransomware made headlines in 2019 after crippling the city of Baltimore’s computer systems.
The cybercriminals behind the Robbinhood strain demanded $76,000 to decrypt the files. The government’s systems were rendered offline and out of service for almost a month and the city reportedly spent an initial $4.6 million to recover the data in the affected computers.
Damages due to loss of revenue may have cost the city more—up to $18 million according to other sources.
Originally coded in the Go programming language, the Robbinhood ransomware encrypted the victim’s data and then appended the file names of compromised files with the .Robbinhood extension. It then placed an executable file and text file on the desktop. The text file was the ransom note with the attackers’ demands.
Zebrocy
In 2020, malware operator Sofacy developed a Zebrocy variant that’s written in Go.
The strain masqueraded as a Microsoft Word document and was spread using COVID-19 phishing lures. It worked as a downloader that collected data from the infected host’s system and then uploaded this data onto the command-and-control server.
The Zebrocy arsenal, composed of droppers, backdoors, and downloaders, has been in use for many years. But its Go variant was only discovered in 2019.
It was developed by state-backed cybercrime groups and has previously targeted ministries of foreign affairs, embassies, and other government organizations.
More Golang Malware To Come In The Future
Go-based malware is rising in popularity and is continuously becoming the go-to programming language for threat actors. Its ability to target multiple platforms and stay undetected for a long time makes it a serious threat worthy of attention.
That means it's worthwhile highlighting that you need to take basic precautions against malware. Don't click on any suspicious links or download attachments from emails or websites—even if they come from your family and friends (who may already be infected).