Hackers turn to Golang to create new malware

News by Rene Millman

Hackers are writing more malware in the Golang (Go) programming language in a bid to avoid detection and steal data from victims.


According to a blog post by a security researcher at Malwarebytes, a piece of stealer malware that it labelled Trojan.CryptoStealer.Go is written in Go and searches several folders on an affected machine for cryptocurrency wallets. Once the search is complete, the stealer zips everything into one package and uploads the stolen data to a C&C server. Some of these Trojans also search browser cookies for financial transaction data.

Further analysis of the malware found that it makes Windows API calls and searches for user data in a number of folders on a victim’s system.

"Those paths point to data stored from browsers. One interesting fact is that one of the paths points to the Yandex browser, which is popular mainly in Russia," said researchers.

It also copies any files on the desktop to a folder created in %APPDATA%.

"We can see that the browser’s cookie database is queried in search of data related to online transactions: credit card numbers, expiration dates, as well as personal data such as names and email addresses," researchers said.

Researchers added that this malware is in the early stages of development: "its author may have just started learning Go and is experimenting. We will be keeping an eye on its development."

Paul Ducklin, senior technologist at Sophos, told SC Media UK that Go malware is rare enough to attract special attention, as though Go itself is so new that it's amazing that malware authors have taken to using it.  

"But Go is already nearly 10 years old and has attracted a strong and loyal following among legitimate programmers – if you already know C, Go is easy to learn, convenient to use, and less prone to the kind of programming errors that crop up often in C or C++ code. What's good for the goose is sadly good for the gander, so it would be much more surprising if we didn't see malware written in Go," he said.

"The good news is that you can use the same sort of techniques to analyse, detect and prevent malware written in Go as you do for most other compiled languages – and over the years, malware creators have used just about every programming language that you care to name, from assembler and C, through Pascal, Delphi and Basic, all the way to Java and Kotlin."

Naaman Hart, managed services security engineer at Digital Guardian, told SC that the advantage for hackers using this language is obscurity.

"It’s easier to hide in plain sight with a language that is far less understood. Bear in mind though that the underlying functions and calls remain roughly the same so detection mechanisms that look at the end result will still trigger," he said.

"It makes it harder because a new language has to be learned and they all have their own nuances. However, if the general number of threats written in Go increases dramatically then so will the specialists that are capable of writing countermeasures."
