The number of new malware samples written in Go (Golang) has risen by roughly 2,000% since 2017. Both state-backed and non-state threat actor groups are actively adding Go to their toolsets.

Making the headlines

BlackBerry's Threat Research and Intelligence SPEAR Team has found the PYSA ransomware group targeting healthcare agencies and schools in the U.S. with a new RAT the researchers dubbed ChaChi.
  • Written in Go, the malware is used by the criminals as a foothold from which to deploy ransomware.
  • Threat actors are reportedly shifting away from C- and C++-based malware because of the agility and the ease of cross-platform compilation that Go offers.
  • That gives them a free hand to target Windows, macOS, and Linux from the same codebase.
  • The FBI also recently issued a FLASH alert about the rise in PYSA attacks on schools in both the U.S. and the U.K.

About ChaChi

Early versions of ChaChi were rudimentary: obfuscation was weak, and there was no port-forwarding or DNS tunneling. The current version is on par with a typical RAT, offering backdoor access, data theft, DNS tunneling, credential dumping from the Windows Local Security Authority Subsystem Service (LSASS) process, network enumeration, and lateral movement across the network, among other capabilities.

Other Go malware

According to Intezer, malware written in Go was rarely seen before 2019.
  • At the end of May, Sophos reported a new Go-based ransomware, Epsilon Red. It reportedly hit a U.S.-based business in the hospitality industry and an India-based IT firm, Nucleus Software.
  • Last year, the developers behind JSWorm ransomware rewrote the malware in Go, abandoning their C++ codebase.
  • Palo Alto Networks found roughly 10,700 unique malware samples written in Go, 92% of which were compiled for Windows.

Notorious ransomware strains written in Go include RobbinHood, Nefilim, and EKANS. Russian and Chinese state-sponsored groups have also been observed deploying Go-based malware: Zebrocy and WellMess are two such Russian tools, while Godlike12 and Go Loader are Chinese examples of the same trend.

The bottom line

The use of Go among malware authors has been steadily rising. Organizations are advised to educate their staff about these threats and to keep watch on the warnings released by security researchers and intelligence agencies.

Cyware Publisher