Intezer experts report that the amount of malware written in the Go language has increased by 2,000% since 2017. Such malware has now become commonplace.
Golang is often used by “government” hackers, lower-level attackers, and information security specialists (usually for creating pentester tools).
Experts have previously noted that in recent years attackers have gradually moved away from C and C++, increasingly preferring Go, a programming language developed and launched by Google in 2007. Although the first malware written in Go appeared back in 2012, it took a while for the language to gain such popularity.
In its report, Intezer explains that there are three main reasons for this popularity. The first is the ease of cross-platform compilation, which allows malware developers to write code once and then immediately compile binaries for different platforms, including Windows, Mac and Linux.
The second reason is that Go-based binaries are still very difficult to parse and reverse, which allows hackers to maintain low detection rates for their malware.
The third reason has to do with the way Go implements support for working with network packets and requests:
“Go has a well-written networking stack that is easy to work with. Go has become one of the cloud-based programming languages in which many native cloud applications are written. For example, Docker, Kubernetes, InfluxDB, Traefik, Terraform, CockroachDB, Prometheus, and Consul are all written in Go. This makes sense, given that one of the reasons Go was created was to invent a better language that could be used to replace Google’s internal C++ networking services,” the researchers say.
Much of the malware written in Go consists of botnets targeting IoT devices and Linux, which aim either to install cryptocurrency miners or to use infected devices for DDoS attacks. In addition, experts write that more and more ransomware is being written in Go.
There were many Go threats in 2020; the researchers list only the most common and notable ones:
- Zebrocy — the Russian-speaking hack group APT28 has created a version of Zebrocy malware based on Go;
- WellMess — the Russian-language hack group APT29 has deployed updated versions of WellMess malware based on Go;
- Godlike12 — Chinese hackers used Go-based backdoors to attack the Tibetan community;
- Go Loader – China’s Mustang Panda APT has deployed a new Go-based loader;
- GOSH – the famous hack group Carbanak used the new RAT GOSH, written in Go last August;
- Glupteba — new versions of the Glupteba loader have appeared;
- a new RAT targeting Linux servers running Oracle WebLogic was spotted by Bitdefender;
- CryptoStealer.Go — improved versions of the CryptoStealer.Go malware, designed to steal cryptocurrency wallets and browser passwords, have been detected.
Let me remind you that Silver Sparrow malware infected about 30,000 Mac computers.