The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the past few years, since 2017, cybersecurity firm Intezer said in a report published this week.
The company's findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007.
Intezer: Go malware, now a daily occurrence
While the first Go-based malware was detected in 2012, it took, however, a few years for Golang to catch on with the malware scene.
“Before 2019, spotting malware written in Go was more a rare occurrence and during 2019 it became a daily occurrence,” Intezer said in its report.
But nowadays, Golang (as it is also often referred to instead of Go) has broken through and has been widely adopted.
It is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often used it to create penetration-testing toolkits.
There are three main reasons why Golang has seen this sudden sharp rise in popularity. The first is that Go supports an easy process for cross-platform compilation. This allows malware developers to write code once and compile binaries from the same codebase for multiple platforms, allowing them to target Windows, Mac, and Linux from the same codebase, a versatility that they don't usually have with many other programming languages.
The second reason is that Go-based binaries are still hard to analyze and reverse engineer by security researchers, which has kept detection rates for Go-based malware very low.
The third reason is related to Go's support for working with network packets and requests. Intezer explains:
“Go has a very well-written networking stack that is easy to work with. Go has become one of the programming languages for the cloud with many cloud-native applications written in it. For example, Docker, Kubernetes, InfluxDB, Traefik, Terraform, CockroachDB, Prometheus and Consul are all written in Go. This makes sense given that one of the reasons behind the creation of Go was to invent a better language that could be used to replace the internal C++ network services used by Google.”
Since malware strains usually tamper with, assemble, or send/receive network packets all the time, Go provides malware devs with all the tools they need in one place, and it's easy to see why many malware coders are abandoning C and C++ for it. These three reasons are why we saw more Golang malware in 2020 than ever before.
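On the analysis difficulty named as the second reason above, a first triage step is to confirm that a sample was built with Go and read the build metadata the toolchain embeds in it. The sketch below is an added example, not code from Intezer's report; it uses the standard library's `debug/buildinfo` package, and the `Triage` type, `TriageBytes` function and `gotriage` name are hypothetical.

```go
package main

import (
	"bytes"
	"debug/buildinfo"
	"fmt"
	"os"
)

// Magic that the Go linker places at the start of the embedded build-info blob.
var buildInfoMagic = []byte("\xff Go buildinf:")

// Triage (hypothetical type) is what a first pass recovered from a suspected Go binary.
type Triage struct {
	MarkerHit bool     // raw magic present anywhere in the file
	IsGo      bool     // build info parsed from an ELF, PE or Mach-O image
	GoVersion string   // toolchain that produced the binary
	MainPath  string   // main package path, when recorded
	Deps      []string // modules linked in, as path@version
}

// TriageBytes inspects a file image held in memory; it never executes it.
func TriageBytes(data []byte) Triage {
	t := Triage{MarkerHit: bytes.Contains(data, buildInfoMagic)}
	info, err := buildinfo.Read(bytes.NewReader(data))
	if err != nil {
		return t // not Go, or packed/damaged so the blob cannot be parsed
	}
	t.IsGo, t.GoVersion, t.MainPath = true, info.GoVersion, info.Path
	for _, d := range info.Deps {
		t.Deps = append(t.Deps, d.Path+"@"+d.Version)
	}
	return t
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gotriage <file>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", TriageBytes(data))
}
```

A sample where `MarkerHit` is true but `IsGo` is false has the marker bytes without a parseable image, which is worth a closer look for packing or tampering.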
“Many of these malware [families] are botnets targeting Linux and IoT devices to either install crypto miners or enroll the infected machine into DDoS botnets. Also, ransomware has been written in Go and appears to become more common,” Intezer said.
Examples of some of the biggest and most prevalent Go-based threats seen in 2020 include the likes of (per category):
Nation-state APT malware:
- Zebrocy – Russian state-sponsored group APT28 created a Go-based version of their Zebrocy malware last year.
- WellMess – Russian state-sponsored group APT29 deployed new upgraded versions of their Go-based WellMess malware last year.
- Godlike12 – A Chinese state-sponsored group deployed Go-based backdoors for attacks on the Tibetan community last year.
- Go Loader – The China-linked Mustang Panda APT deployed a new Go-based loader last year for their attacks.
- GOSH – The infamous Carbanak group deployed a new RAT named GOSH written in Go last August.
- Glupteba – New versions of the Glupteba loader were seen in 2020, more advanced than ever.
- A new RAT targeting Linux servers running Oracle WebLogic was seen by Bitdefender.
- CryptoStealer.Go – New and improved versions of the CryptoStealer.Go malware were seen in 2020. This malware targets cryptocurrency wallets and browser passwords.
- Also, during 2020, a clipboard stealer written in Go was found.
New ransomware strains written in Go:
Naturally, in light of its recent discoveries, Intezer, along with others, expects Golang usage to continue to rise in the coming years and join C, C++, and Python as a preferred programming language for coding malware going forward.