A new ransomware strain packed with Go adds to the evidence that threat actors are increasingly adopting the language.
Security firm CrowdStrike has analyzed a sample of a ransomware variant that borrows features from the HelloKitty (DeathRansom) and FiveHands families.
Those strains are believed to have been active since 2019 and are blamed for attacks on a range of companies and organizations, including the attack on CD Projekt Red, the Polish developer of Cyberpunk 2077.
The sample's code shows similarities with HelloKitty and FiveHands, with some components written in C++, the researchers noted in a blog post published today.
Like FiveHands, the new malware uses an executable packer that decrypts its payload and unpacks it directly into memory rather than onto disk. The packer needs a key value, supplied through the command-line switch “-key”, to decrypt that payload; without the key the payload stays encrypted, which is what hinders detection.
“This method of using a memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer,” CrowdStrike says.
Unlike FiveHands and HelloKitty, this new strain wraps its C++ payload in a packer written in Go, which stores the payload encrypted.
Malware written in Go has risen sharply since 2019, thanks to the language's ease of use and the difficulty of reverse-engineering its binaries. CrowdStrike's sample was compiled with Go 1.16, which was released in February 2021.
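To make the key-gated, memory-only unpacking concrete, here is an added Go example. It is not CrowdStrike's sample and not the ransomware's code; it assumes AES-256-GCM with a key derived from the “-key” string via SHA-256 (the real packer's cipher and key derivation are not described on this page), uses a harmless constructed string as a stand-in for the C++ payload, and only decrypts into a byte slice: it does not map or execute anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"flag"
	"fmt"
	"os"
)

// deriveKey turns the operator-supplied "-key" string into a 256-bit AES key.
// Assumption for this example: the real packer's derivation is not documented here.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// pack is the build-time step: encrypt the payload with AES-256-GCM and
// return nonce||ciphertext, which a packer stub would embed as an opaque blob.
func pack(payload []byte, passphrase string) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// unpack is the run-time step: decrypt the blob into a slice that exists only
// in memory. A wrong key fails the GCM authentication check, so nothing that
// resembles the payload is ever produced, on disk or in memory.
func unpack(blob []byte, passphrase string) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, payload stays encrypted")
	}
	return pt, nil
}

func main() {
	key := flag.String("key", "", "passphrase that unlocks the embedded payload")
	flag.Parse()

	// Constructed stand-in for the embedded payload. A real packer would carry a
	// precomputed blob and never contain the passphrase; it is built here only so
	// the example runs stand-alone.
	blob, err := pack([]byte("stand-in payload bytes"), "correct-horse")
	if err != nil {
		fmt.Fprintln(os.Stderr, "pack failed:", err)
		os.Exit(1)
	}

	pt, err := unpack(blob, *key)
	if err != nil {
		fmt.Fprintln(os.Stderr, "unpack failed:", err)
		os.Exit(1)
	}
	fmt.Printf("decrypted %d bytes in memory; a real packer would map and run them here\n", len(pt))
}
```

Running it as `go run main.go -key correct-horse` recovers the stand-in payload; any other value, or no key at all, fails the GCM tag check and yields nothing. The defender's takeaway is the mirror image of the evasion: a sandbox or analyst that only has the binary cannot produce the payload, so incident responders should make sure process-creation telemetry that records full command lines (EDR, Sysmon event ID 1, or equivalent) is preserved from the affected host, since the “-key” argument is the missing ingredient.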
“Although Golang-written malware and packers are not new, compiling it with the latest Golang makes it challenging to debug for malware researchers,” CrowdStrike notes. “That’s because all necessary libraries are statically linked and included in the compiler binary, and the function name recovery is difficult.”
Beyond its Go packer, the sample has the usual ransomware functionality: it encrypts files and disks and drops a ransom note demanding payment in return for a decryption key. The note directs victims to a Tor address to pay, and claims the operators have stolen more than 1 TB of data, which leads the researchers to suspect an attempt at ‘double extortion’.
This month, BlackBerry published a report on another Go-written malware family, the ChaChi Trojan, which has been used in attacks on US government institutions and schools.