Intezer Analyze now proudly supports genetic analysis for files created with the Golang programming language. Community and enterprise users can detect and classify malware written in Go, within seconds!
Why is this Important?
Golang, also known as Go, is Google’s open-source programming language which has become popular among developers in the Windows and Linux platforms. While well-known open source projects such as Kubernetes and Docker are written in Go, this programming language is being exploited by adversaries to develop malware.
Golang malware may still be in its infancy, but according to Palo Alto Networks we can expect Go-compiled malware to constitute a much larger market share of developed malware in years to come.
Even further, with the rapid growth of cloud infrastructure in recent years—and Linux becoming the predominant choice for cloud computing—Go malware could become a greater threat to enterprise cloud security.
Below are the Intezer Analyze features which are currently available for Golang:
-
- Code reuse
- View related samples
- View the assembly code
- Create vaccinations (code-based YARA rules) for proactive threat hunting (available in our enterprise edition)
- IDA Pro plugin (available in our enterprise edition)
HTRAN Case Study
One of the advantages to genetically analyzing files written in Golang is being able to identify code connections between Windows and Linux executables. As evidenced by the recent discovery of ACBackdoor, cross-platform malware does exist between the two platforms.
HTRAN is a hacking tool used by adversaries to conceal their location when interacting with victim networks. Below Intezer Analyze has detected Linux and Windows variants of HTRAN which share code with each other:
- Genetic Analysis of Linux (ELF) Variant
This HTRAN Linux instance currently has 0 detections in VirusTotal. When you click on apt_golang_htran under the code reuse section you can see related samples, which includes the Windows variant (with only one detection in VirusTotal).
- Genetic Analysis of Windows (PE) Variant
To date, this HTRAN Windows instance has only one detection in VirusTotal.
Intezer Analyze Community
Intezer proudly supports Genetic Malware Analysis for Windows and Linux executables, in addition to Android APK files. If you’re not an Intezer Analyze community user we encourage you to sign up for free at analyze.intezer.com. Community users can upload up to 10 files and scan one endpoint per day in order to:
-
- Detect code similarities to known malware, legitimate applications, libraries, and more
- Detect advanced in-memory threats such as malicious code injections, packed, and fileless malware
- Obtain insights about malware families and threat actors
- Receive monthly updates about new features, research, webinars, and more
Additional Resources:
More about Golang Malware:
-
- The Gopher in the Room: Analysis of Golang Malware in the Wild (Palo Alto Networks)
- Golang Malware Targets Linux-based Servers (Infosecurity Magazine via F5 Labs)
