Intezer - Genetic Malware Analysis for Golang

Genetic Malware Analysis for Golang

Written by Intezer
Join our free communityGet started
Share Article
FacebookTwitterLinkedIn

Intezer Analyze now proudly supports genetic analysis for files created with the Golang programming language. Community and enterprise users can detect and classify malware written in Go, within seconds!

Why is this Important?
Golang, also known as Go, is Google’s open-source programming language which has become popular among developers in the Windows and Linux platforms. While well-known open source projects such as Kubernetes and Docker are written in Go, this programming language is being exploited by adversaries to develop malware.

Golang malware may still be in its infancy, but according to Palo Alto Networks we can expect Go-compiled malware to constitute a much larger market share of developed malware in years to come.

Even further, with the rapid growth of cloud infrastructure in recent years—and Linux becoming the predominant choice for cloud computing—Go malware could become a greater threat to enterprise cloud security.

Below are the Intezer Analyze features which are currently available for Golang:

    • Code reuse
    • View related samples
    • View the assembly code
    • Create vaccinations (code-based YARA rules) for proactive threat hunting (available in our enterprise edition)
    • IDA Pro plugin (available in our enterprise edition)

HTRAN Case Study
One of the advantages to genetically analyzing files written in Golang is being able to identify code connections between Windows and Linux executables. As evidenced by the recent discovery of ACBackdoor, cross-platform malware does exist between the two platforms.

HTRAN is a hacking tool used by adversaries to conceal their location when interacting with victim networks. Below Intezer Analyze has detected Linux and Windows variants of HTRAN which share code with each other:

  • Genetic Analysis of Linux (ELF) Variant
    This HTRAN Linux instance currently has 0 detections in VirusTotal. When you click on apt_golang_htran under the code reuse section you can see related samples, which includes the Windows variant (with only one detection in VirusTotal).

Screen Shot 2019 11 20 at 10.55.59 AM

Screen Shot 2019 11 20 at 10.41.58 AM

Screen Shot 2019 11 19 at 10.47.34 AM

Intezer Analyze Community
Intezer proudly supports Genetic Malware Analysis for Windows and Linux executables, in addition to Android APK files. If you’re not an Intezer Analyze community user we encourage you to sign up for free at analyze.intezer.com. Community users can upload up to 10 files and scan one endpoint per day in order to:

    • Detect code similarities to known malware, legitimate applications, libraries, and more
    • Detect advanced in-memory threats such as malicious code injections, packed, and fileless malware
    • Obtain insights about malware families and threat actors
    • Receive monthly updates about new features, research, webinars, and more

Additional Resources:

More about Golang Malware:

Intezer

Intezer introduces a Genetic Malware Analysis technology, revolutionizing cyber threat detection and response. By revealing the genetic origins of all software code, Intezer equips enterprises with an advanced way to detect modern cyber threats, while providing deep context on how to effectively respond to incidents. Intezer offers solutions for incident response automation, cloud security, threat intelligence, and more.

© Intezer.com 2020 All rights reserved