New Ransomware Highlights Widespread Adoption of Golang Language By Cyberattackers
A new ransomware variant built with Golang has surfaced, a further sign that cybercriminals are adopting the Go programming language for their tooling.
CrowdStrike obtained a sample of the new, as yet unnamed, ransomware strain. It shares features with FiveHands and DeathRansom/HelloKitty, ransomware families believed to have been active since 2019 and linked to attacks on enterprise organizations, among them CD Projekt Red, the developer of Cyberpunk 2077.
The sample exposes the same functions as FiveHands and HelloKitty, and its core components are written in C++. It also matches the two families in how it carries out file encryption and parses command-line arguments. Like FiveHands, the new ransomware uses an executable packer that takes a key value to decrypt its payload directly in memory.
The key is supplied via the command-line switch “-key.” According to experts from CrowdStrike: “This method of using a memory-only dropper prevents security solutions from detecting the final payload without the unique key used to execute the packer.” Unlike FiveHands and HelloKitty, however, the new variant relies on a Go-based packer to encrypt its C++ ransomware payload.
Intezer, a security vendor, notes that few malware families used Go before 2019. Today the language is fast becoming a favored option because it makes compiling code for multiple platforms easy and fast, and because Go binaries are markedly harder to reverse-engineer.
The number of Go-based malware samples has risen by nearly 2,000% in recent years. CrowdStrike’s sample was compiled with the most recent Go release, version 1.16, launched in February 2021. CrowdStrike experts say:
“Although Golang-written malware and packers are not new, compiling it with the latest Golang makes it challenging to debug for malware researchers. That’s because all necessary libraries are statically linked and included in the compiler binary, and the function name recovery is difficult.”
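A defender-side triage check for the static-linking point just quoted, added here as an example and not drawn from the CrowdStrike or BlackBerry research: it looks for the markers the Go linker embeds in every binary (the build-info magic and the build ID prefix) and pulls out the compiler version, so an analyst knows early that Go-aware symbol recovery tooling is needed. The sample byte blobs are constructed, not real malware.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Markers the Go linker writes into every binary it produces (Go >= 1.13).
BUILDINFO_MAGIC = b"\xff Go buildinf:"   # start of the build-info header
BUILDID_PREFIX = b"\xff Go build ID: \""  # precedes the quoted build ID
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?(?:beta\d+|rc\d+)?")

@dataclass
class GoTriage:
    is_go: bool
    go_version: Optional[str]   # e.g. "go1.16.3"
    build_id: Optional[str]
    has_runtime_names: bool     # pclntab still names runtime.* functions

def triage_go_binary(data: bytes) -> GoTriage:
    """String-level triage: is this a Go build, and from which toolchain?"""
    if BUILDINFO_MAGIC not in data and BUILDID_PREFIX not in data:
        return GoTriage(False, None, None, False)
    version = None
    m = GO_VERSION_RE.search(data)
    if m:
        version = m.group(0).decode("ascii")
    build_id = None
    start = data.find(BUILDID_PREFIX)
    if start != -1:
        start += len(BUILDID_PREFIX)
        end = data.find(b'"', start)
        if end != -1:
            build_id = data[start:end].decode("ascii", errors="replace")
    # Even stripped Go binaries keep function names in pclntab, which is what
    # Go-aware symbol recovery rebuilds from; runtime.main is a reliable canary.
    return GoTriage(True, version, build_id, b"runtime.main" in data)

# Constructed samples (not real malware bytes): a fake Go-built PE and a
# fake native PE, each with just enough content to exercise the checks.
GO_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + BUILDID_PREFIX + b'abcd1234/efgh5678/ijkl9012/mnop3456"\x00'
    + BUILDINFO_MAGIC + b"\x08\x00" + b"\x00" * 16
    + b"go1.16.3\x00runtime.main\x00"
)
NATIVE_SAMPLE = b"MZ" + b"\x00" * 62 + b"kernel32.dll\x00msvcrt.dll\x00"

if __name__ == "__main__":
    for name, blob in (("go", GO_SAMPLE), ("native", NATIVE_SAMPLE)):
        print(name, triage_go_binary(blob))
```

A packed sample such as the one described above would show a Go toolchain on the outer executable while the real payload only appears after the in-memory decryption, so this check identifies the wrapper, not the C++ ransomware inside it.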
Beyond its use of Go, the sample has the familiar ransomware capabilities, including encrypting disks and files before demanding payment to release a decryption key. The ransom note directs victims to a Tor address to open a direct chat with the ransomware operators, who claim to have stolen more than 1TB of the victim’s data.
Threats of this kind usually indicate that the operators are attempting double extortion: if the victim does not pay, the attackers threaten to leak the stolen data. Recently, BlackBerry’s threat research team published a report on a new piece of malware dubbed ChaChi.
In the report, the team said that ChaChi is written in the GoLang programming language. ChaChi, a remote access trojan (RAT), was first identified at the beginning of 2020; its initial strain was used in intrusions against French government institutions, and its most recent attack targeted the US education department. BlackBerry experts noted that: “As this is such a new phenomenon, many core tools to the analysis process are still catching up. This can make Go a more challenging language to analyze.”
Unlike the first strain of ChaChi, which had limited capabilities and a crude implementation, the new malware can carry out classic RAT activities: data exfiltration, backdoor creation, credential dumping through LSASS (the Windows Local Security Authority Subsystem Service), DNS tunneling, network enumeration, service creation, lateral movement across networks, and SOCKS proxy functionality. This malware also uses Golang for its data-stealing functionality.
ChaChi takes its name from Chashell and Chisel, the two off-the-shelf tools the malware relies on to carry out attacks, both customized for that purpose. Chashell is a reverse shell that communicates over DNS, while Chisel is a port-forwarding tunnel.
BlackBerry experts are confident that the malware belongs to PYSA/Mespinoza. This criminal group has been active since 2018 and is best known for running ransomware campaigns and for the file extensions it uses.