DecryptedTech

Friday, 19 August 2022

Golang Becoming a Primary Language in the Attacker’s Tool Kit



The Go Programming Language (Go or Golang) was developed back in 2007 by a few engineers who were working at Google at the time. Go was launched in 2009 as an open-source programming language and it is primarily used in Google’s own production systems. It has been described as Python meets C and has syntax similarities with C and procedural similarities with Python (dynamic-typing etc.). So, you end up with a language that has the speed, security, and structure of a compiled programming language along with the development speed and simplicity of a dynamic language.

Because of this great combination, it has become very popular with threat actors. Beginning in 2019, the threat landscape saw several RATs (Remote Access Trojans) written in Golang. This preference also spilled over into cryptominers, ransomware, backdoors, botnets, and other malware. It has been identified in nation-state-backed attacks as well as ones from criminal groups and individual attackers. The increase in malware written in Go was around 2000% in 2020 and it has been going up since.

The sophistication of some of the tools and malware that have been identified is impressive. In one recent attack on the National Chinese Games, a Golang-written tool was discovered that allowed for one-click exploitation of an environment it was deployed in. The flexible nature of Golang cannot be overstated here. Because it is relatively simple to build tools and malware for multiple platforms and CPU architectures, it is ideal for this type of work.

Threat actors now have a great coding resource to use in targeting IoT devices as well as your common endpoint processors. As we see more and more attacks at the hardware level and aimed at cloud resources, we are likely to see an increase in the use of Go for the tools and malware leveraged in these attacks. The simple and efficient language created by the developers at Google in 2007 has had an unexpected consequence in making things easier for threat groups as well.

Now, this does not really change defensive responses all that much, as these binaries are still detectable by anti-malware solutions (especially math-based ones), but it does indicate that the development time for new and/or updated malware strains and families may be significantly reduced as it becomes easier to develop them through Golang. This, in turn, means that while the tools used to defend and respond will not change much, the time to remediation needs to be much shorter to compensate for the reduced development time.


Last modified on Monday, 07 February 2022 10:47
