Go Malware Is Now Common, Having Been Adopted By Both APTs And E-crime Groups

The number of malware strains coded in the Go programming language has seen a sharp increase of around 2,000% over the last few years, since 2017, cybersecurity firm Intezer said in a report published this week.

The company's findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007.

Intezer: Go malware, now a daily occurrence

While the first Go-based malware was detected in 2012, it took, however, a few years for Golang to catch on with the malware scene.

"Before 2019, spotting malware written in Go was more a rare occurrence and during 2019 it became a daily occurrence," Intezer said in its report.

But today, Golang (as it's often also referred to instead of Go) has broken through and has been widely adopted.

It is used by nation-state hacking groups (also known as APTs), cybercrime operators, and even security teams alike, who often used it to create penetration-testing toolkits.

There are three main reasons why Golang has seen this sudden sharp rise in popularity. The first is that Go supports an easy process for cross-platform compilation. This allows malware developers to write code once and compile binaries from the same codebase for multiple platforms, allowing them to target Windows, Mac, and Linux from the same codebase, a versatility that they don't usually have with many other programming languages.

The second reason is that Go-based binaries are still hard to analyze and reverse engineer by security researchers, which has kept detection rates for Go-based malware very low.

The third reason is related to Go's support for working with network packets and requests. Intezer explains:

"Go has a very well-written networking stack that is easy to to work with. Go has become one of the programming languages for the cloud with many cloud-native applications written in it. For example, Docker, Kubernetes, InfluxDB, Traefik, Terraform, CockroachDB, Prometheus and Consul are all written in Go. This makes sense given that one of the reasons behind the creation of Go was to invent a better language that could be used to replace the internal C++ network services used by Google."

Since malware strains usually tamper, assemble, or send/receive network packets all the time, Go provides malware devs with all the tools they need in one place, and it's easy to see why many malware coders are abandoning C and C++ for it. These three reasons are why we saw more Golang malware in 2020 than ever before.

"Many of these malware [families] are botnets targeting Linux and IoT devices to either install crypto miners or enroll the infected machine into DDoS botnets. Also, ransomware has been written in Go and appears to become more common," Intezer said.

Examples of some of the biggest and most prevalent Go-based threats seen in 2020 include the likes of (per category):

Nation-state APT malware:

• Zebrocy - Russian state-sponsored group APT28 created a Go-based version of their Zebrocy malware last year.
• WellMess - Russian state-sponsored group APT29 deployed new upgraded versions of their Go-based WellMess malware last year.
• Godlike12 - A Chinese state-sponsored group deployed Go-based backdoors for attacks on the Tibetan community last year.
• Go Loader - The China-linked Mustang Panda APT deployed a new Go-based loader last year for their attacks.

E-crime malware:

• GOSH - The infamous Carbanak group deployed a new RAT named GOSH written in Go last August.
• Glupteba - New versions of the Glupteba loader were seen in 2020, more advanced than ever.
• A new RAT targeting Linux servers running Oracle WebLogic was seen by Bitdefender.
• CryptoStealer.Go - New and improved versions of the CryptoStealer.Go malware were seen in 2020. This malware targets cryptocurrency wallets and browser passwords.
• Also, during 2020, a clipboard stealer written in Go was found.

New ransomware strains written in Go:

• RobbinHood
• Nefilim
• EKANS

Naturally, in light of its recent discoveries, Intezer, along with others, expect Golang usage to continue to rise in the coming years and join C, C++, and Python, as a preferred programming language for coding malware going forward.