What does malware written in Go look like? A sample analyzed • The Register
The folks at Deep Instinct say they have studied a Go-written variant of the malware used by the Arid Viper threat group.
Deep Instinct, founded in 2015, claims to use deep learning to detect and block malware. While training a deep learning model to identify malware written in Go, its researchers came across an executable built with the language, submitted it to VirusTotal, and found that only six security vendors flagged the binary as malicious.
Further investigation turned up two similar binaries written in Go. From these programs, we are told, it became clear that the team was looking at a variant of Micropsia. That malware was identified in 2017 and is used exclusively by Arid Viper, an Advanced Persistent Threat (APT) group believed to be based in Gaza and also tracked as APT-C-23. Deep Instinct named the Go-written malware Arid Gopher.
“This new variant is still under development; all three files share a common baseline, but each file contains unique code that is not present in the other files,” Deep Instinct researchers Simon Kenin and Asaf Gilboa wrote in an analysis on Monday. “In addition to the main implant, our investigation revealed ‘helper’ malware, also written in Go, and second-stage malware that was downloaded from the C2 [command-and-control] server.”
Arid Gopher has essentially the same functionality as Arid Viper’s existing Micropsia malware; it is simply written in Go.
“That’s also how we linked it to Arid Viper,” Moshe Hayun, head of Deep Instinct’s threat intelligence team, told The Register. “We used code similarities and feature similarities. That’s how we found out it was the same actor, using the decompiler, reverse engineering, and looking at the features and how he does things.”
Kenin told The Register that writing the code in Go was probably a way to evade detection. It is not uncommon for threat groups to switch the programming language they use to keep malware under the radar. In its 2022 Cyber Threat Landscape Report, published in February, Deep Instinct said that in 2021 criminal gangs shifted away from older languages such as C and C++ towards newer ones, including Python and Go, which are easy to learn.
Anti-virus engines may not be familiar with the structure or signatures of executables produced by these newer toolchains: a binary built from C++ source might already sit in a malware database, but the binary produced by a Go rewrite of the same code matches neither its hash nor its code-level signatures, buying its creators a little more time before it is detected. Cyber crooks may also simply be following software development trends, tools and libraries.
In the case of Arid Viper, its developers have used a range of programming languages, moving from Pascal and Delphi to C++, Python and now Go. What hasn’t changed is how the malware works or what it is designed for.
“The APTs, their sole purpose is to infiltrate important assets,” Hayun said. “I don’t know if I’ve seen an APT transpose so many languages, like Delphi [and] Pascal, but the Go malware is kind of a trend now because it’s a new language, it has a lot of open-source libraries, a lot of libraries like helper functions to collect information from victims’ computers and stuff like that. I don’t know how unique it is. APTs do that. Their models exist in several languages. I don’t recall anyone in APT using those exact languages or transposing them to Go.”
According to Deep Instinct, the Arid Viper malware targets computers running Microsoft Windows and has been used primarily in the Middle East, with a particular focus on Palestinian targets. The group has been linked to Hamas in the past, according to the researchers. There is also an Android strain apparently used against Israeli targets, and last year Facebook owner Meta released a report [PDF] identifying a nasty iOS strain developed by Arid Viper.
Deep Instinct has described the Arid Gopher variants it discovered. Arid Gopher V1 is written in Go 1.16.5 and includes code from libraries available on GitHub, which the researchers say “saves the author time by not having to write certain features from scratch. It also adds a degree of legitimacy because these libraries are not malicious, but the malware author is abusing the capabilities of the libraries for malicious purposes.”
There are two versions of the Arid Gopher V2 variant, both in use since the beginning of the year. Both samples were built with Go 1.17.4 and use some of the public GitHub libraries also seen in V1. A key difference between the two is the content of the benign decoy document each saves on the victim’s desktop, the team wrote. The variants are emailed to targets in RAR .xz archives and unpack with a long filename intended to push the .exe extension out of view. When successfully executed, they infect the Windows host, open a backdoor to a command-and-control server to receive further instructions, and drop a decoy document on the desktop and display it, so that the victim believes they simply saved and opened an attached Word file rather than malware.
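The detection gap described above (a rewrite in a new language defeats hash- and signature-based lookups) and the toolchain versions quoted for V1 and V2 both come down to the same triage question: is this binary built with Go, and with which release? The following is an added example, not code from the article or from Deep Instinct. It is a small Go triage tool that scans a file for the markers the Go linker leaves in every binary (the "\xff Go buildinf:" header, the "Go build ID:" string written into PE and Mach-O text, and a go1.x.y version string) and, for a parseable PE/ELF/Mach-O file, reads the exact toolchain version and main module through the standard library's debug/buildinfo package (Go 1.18 or later). The two sample blobs are constructed for the example and are not real malware.

```go
package main

import (
	"bytes"
	"debug/buildinfo" // Go 1.18+: parses the build info the linker embeds in PE, ELF and Mach-O files
	"fmt"
	"os"
	"regexp"
)

// GoFingerprint records the Go-toolchain artefacts found in a binary.
type GoFingerprint struct {
	HasBuildInfoMagic bool   // "\xff Go buildinf:" header, present in every Go 1.13+ binary
	HasBuildIDMarker  bool   // "Go build ID: \"" marker the linker writes into PE and Mach-O text
	Version           string // toolchain version, e.g. "go1.17.4"
	ModulePath        string // main module path, when structured build info parses
}

var (
	buildInfoMagic = []byte("\xff Go buildinf:")
	buildIDMarker  = []byte("Go build ID: \"")
	goVersionRE    = regexp.MustCompile(`go1\.[0-9]+(\.[0-9]+)?`)
)

// ScanBytes does a raw marker scan over file contents. It needs no file-format
// parsing, so it also works on a carved section or a memory dump.
func ScanBytes(data []byte) GoFingerprint {
	fp := GoFingerprint{
		HasBuildInfoMagic: bytes.Contains(data, buildInfoMagic),
		HasBuildIDMarker:  bytes.Contains(data, buildIDMarker),
	}
	if m := goVersionRE.Find(data); m != nil {
		fp.Version = string(m)
	}
	return fp
}

// ScanFile runs the raw scan and then upgrades the result with the structured
// build info (exact toolchain version and main module) when the file is a
// parseable PE/ELF/Mach-O Go binary; otherwise the raw findings stand.
func ScanFile(path string) (GoFingerprint, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return GoFingerprint{}, err
	}
	fp := ScanBytes(data)
	if bi, err := buildinfo.ReadFile(path); err == nil {
		fp.Version = bi.GoVersion
		fp.ModulePath = bi.Main.Path
	}
	return fp, nil
}

// IsGoBinary is deliberately conservative: a bare "go1.x" string shows up in
// many non-Go files that merely mention Go, so it must be paired with a linker marker.
func (fp GoFingerprint) IsGoBinary() bool {
	return fp.Version != "" && (fp.HasBuildInfoMagic || fp.HasBuildIDMarker)
}

// SampleGoLikeBlob is a constructed stand-in for a Go-built PE (not a real
// sample): DOS stub text, the build-info magic, a version string and a build
// ID marker, padded with filler bytes. The build ID value is made up.
var SampleGoLikeBlob = bytes.Join([][]byte{
	[]byte("MZ\x90\x00This program cannot be run in DOS mode.\r\n"),
	bytes.Repeat([]byte{0}, 64),
	buildInfoMagic, []byte{8, 0}, bytes.Repeat([]byte{0}, 14),
	[]byte("go1.17.4\x00"),
	bytes.Repeat([]byte{0xcc}, 32),
	[]byte("\xff Go build ID: \"deadbeef/cafef00d/0123456789abcdef\"\n \xff"),
}, nil)

// SampleNonGoBlob is a constructed non-Go PE-like blob for comparison.
var SampleNonGoBlob = []byte("MZ\x90\x00This program cannot be run in DOS mode.\r\n.text\x00\x00\x00MSVCRT.dll\x00")

func main() {
	fmt.Printf("constructed Go-like blob: %+v\n", ScanBytes(SampleGoLikeBlob))
	fmt.Printf("constructed non-Go blob:  %+v\n", ScanBytes(SampleNonGoBlob))
	for _, path := range os.Args[1:] { // e.g. go run gofp.go suspicious.exe
		fp, err := ScanFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: go=%v version=%q module=%q\n", path, fp.IsGoBinary(), fp.Version, fp.ModulePath)
	}
}
```

The point for defenders is that a language switch changes the hash and the code-level signatures an engine learned from the C++ build, but it cannot hide the toolchain's own markers: every Go binary since 1.13 carries the build-info header, and `go version -m suspicious.exe` from a stock Go install will print the same version and module data that ScanFile reads. The raw scan is kept separate from the structured parse so the tool still says something useful about a packed or truncated file where debug/buildinfo fails.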
The variants also continue Arid Viper’s use of popular TV show character names in their domain names. In V1, the name Grace Fraser is used in a domain name. Grace Fraser is a character in the HBO series The Undoing. In V2, one name used is Pam Beesly, a character from the sitcom The Office.
Gilboa and Kenin say deep learning gives them an edge over rival security vendors in finding malicious code. Some competitors, the researchers wrote, rely on hand-tuned heuristics, or on hand-picked features fed into classic machine-learning models, to decide whether a file is malicious or benign. Other approaches run programs in a sandbox to gather more information.
Deep Instinct, by contrast, says it trains its models on huge volumes of samples rather than on hand-written rules.
“Researchers manually review the samples and then update their signature mechanism,” Hayun said. “We do it a little differently. We take huge amounts of data, so there’s a very high probability that our deep learning models have seen something similar before.
“They say, ‘I’ve seen something similar. I know this and this and that will increase the likelihood of something being malicious,’ so the next time something somewhat similar enters the model, it says, ‘I’ve seen something similar like that. I’ll give it the highest grade for being so malicious.’” ®