The Allure of Go's Cross-Platform Capability: A Gateway for Threats

Uh hey everyone am I audible? No I think I can. Hey uh uh first of all thanks to Bside organizers so for having me here. Um so yeah as we can see uh today's talk is about Golang malware specifically for Mac and Linux platform. uh we know like uh the telemetry is more into Windows side but we do have a lot of things to cover on Linux and Mac as well. So this is about this uh this is me uh currently working at Palotto networks pre sorry previously I was at crowd strike. So my day-to-day job uh is around malware and threat research. So if I am not you know like reversing malware or threatening or

doing any stuff related to malware. I usually go you know like tracks in Himalayan or like mountains. So this is me. Yeah. So this is today's agenda like we will look uh how Golang is used on both the platforms and how a single script can be used you know like to do maybe I mean we can say you know like benign on malicious things both and then following that uh we'll look uh how we can reverse engineing and do basic analysis so we'll not go much you know like in deeper set because of the time constraint but we'll see like how exactly we like what are the things we should be focusing on. So this will be

my goal to you know like quickly cover everything and you obviously like uh after you know like everything completing everything like analysis and reverse engineing so our focus is uh adding detections because that's the end goal uh and then obviously like hunting in the wild how we can like use basic techniques to get latest samples or you know like similar uh focusing on again Mac on Linux Mac and Linux and like uh we'll talk about uh some basic future developments what we can expect. So we can say uh you know like go language itself is uh really good. Uh you just write code once and you can you know like use it everywhere. Uh so it has a

lot of capabilities just yeah so first of all static linking uh cross compilation like I've mentioned and uh you know like it has multi- threading with with go routines we'll see in the some we'll see with some case studies of real malware samples uh we can see here with just using two environment variables like go o and go architect go arc we can you know like compile a single code for Linux and Mac both. This is a classic example of how a single script you know like this is used for a kind of a basic idea about how we can do the persistence on Mac and Linux. So on Mac it's launch agent and on Linux

it is auto start and yeah we can see uh it is it again uses go for you know like getting the OS version. Uh yeah. So this is the basic idea of how uh Go is good for developers but focusing on as a defender as a you know like detection engineer or reverse engine we need to understand like how we can understand like how we can use ghost capability to like on our side I mean uh how we can improve our detection capabilities. So as a defender it is quite you know like huge in size because of static linking. We can see some common malware families with sizes. So generally uh it's not fixed mostly you know like on ISO ISO or

zip files they are quite huge in sizes but most of these malware samples are you know like they are around 1 MB or less than 1 MB but most of the Goleng malware are huge in sizes like 4 MB plus uh like for example here uh then obviously stripping the binders uh which is common for all the malware but again because we are you know like talking about more into Mac, Mac and Linux. So yeah again just to hinder the uh you know like basic analysis then uh detection evation. So uh talking about you know like product perspective. So a lot of the a lot of AV vendors or EDS nowadays. So they have some limitation

with uh file sizes for example you know like X company or X product cannot evaluate file who have you know like Y size for example 5 MB or 10 MB. So that's how all I mean that's how Golang you know like can bypass some basic edr or a but nowadays like products are really good but the these are still used um again uh comparing to Windows we don't talk much about uh Mac and Linux uh these two platforms so again uh this is the classic growth of Mac and Linux uh like with go malware so like I have started started working looking into go malware since you know like last four five years. So at that time there

was not too too many go samples but still uh they're like the threat actors have started using these uh the like this language Golang and especially in like last two years we have seen almost like you know like 60% increase uh in the telemetry. Uh this is the uh like basic uh chart we can see. So uh you know like like like I've said initially so windows is more uh in day-to-day you know like telemetry if you see any open source platform or anywhere so 80% of uh the telemetry is around windows but you know like 10 or 15% is around Linux some Mac and then least for Android so but here we can see

uh you know like some around 20% Mac 33 or 34% Linux and like 46 or 47% for both because Again we are talking about you know like cross compilation. The these are some common malware families. Uh if I think you might have heard of some of these families. So they I know like target specific platforms and sometimes both uh they are you know like ransomwarees, red botn nets, crypto miners uh again some uh you know like supply chain attacks as well uh uh with uh some grow crossplatform capabilities and some has some partial capabilities and some you know like even when we see detection we'll see how difficult it is right to not too difficult But yeah, it is quite you know

like tricky to play with go samples especially on the detection and reversing side. So we'll see. Let's look at some case studies. So first of all like my focus is not actually analyzing the malware sample but focusing more on how you know like a particular malware family or threat actor used go library libraries or go routines for their own purpose. So yeah. So let's look at this c2 stealer. uh this is this focused on Mac OS quite not I would say a recent one but yeah it's been like almost a year or so uh we have seen sidulu stealer uh uh we'll see build ID uh we can see size so keep this build ID I mean uh you know you know

like keep remember this versions so this we will uh you know like talk about more about when we when we'll discuss about detection part again the size as we have seen uh you know like high in size. So let's see what are the capabilities of this citulus stealer. We can see obviously you know this is a stealer so it tries to grab something from the platform for example you know like targeting Chrome, Firefox and browser related data and lot more. So it actually reads escalate via this uh repo we can see and for credential dumping it uses OS Apple OSS script which is actually Apple script which uh actually you know like gives you a dialogue uh

and it tries to get some user info you user input it uses exec command via go and again keychain dumping again using exact dump and again it has some telegram capabilities. So we'll see uh you know like lot of go samples they have telegram capabilities because of easily integration of uh you know like telegram API. So uh this is quite I wouldn't say every sample it they have telegram capabilities but most of them have and especially the steelers not just go or not just for Mac and Linux but in general stealer try to you know like they tries to do use telegram for either excfiltration or you know like for infection or something but yeah

again it uses you know like OS user dot user for gathering basic info like user uh username, host name, IP addresses or OS version which is actually really useful to you know like further infect or understand uh like what's the user and like what is the platform and based on the data they collect they actually try to you know in infect further uh again it actually then after you know like collecting data the stealer try to zip everything together and then connect to C2 for exfiltration uh purpose. So again it uses standard library from go. Yeah this is basic offiscation like uh thus they try to you know like base encode like B 6 they use B 64 encoding

uh just for you know like uh for mostly for URLs just to kind of hinder uh detection or bypass some basic uh you know like uh rules I would say. uh this is basic script not actual malicious script or uh something from malware itself but just wanted to give a basic idea how this logic can be implemented on go uh but yeah don't use this uh for your own purpose this is just for education purpose so yeah you can take a reference again uh this is again example of zorat Linux sample we can see you know like for file system enumeration it uses file pathfor file acceleration And it uses TGbot API new document which we have

seen you know like uh again uh this is linked to telegram screenshot cap capturing using exec command and you know like system persistence again next is border go it is mostly into you know like IoT exploitation uh like we we can see with just uh you know like using go function it actually launches 30 plus exploits once at a And also it uses uh net.listen with just you know like a basic two lines of code to implement just to create you know like backd doorors. Uh again this is basic implementation of uh how this can be implemented like uh concurrent exploit execution and simple backd dooror listening. Then next is a jinx. I think if if we

have some pentest or redeemer here they must be knowing this tool. Um this is I think it it this is available in Kali Linux as well. I'm not sure I don't use much but uh I think it is available commercially as well. Uh so it it also uses go language. These are the advantages for aging uh you know like while using uh go like again you know like memory safeting it actually prevent crashes during high volume fishing campaigns. uh again crossplatform as we see you know like as we have seen same code same code base which actually runs on Linux, Windows or Mac uh kind of a you know like a diverse implementation with uh just a basic code

and then again uh TGbot API new message like we have discussed you know like using telegram API for telegram integration uh and also you know like sometimes they don't just use for either excfiltration or you know like initiation they they can use for you know like realtime notification they like using telegram bot API. So again this is basic example uh like how telegram bot initialization is implemented like uh and then sending captured sessions to telegram uh realtime proxy hunting with go http server uh basic example how this can be implemented in go. So these were the uh some case studies of uh you know like how go is used by threat actors to create malware. Again

uh this was not much of you know like actually analyzing the sample but I think you guys can have a basic idea of how uh you know like go is used or their libraries or go routines go routines are used. We'll see more into know like like reversing analysis. So this is theory part. So uh first of all you know like when you have given a basic malware sample or any sample uh whether it's just uh you know like malware sample benign or suspicious suspicious you do some basic you know like I would say static analysis or more into you know like theory how like what this binary is how uh like getting a basic idea about

binary so you just don't you know like uh try to copy it copy it in your VM and then uh you know like just execute it. So getting basic idea using static analysis or some theory I would say is a good first approach. So identify go binaries you know like finding go PCL and tab go uh like runtime do main these symbols or uh like sections is really good uh and we can use some you know like some tools like gom or go resolver uh so if you are if you don't have you know like IDA pro or if you are not you don't use IDA nowadays IDA is quite good with Golang but back days I think almost

a year or two years back we don't have too many scripts or open source tools to actually uh you know like help you with the uh like analysis. They will resolve a lot of things. Uh but uh the actual implementation or actual logic uh should be you know like use uh uh I mean implemented by the researcher itself. So then again analyzing go routines decoding strings. So and tracing external calls we'll discuss more in detection or reversing part. Let's move more you know like uh in to a practical approach. So uh you can use multiple tools like like I said you know like IDA or O tools or other CLI tools just to get the segments. Uh we can see go PSL

and tab and go build info. Uh now we have you know like we are pretty much confident that we are dealing with the go bindings again strings we know like strings are this is like very basic tool which we use uh you know like every time for irrespective of the platform or malware or you know like bindings we always use this. So we can we can see some basic info using strings like go build info and this is go version which we have seen in the case studies. So this is actually useful uh in you know like kind of a hunting or you can say detection part. Uh again some uh go routines like runtime main runtime

adjust frame. Uh yeah so this is string uh this is this was kind of a static part. Let's focus on you know like again this is a static part but let's focus on how actually you will you know like when you open it in any uh debugger or any tool uh how you will you know like start the appro what what what should be your approach. So we can just you know like uh just by checking the main functions uh I think you can uh just understand what this sample is trying to do. uh for example in this this is grabber. So these two screenshots are from different sample but again we have a good idea you

know like what this sample is uh they what they try what they will do uh but this is not always the case you will you won't find these mains functions. So uh once you open it in you know like any uh uh any like tool like IDA or githraw or anywhere you just like you know like there there will be you know like hundred of functions but start looking into main function just search and try to start from there. So this should be the only approach I would say I mean you can do static analysis more and more but it will just you know like uh like waste your time. So again let's discuss this

case. So as we can see this also this only has you know like main dot main functions not much uh functions other than main and main. So what we'll do in this situation so we will you know like trace back external calls via cross reference. Uh so I know uh I mean this is kind of a suspicious binary or I would say not I I won't say malware but kind of a suspicious binary. So I went to strings looked into exec command because I know this is a go sample from static analysis like I' have like we have discussed from exec command I've tried to you know like trace back from there and then reach out to actual

malicious code which is which actually tries to uh you know like stop some specific uh services on Linux. We can see some sunshine lip kill Linux uh function name. This name is quite obvious but just wanted to you know like give a basic idea of how we can trace back from external calls via cross reference and we can actually reach to the actual malicious code uh within the sample. Again debugging debugging is you know like almost similar to other malware samples but focus on main main domain function start from there even if you use some debugger for example if if in windows I don't want to talk much on windows but just wanted to you know give

you a basic idea if you want to do debugging on windows then I personally use x64 dbg IDA I think if I'm naming it naming it correctly. So this plugins actually copies comments and function names to your debugger and then you can you know like simply uh start the debugging if you if you don't use IDA. So this is a basic idea just go into main and start debugging from there. Don't you know like uh like look into other functions otherwise you will get confused because of the large binary size and you know like hundred of functions will be there. So it will be a little difficult to act actually you know like start from uh the main

functions or the first thing I mean which we actually look into other samples for example if it is written in C hash or C++ we actually just you know like execute the debug and it will take us to the uh initial point starting point but in case of Golang try to focus on main functions these these are some cheat sheet which we can use you know like for reverse engineing You can take uh a look at these uh tools. Some tools are specifically for you know like Mac, Linux, some are for both. So we can check. Let's talk about detection uh techniques for you know like uh like I said you know like uh for

static detection uh basic binary analysis try to get go build ID go versions which we have seen through strings or you know like some there are like some other tools which can get you go version which is actually really useful try to get some strings then like we have seen you like sections and segment analysis try to get some IOC's hardcore IO C's for example you know like hash uh impash or similar but in case of golang impach is not that much useful if uh I know like some of you folks might be using impach for other samples but impach is not that useful in case of Golang again because of stringing linking and uh so

this is a basic uh kind of a you know like rule uh yara rule which I have written you I mean any anyone can use this for kind of you know like and like for any purpose like writing detection or hunting. Let's focus on like some Mac OS specific detection techniques. For example, code signing violation. We know you know like most of the Mac OS binaries are signed. So if they are not you know like if they are unsigned or adox signed this is the obvious step you know like obvious thing that this particular binder is actually suspicious. We'll not be saying you know like this is this must be a malware or this particular bindary. If the

particular binary is unsigned then this is actually malicious. There might be some cases you know that uh some you know sometimes certificate may get expired but unsigned bindies obvious you know like especially in case of Mac OS this is and then again SIP monitoring system integrity protection uh you know like kind of a log monitoring for SIP violations we need to check gatekeeper and notoriization anomalies uh I mean we can see you know like how effective the detections are and how uh you know like difficult to write it. So this is a basic idea of how this can be implemented. Uh talking on Linux system call monitoring uh chron job elf boundary analysis on system b monitoring we can

use you know like estrays p trace and the best is ebpf. If you use uh this is really good to get you know like uh uh just monitor specific things related to go uh for example specific functions you know like eol weight or uh clone functions because uh these are quite heavily used in go so we can kind of use ebpf or s or ps for getting those things again implementation for uh logic implementation then again talking about you know like advanced detection techniques is go runtime detection, supply chain monitoring. We'll see in the next slide. I just uh I want to you know like quickly go through some of the last slides basic implementation again

uh I think you can take a look at this cheat sheet for detection uh what techniques we can use uh for a specific platform and and for both again and uh yeah so uh let's discuss quickly about the hunting uh you know like how we can hunt we can use multiple platforms but uh I have given you know like basic idea of how we can do it in uh IDA pro uh sorry uh virus total I know VT is available you know like even if you're not paid if it is not enterprise then it's still you can do basic searches so you can use these queries you know like the type is sizes high as we know Golang binaries are high

in sizes contain main domain and then positive how many detections you want so just you know like grab actual go malicious go malware in VT but we can use this logic everywhere Okay. Again, same for Mac OS. And this is uh you know like how we can uh you know like uh search go modules in public repos especially for supply chain attacks like uh you know like for uh in we can search in GitHub, GitLab anywhere any open source platform. cheat sheet for hunting uh how we can you know like what indicators we need to look on and then what are the detection method detection method for these things uh yeah uh future developments uh as we

know you know like uh everyone is crazy about AI so uh again uh like uh not just about go but in general uh like AI nowadays you know you you can even write create malware using some LLM models but don't try but I'm just you know like giving you an basic idea I mean L&Ms are capable to create basic malware and males script and then eBPF enhance capabil observability you know like deploying EBPF just to you know like get your low-level system calls or basic info uh supply chain verification like we have discussed I mean I know there like there like lot of things to discuss here but uh yeah I mean this is just a

basic idea and multi platform thread intel sharing for example you know if if you are writing detection for a for one platform then as we know Golang is you know like they have it has crossplatform capability so you know like maybe we write a detection for one platform then uh just by you know like tuning the rule we can use it for other platform as well so yeah this is uh it uh thank you uh uh I know this is quite fast one but because of the time constraint And I try to cover as many basic things as possible. So yeah, maybe uh next time uh you know like with some workshops focusing more on how we

can actually reverse engine uh samples but you can refer my some of my blogs I have written for crowdshe and palo alto uh where I have talked more you know like you know like about go samples itself. So and reach out to me if you have any doubts. So thank you. Thanks a lot.