
Aluma Lavi Shaari - Golang Malware: Using the attackers force against them

BSides TLV · 2021 · 20:17 · 981 views · Published 2021-08
Category: Technical
Style: Talk
About this talk
Go language has sharply increased its popularity among malware authors within the last few years, due to some features that make it very convenient for malware writing. We are going to find out how the same features also make it equally convenient for malware researchers to hunt those malwares down… https://2021.bsidestlv.com/agenda/golang_malware__using_the_attackers_force_against_them/
Transcript (en)

I am ready to introduce our next fantastic speaker, and she is a first-time speaker here at BSides Tel Aviv 2021. Aluma, thank you for joining us. I'm going to tell you a little bit about the romani, yes, please give her an applause. Now we join her here. Cheers! Aluma and Inbar are sharing a chaser, which is a long-time BSides Tel Aviv tradition, following the tradition of hacker conferences from around the world. So Aluma is a cyber security and malware researcher at CyberArk. I think malware researchers are some of the coolest people I know, because they can talk to malware and understand things. You know, I went to a malware reverse engineering workshop once, and I

just have such a respect for the work that you do. Well done. And actually she has a really cool fun fact, you will never guess, but Aluma's life goal is actually to travel all around the world and take a picture of herself doing a handstand. That's incredible. I can't do a handstand even without traveling the world, so I can't even imagine. I should try it. Definitely, I will. Maybe you can teach me. So today Aluma is going to talk to us about malware in Golang. Golang malware. Aluma, the stage is yours. Thank you very much. Thank you. Hi everyone, good morning. Thank you very much for having me, thank you for coming. I'm very excited to be here today.

I'm Aluma. I've been working in the information security world for the past seven years, and I currently work at CyberArk. I like to say that by day I'm a malware researcher, and by night I'm also a malware researcher. And I'm here today to talk to you about Golang malware. To be or not to be, that is the question: whether 'tis nobler in the mind to suffer the slings and arrows of outrageous fortune, or to take arms against a sea of troubles, and by opposing end them. These are only a few of the lines that I found inside a Golang malware, and I'm here today to tell you why we care about that and how we as defenders can benefit from

that. Go language, aka Golang, was released 12 years ago, and since then has become one of the most popular languages around. Many programmers say it is the new Python, and they prefer it because it's easy and simple to use. And like the programmers, so are the attackers, many of whom are now transitioning to writing their malware using Golang. And now that I've confused you with some random colors for malware names, let's continue. So what's so special about Golang malware? Is there an actual difference between a malware written in Golang and a malware written in any other language? Well, yes, and very. Golang is statically linked, which means that it has all of its imported

functions inside of it, instead of having an import table and calling functions in the system you're running on. Then if Golang imports a package, it also compiles the package into its binary. In addition, the assembly that a Golang program consists of is much different than any other language, because Golang is supposed to be fast. Then it doesn't bother to push the arguments onto the stack and to clear the stack after the function returns. So when you're opening a Golang malware in IDA and try to look at its assembly, you won't see any push and pop commands, which makes it kind of weird for a malware researcher who's used to analyzing any other

malware. So until now I've told you how much Golang is good for the attackers and bad for the defenders, but that's not, sorry, but that's not the subject of this talk. In the rest of this lecture I'm going to show you actually how Golang is good for the defenders, and how we as defenders can use its properties for our benefit. Today everything is open source, right? Open source is fun, it's cool, it helps you to share your code with the rest of the world, it helps you to contribute to projects that were written by people you don't even know. And Golang, being the modern and updated language it is, obviously has to use some open source,

and indeed Golang uses a lot of open source packages. Now if you write a program in Golang, then you'll most probably want to use some open source packages, because there are tons of them and they are very easy to find. Actually there are some websites that are destined only for this purpose, for helping you find the proper package for your code. Now again, not just you but also the attackers would use many packages for their code; it saves them a lot of time and effort. Well, there's a catch, because whenever you're using a package in your Golang code, then the name of the package appears in clear text inside of your binary,

and whenever you're opening a Golang malware, or any Golang binary, you could see the entire list of names of the packages that were used by the malware. Well, okay, that's fine, but what else? So because Golang has so many different packages, because it's open source and anyone can write their own packages, then the odds that two malwares, or any two samples, would have the exact same set of packages and they won't be related to each other are very, very small. So what we can do with this information is we can take our malware, get the list of the packages, which is, you know, very easy to do, and then combine a very simple YARA rule and sign it

to find some other samples that are related to the same attacker. Again, the odds that we will have a false positive and have a different sample that's not related at all are very, very small. And this is only because Golang used packages, and it handed us a weapon to find some other samples like it. Let's talk about timing. Well, if you are here, then if you are a malware researcher or an IR investigator or maybe an APT hunter, then you know that you must have the timing of your attack, which means the timestamps of the tools that were used in the attack. Timing is very important. You need it to understand when the attack

happened, or to understand the difference between different tools, or if you're researching a large attack group, then you'll want to understand what tools came before what, and what new functionality the malware has, and also the evolution of the group, which results in the new functionality of the malware. Anyway, timestamps are important. Well, if we're dealing with Windows PE files, then this information is mostly easy to get. We actually have this information inside of the PE structure. You just go, as you can see, this is one example, obviously, you can go to the NT headers and the image file header, and then there is a small but useful field which holds the timestamp. It's very

easy to just open the file yourself and get this information, and also you can use any Windows tool you like, such as PE Explorer and CFF Explorer, or any other. Well, that's fine, but what about Linux files? As you all know, with the increasing usage of cloud servers today, so is increasing the usage of Linux malware. Then we as defenders, as malware researchers, we need to have the same set of tools that we have for researching Windows, for Linux. Well, there is a small problem, that Linux files, ELF files, do not contain the compilation timestamps in them. Some of the compilers actually do, but not all of them. Well, we need that information. That's

where actually Golang comes in to help. So let's go back. We said that Golang contains some packages. Now if we take a good look at those packages and we search them in GitHub, then we can see that most packages have different releases. Well, that makes sense, because, you know, whenever you're uploading your code to GitHub, then you'll probably want to update it every now and then. So almost every package has different releases, and each of these releases has its own release date. So this is a date we can use: if we can understand what release of the package was used in our malware, then we can get the release date, which is a minimum date for our malware to be compiled, because

obviously we can't use a release version that wasn't released yet. Well, that's great, but we said that I can understand the package that was used. How can I get the exact release? Let's think about it. I can, you know, search for a string that tells me "hi, I'm release..." and so on, but that's not a very good idea. So what other differences are there between different releases of the same package? That's right, there are functions, because obviously when you're updating your code, then you'll add some more functionality, therefore some new functions. So all we have to do now is get the list of the functions of the package from our malware, and again, because Golang is statically

linked, then we have this information, and compare this list of functions against the different releases of the package, and then we can see that some of the functions were added in the second release. So we understand that the release date of this release is a minimum date for our malware. All we have to do now is do the same process for each of the packages that is used in our malware, and then combine this beautiful table up here, and then all we have to do is just get the latest of those dates, and this is the earliest possible date for our malware. And this is information that Golang helped us to get,

because in other languages we wouldn't be able to get this information for a Linux ELF file. Now let me tell you a story. Once upon a time, on one bright shiny day, I came into my office, I put my bag on my seat, I went to the kitchen, made a cup of coffee, said hi to my friends. Then I sat down, opened my PC, opened the findings I have from yesterday, loaded the IDB. Back then I was researching a Golang malware named Kinsing. Now back then I already had some good idea what's going on, I had some pretty nice findings, so I was kind of cool. But then I wanted to make sure that I

didn't miss anything important, so I opened the Strings window in IDA, and then a strange and long string just popped up and caught my eye, and that was this string. Now for any of you who doesn't recognize it, this is a line from the Hamlet play, which was written by the great almighty Shakespeare. Well, this is kind of strange, so I tracked the offset of this line, and then I found this, which is the entire text of the Hamlet play inside of the Kinsing malware. And this is kind of how I looked when I saw it. Well, after laughing about it and joking about it with my friends, I started thinking, okay, why? What does it do, though?

And I started digging in, and I saw some researchers from other companies who have already seen this evidence, and most of them were like, okay, so it's probably, maybe, to increase the size of the file, or to make investigating, all things, it's, I don't know, a Hamlet play inside a... I don't know. Anyway, arden said that the purpose of Hamlet being in the Kinsing malware is to hide the fact that it's malware, or the malware functionality. Well, that didn't make so much sense to me, because there are so many way better ways to hide your malware. So I kept thinking, and actually I came up with a different idea. Now let's take a quick break. Please

raise up your hand, any of you who has ever downloaded an open source tool and run it on your computer. It can be any script, it could be any Python tool, anything. Including me, actually. Great, thank you very much. Now please keep your hand up if, whenever you're doing that, you're checking the code that you're downloading and making sure that it does just what you think it does, and only what you think it does. Really? I would like to talk with you afterwards. Anyway, most of us don't. I specifically don't, everyone I know doesn't. So let me tell you something: no one ever checks the source code. No one. I've never met anyone. If I would

like to speak with you and with everyone who does. Well, it's not just you guys and me, it's also the attackers who write the malware. So when I kept researching and digging in, I saw that there is code that's actually referencing this Hamlet play. So I went to this code and I tried to figure out, okay, what? And you can see the snippet from IDA right here. But that code isn't of the program itself, it's actually of one of the packages that is used in the malware. And when I went on and I tried to understand the package, and, like, what the hell, I went to the package in GitHub and

then I saw this. The package that is used in the malware is pkger, which is written by Mark Bates. Now look at its path. We can see that inside of the pkger package there is another GitHub package, which was also written by Mark Bates, which is named hepa. Now this is not a normal path of a package in GitHub. Now let's look at the code. This is the code from the hepa package. Now you'll have to excuse me for not putting here the entire code of it, it's kind of long, but come and trust me about that, this is the code from hepa, and what it

does is simple. Let's say, for a hypothetical scenario, that you have written a very cool script for, let's say, maintaining your AWS servers or Azure resources. Well, you have your script and it's cool and it's doing what it's supposed to do, but you need to enter your credentials into it, because when you want to access your remote resources you obviously need to authenticate. Now those credentials might be a password, they can be a token, anything you'd like, but it is probably hard-coded in your script. Now let's say you want to share your awesome script with the rest of the world, and you want to upload your script to GitHub or any other website. Well, then

you'll have to go line by line and make sure that you didn't forget any of your passwords in it. Now what the hepa package does is kind of cool, actually. It looks through your code and makes sure that you didn't forget any password there. It looks for strings that look like "password" or "credentials" or "token" or "username" or any of that, and then it replaces your password with a random phrase from Hamlet. Think about how cool it is when you're downloading a script that's meant for AWS servers and then you find, like, "to be or not to be" inside of the script. Kind of cool. The next question you're going to ask me is:

okay, cool, but why would a malware use it? That's a great question, thank you. But actually it doesn't. Well, the Kinsing malware, as we said, doesn't use this code. This code is just a part of the package. And let's go back. We said that here we have the hepa package inside of the pkger package. Well, this is a mistake, and I know that because no other version of the pkger package contains the hepa package, and only a few days after this release was released, Mark Bates released a new release, a new version of the code, which does not include the hepa package. So what happened, I guess, is that when Mark Bates programmed the pkger

package, by mistake he had also the hepa package inside of its repository, and then he uploaded them both. And bad luck, but when the Kinsing malware also downloaded the pkger package, it also downloaded the hepa package, and without knowing it inserted it into the malware. So until now it's a fun story, right? Like the malware author also by accident inserted a full play into the malware. But what can we do with it, with this, except for having fun with friends? Let's think about it. Well, now I know that the malware contains the Hamlet play, right? So I can get some YARA rules, and

they're actually very simple YARA rules. I can get a YARA rule that contains some of the Hamlet text and then try to search for some other related samples. Well, believe it or not, it's working, and I got like 30 more samples of Kinsing just with this signature. But now you're going to tell me, wait, but in the beginning of this lecture you said let's use the packages for signing, so why use Hamlet as well? Well, you're right, again, thanks. So this is not very interesting, because we have better YARA rules. What else? Let's think about it. We know that the author of the malware doesn't check the code that they are using inside of the malware. Well, it

means that we can put there any code we'd like and it would run inside of the malware. Let's say we have a package that does something and the malware wants to use this package, but then the code in the package actually does something else. Well, I can't expose here what we did or didn't do with this information in CyberArk, but I think you can imagine it for yourself, and you can think by yourself of the enormous world of possibilities that just opened up to us. So we've talked about the packages in the Golang malware that help us to sign it very quickly and very easily. We've talked about the timestamp issues, that Golang actually

helps us to get the timestamp of a malware even if the file itself doesn't contain it. And we've also talked about the huge world of people who don't check the code that they're running, including the malware authors. So I'm not going to tell you if you should write your malware with Golang or not, that's all up to you, but if you do, make sure you're not making the life of whoever is hunting you much easier. Thank you very much.
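The two defender techniques the talk describes, the package-set YARA signature and the release-date lower bound for a Go ELF build date, as an added example in Python that is not the speaker's or CyberArk's code. It runs over a constructed list of Go symbol names; the import paths, functions, versions and release dates are invented for the demo.

```python
# Constructed symbol names as `go tool nm` prints them; in a real case they come from the binary.
SAMPLE_SYMBOLS = [
    "github.com/example/netlib.Dial",
    "github.com/example/netlib.DialTLS",
    "github.com/example/netlib.(*Conn).Close",
    "github.com/example/crypt.Encrypt",
    "github.com/example/crypt.Decrypt",
]
# Constructed release history: import path -> [(version, ISO date, exported funcs)], oldest first.
RELEASES = {
    "github.com/example/netlib": [
        ("v1.0.0", "2019-03-01", {"Dial", "(*Conn).Close"}),
        ("v1.1.0", "2020-06-15", {"Dial", "DialTLS", "(*Conn).Close"}),
    ],
    "github.com/example/crypt": [
        ("v0.1.0", "2018-11-20", {"Encrypt"}),
        ("v0.2.0", "2019-09-05", {"Encrypt", "Decrypt"}),
    ],
}

def split_symbol(sym):
    """'import/path.Func' -> (import path, func); None for std-library or main symbols."""
    slash = sym.rfind("/")
    # Go escapes dots inside the last path element, so the first dot after it ends the path.
    dot = sym.find(".", slash) if slash >= 0 else -1
    return (sym[:dot], sym[dot + 1:]) if dot > 0 else None

def functions_by_package(symbols):
    """Group observed third-party symbols as {import path: {function names}}."""
    grouped = {}
    for pkg, fn in filter(None, map(split_symbol, symbols)):
        grouped.setdefault(pkg, set()).add(fn)
    return grouped

def earliest_release(pkg, funcs):
    """Oldest known release of pkg that already contains every observed function."""
    for version, released, exported in RELEASES.get(pkg, []):
        if funcs <= exported:
            return version, released
    return None  # unknown package, or functions newer than any release we know

def earliest_build_date(symbols):
    """The talk's bound: the binary cannot predate the newest per-package minimum date."""
    best = None
    for pkg, funcs in functions_by_package(symbols).items():
        hit = earliest_release(pkg, funcs)
        if hit and (best is None or hit[1] > best[0]):
            best = (hit[1], pkg, hit[0])
    return best  # (ISO date, package that sets the bound, its version), or None

def yara_rule(symbols, name="go_package_set"):
    """The simple YARA rule the talk describes: require the binary's whole set of import paths."""
    pkgs = sorted(functions_by_package(symbols))
    strings = "\n".join(f'        $p{i} = "{p}"' for i, p in enumerate(pkgs))
    return f"rule {name} {{\n    strings:\n{strings}\n    condition:\n        all of them\n}}"
```

The bound only holds when later releases keep earlier functions; a package that removes or renames functions needs the comparison done against the full function set of each release rather than a superset check.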