Intezer - Genetic Malware Analysis for Golang

Blog

Cybersecurity DNA

Genetic Malware Analysis for Golang

Intezer
20.11.19 | 4:51 pm
Share:
FacebookTwitterLinkedIn

Intezer Analyze now proudly supports genetic analysis for files created with the Golang programming language. Community and enterprise users can detect and classify malware written in Go, within seconds!

Why is this Important?
Golang, also known as Go, is Google’s open-source programming language which has become popular among developers in the Windows and Linux platforms. While well-known open source projects such as Kubernetes and Docker are written in Go, this programming language is being exploited by adversaries to develop malware.

Golang malware may still be in its infancy, but according to Palo Alto Networks we can expect Go-compiled malware to constitute a much larger market share of developed malware in years to come.

Even further, with the rapid growth of cloud infrastructure in recent years—and Linux becoming the predominant choice for cloud computing—Go malware could become a greater threat to enterprise cloud security.

Below are the Intezer Analyze features which are currently available for Golang:

    • Code reuse
    • View related samples
    • View the assembly code
    • Create vaccinations (code-based YARA rules) for proactive threat hunting (available in our enterprise edition)
    • IDA Pro plugin (available in our enterprise edition)

HTRAN Case Study
One of the advantages to genetically analyzing files written in Golang is being able to identify code connections between Windows and Linux executables. As evidenced by the recent discovery of ACBackdoor, cross-platform malware does exist between the two platforms.

HTRAN is a hacking tool used by adversaries to conceal their location when interacting with victim networks. Below Intezer Analyze has detected Linux and Windows variants of HTRAN which share code with each other:

  • Genetic Analysis of Linux (ELF) Variant
    This HTRAN Linux instance currently has 0 detections in VirusTotal. When you click on apt_golang_htran under the code reuse section you can see related samples, which includes the Windows variant (with only one detection in VirusTotal).

Screen Shot 2019 11 20 at 10.55.59 AM

Screen Shot 2019 11 20 at 10.41.58 AM

Screen Shot 2019 11 19 at 10.47.34 AM

Intezer Analyze Community
Intezer proudly supports Genetic Malware Analysis for Windows and Linux executables, in addition to Android APK files. If you’re not an Intezer Analyze community user we encourage you to sign up for free at analyze.intezer.com. Community users can upload up to 10 files and scan one endpoint per day in order to:

    • Detect code similarities to known malware, legitimate applications, libraries, and more
    • Detect advanced in-memory threats such as malicious code injections, packed, and fileless malware
    • Obtain insights about malware families and threat actors
    • Receive monthly updates about new features, research, webinars, and more

Additional Resources:

More about Golang Malware:

By Intezer

Intezer introduces a Genetic Malware Analysis technology, offering enterprises automated malware analysis for improving their security operations and accelerating incident response. Intezer’s platform provides a fast, in-depth understanding of any device or file by mapping its code DNA at the ‘gene’ level. By identifying the origins of every single piece of code within seconds, Intezer can quickly detect code reuse to known malware, as well as code that was seen in trusted applications.

Register to our free community

© Intezer.com 2019 All rights reserved