Golang is Google’s open-source programming language, which in recent years has gained attention among developers. It is not only used for good purposes but, in a developing trend, malicious intent is often observed in Golang code.

The fact that Golang supports cross-compiling makes it a tempting option for IoT malware attacks. This has resulted in a proliferation of IoT malware written in Go. For this reason, we decided to dive deeper and develop our own toolset to become more effective at combating Go malware.

When it came to dissecting Go malware, reverse engineers found themselves faced with a hurdle. Go presents new challenges that make the binary analysis more difficult. Go binaries are usually statically linked, requiring analysts to do a lot of manual work in figuring out which function is a system library. In order to aid and automate this process, we have created custom scripts for Ghidra.

When compiling a Go binary, debug information such as strings, variable and function names and method names are usually saved inside the binaries. If these properties are absent, reverse engineering becomes harder: malware developers know this. That is why they have started to abuse open-source projects like gobfuscate, which obfuscates all debug information in the source code and compiles the binary without it.

Threat actors have recently started to distribute Linux malware encrypted with a new crypter called Ezuri. Ezuri is a crypter and a memory loader, which is misused as a wrapper for malicious binaries in order to evade detection by anti-virus vendors.

The talk will consist of:

• Introduction to IoT malware families written in Go.
• Discussion of the unique features and hurdles of Go binaries.
• Tackling common problems when reverse engineering Go malware.
• Sharing our Ghidra scripts that we use during reverse engineering.
• Investigating the recent developments around Golang obfuscation and Linux crypters