Threat actors are increasingly using ransomware written in the Go programming language; Babuk, Hive, and HelloKitty, along with a slew of other Golang-based threats, are among them. Go, introduced by Google, is a statically typed, object-oriented, cross-platform programming language. Its syntax is comparable to C, but it adds memory safety, garbage collection, structural typing, and CSP-style concurrency. Because of its domain name, golang.org, the language is often referred to as Golang, but its true name is Go.
DECAF is a new ransomware strain discovered by Morphisec Labs and written in Go 1.17. The first version, which still contained symbols and a test assertion, was discovered in late September. The attackers quickly stripped that original alpha version, added more functionality, and submitted the stub version to test its detection score. Within a week they had a fully weaponized version on a customer site.
Go 1.17 is the most recent release, arriving six months after Go 1.16. Most of the changes are to the toolchain, runtime, and libraries. Go 1.17 also includes three small enhancements to the language itself:
• Conversions from slice to array pointer: An expression s of type []T may now be converted to the array pointer type *[N]T. If a is the result of such a conversion, then corresponding indices that are in range refer to the same underlying elements: &a[i] == &s[i] for 0 <= i < N. The conversion panics if len(s) is less than N.
• unsafe.Add: unsafe.Add(ptr, len) adds len to ptr and returns the updated pointer unsafe.Pointer(uintptr(ptr) + uintptr(len)).
• unsafe.Slice: For an expression ptr of type *T, unsafe.Slice(ptr, len) returns a slice of type []T whose underlying array starts at ptr and whose length and capacity are len.
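The three Go 1.17 language additions listed above, as a runnable example added here (it is not code from the article or from the DECAF sample). The helper names AsArrayPtr, ElementAt and AsSlice are my own; the language features they exercise are the real ones from the Go 1.17 release. The example also shows the checks a careful author wraps around them: AsArrayPtr rejects a too-short slice instead of letting the conversion panic, and ElementAt bounds-checks the index before handing a computed address to unsafe.Add.

```go
package main

import (
	"fmt"
	"unsafe"
)

// AsArrayPtr converts a slice to an array pointer (Go 1.17 feature).
// The language conversion (*[4]int32)(s) panics when len(s) < 4, so the
// length is checked first and nil returned instead. The returned array
// aliases the slice's backing storage: writes through it are visible in s.
func AsArrayPtr(s []int32) *[4]int32 {
	if len(s) < 4 {
		return nil
	}
	return (*[4]int32)(s)
}

// ElementAt reads s[i] by pointer arithmetic with unsafe.Add (Go 1.17).
// unsafe.Add(ptr, n) returns unsafe.Pointer(uintptr(ptr) + uintptr(n)); the
// offset is i elements times the element size. The bounds check keeps the
// computed pointer inside the slice's allocation, which unsafe itself never
// verifies.
func ElementAt(s []int32, i int) (int32, bool) {
	if i < 0 || i >= len(s) {
		return 0, false
	}
	base := unsafe.Pointer(&s[0])
	p := unsafe.Add(base, uintptr(i)*unsafe.Sizeof(s[0]))
	return *(*int32)(p), true
}

// AsSlice builds a slice of length and capacity n whose backing array starts
// at ptr, using unsafe.Slice (Go 1.17). The caller is responsible for ptr
// pointing at least n valid elements; here we only use it on addresses
// taken from an existing slice.
func AsSlice(ptr *int32, n int) []int32 {
	return unsafe.Slice(ptr, n)
}

func main() {
	// Constructed sample data for the demonstration.
	s := []int32{10, 20, 30, 40, 50}

	a := AsArrayPtr(s)
	a[1] = 99 // aliases s[1]
	fmt.Println("after write through array pointer:", s)
	fmt.Println("too-short slice rejected:", AsArrayPtr(s[:3]) == nil)

	v, ok := ElementAt(s, 2)
	fmt.Println("ElementAt(s, 2):", v, ok)
	_, ok = ElementAt(s, 7)
	fmt.Println("ElementAt(s, 7) in bounds:", ok)

	tail := AsSlice(&s[2], 3)
	fmt.Println("unsafe.Slice view:", tail, "len", len(tail), "cap", cap(tail))
}
```

Run it with go 1.17 or later; older toolchains reject both the slice-to-array-pointer conversion and the two unsafe functions at compile time, which is one quick way to tell a 1.17 build from an older one.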
The data required for the ransomware's malicious activity is set up during the initialization stage. The malware begins by parsing the --path command-line argument, which names the root directory from which the ransomware will recursively encrypt files. Its next task is to determine which directories it should encrypt.
It checks whether --path is set, and if it isn't, it calls FileUtils.ListDriverRootPaths(). Researchers found that ListDriverRootPaths iterates over all potential drives, selecting those whose type is anything other than DRIVE_CDROM. The malware's final action in this stage is to construct a WMI object for later use.