Posts with label Golang

Titan-Stealer: A New Golang-based Info-Stealer Malware


A new Golang-based information stealer, 'Titan Stealer', is being promoted by threat actors through a Telegram channel. Initial details of the malware were found by security researcher Will Thomas in November 2022 using the IoT search engine Shodan.

Titan is advertised as a malware builder that lets buyers customise the binary's functionality and choose which types of data are extracted from a victim's system.

When launched, the malware uses process hollowing to inject its payload into the memory of a legitimate process, AppLaunch.exe, Microsoft's .NET ClickOnce Launch Utility.

According to a recent report from Uptycs, researchers Karthickkumar Kathiresan and Shilpesh Trivedi say, "the stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files."

Targets of the Info Stealer

The Titan Stealer has been targeting web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. 

Additionally, it has the ability to collect data from the Telegram desktop app and compile a list of the host's installed programs. 

The gathered data is transmitted as a Base64-encoded archive to a remote server under the attacker's control. The malware also ships with a web panel through which the operators access the stolen data.

How Is Titan Stealer Distributed?

The exact distribution method is still unclear, but the threat actors have used several channels, including phishing, malicious ads, and cracked software.

"One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS," says Cyble in its analysis of Titan Stealer. "Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software." 

The findings come a little over two months after SEKOIA unveiled Aurora Stealer, another Go-based malware that is being used by a number of criminal actors in their campaigns. 

Aurora Stealer typically spreads through websites that impersonate well-known software, with the same domains repeatedly updated to host trojanized versions of different programs.

It has also been seen using padding, appending random data to inflate its executables to as much as 260MB, to evade antivirus scanning: many scanners and sandboxes skip files above a size limit.

FritzFrog Botnet Grew Tenfold by Attacking Healthcare, Education, and Government Systems

 

The FritzFrog botnet, active for more than two years, has resurfaced with an alarming infection rate, growing tenfold in a single month by attacking healthcare, education, and government networks through exposed SSH servers. FritzFrog, Golang malware first documented in August 2020, is both a worm and a peer-to-peer botnet, and has previously targeted the government, education, and finance sectors.

The malware assembles and executes its payload entirely in memory, so it runs fileless. Because of its proprietary P2P implementation there is no central command-and-control (C&C) server issuing instructions to FritzFrog: the botnet is self-sufficient and decentralised. Despite its aggressive brute-force approach to breaching SSH servers, it is strangely efficient at spreading targets evenly across a network.

Guardicore Labs has been monitoring FritzFrog with its honeypot network for some time. "We started monitoring the campaign’s activity, which rose steadily and significantly with time, reaching an overall of 13k attacks on Guardicore Global Sensors Network (GGSN). Since its first appearance, we identified 20 different versions of the Fritzfrog binary," said the company in a report published in August 2020, authored by security researcher Ophir Harpaz.

Researchers at Akamai have discovered a new version of the FritzFrog malware with notable new features, such as the use of a Tor proxy chain. The new variant also shows signs that its operators are preparing to target WordPress servers.

Although Akamai's global sensor network logged 24,000 attacks, the botnet has claimed only 1,500 victims so far. Most infected hosts are in China, but compromised systems also include a European TV network, a Russian healthcare organisation, and several East Asian universities. The operators have added a filter list that skips low-powered devices such as Raspberry Pi boards, and the malware contains code laying the groundwork for targeting WordPress sites.

Given that the botnet is known for cryptocurrency mining, the WordPress code is an odd addition; Akamai believes the attackers are exploring new ways of monetising access, such as deploying ransomware or leaking data. The functionality is dormant while it is being developed. The researchers note that FritzFrog is under constant development, with bugs fixed on a daily basis.

FritzFrog targets any device that exposes an SSH server, so administrators of data-centre servers, cloud instances, and routers must pay attention, the researchers say. Akamai's recommendations include enabling system login auditing with alerting, monitoring the ~/.ssh/authorized_keys files on Linux (the worm persists by adding its own public key there; the OpenSSH file is authorized_keys, not "authorized_hosts"), and configuring an explicit allow list for SSH logins.
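Akamai's first recommendation, login auditing with alerting, is the cheapest way to spot FritzFrog-style SSH brute forcing. The Go program below is an added example (my code, not Akamai's or Guardicore's tooling) that parses constructed log lines in OpenSSH's auth.log format, alerts on any source that fails authentication five times within a minute, and flags the case that matters most: a password login that succeeds from a source still over the threshold, which is exactly how a credential-guessing worm gets in. The timestamps, addresses and user names are invented; the window and threshold are assumptions to tune per environment.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is one sshd authentication outcome.
type Event struct {
	When    time.Time
	Success bool
	User    string
	Source  string
}

// Alert summarises one source address that crossed the brute-force threshold.
type Alert struct {
	Source          string
	Failures        int      // total failures from this source
	Users           []string // distinct user names tried
	Compromised     bool     // a login succeeded while the source was still over threshold
	CompromisedUser string
}

// SampleAuthLog is constructed input in the format OpenSSH writes to auth.log;
// the addresses are documentation ranges and the key fingerprint is a stand-in.
const SampleAuthLog = `Jan 12 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 10:00:02 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 12 10:00:02 host sshd[2003]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 10:00:03 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jan 12 10:00:04 host sshd[2005]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 12 10:00:05 host sshd[2006]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2: ED25519 SHA256:c3RhbmQtaW4
Jan 12 10:00:09 host sshd[2007]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jan 12 10:00:10 host sshd[2008]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Jan 12 10:30:00 host sshd[2009]: Failed password for bob from 192.0.2.5 port 33000 ssh2
`

var lineRE = regexp.MustCompile(
	`^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseAuthLog extracts authentication events. Syslog timestamps carry no year,
// so the caller supplies it.
func ParseAuthLog(text string, year int) []Event {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		t, err := time.Parse("Jan _2 15:04:05", m[1])
		if err != nil {
			continue
		}
		when := time.Date(year, t.Month(), t.Day(), t.Hour(), t.Minute(), t.Second(), 0, time.UTC)
		events = append(events, Event{When: when, Success: m[2] == "Accepted", User: m[3], Source: m[4]})
	}
	return events
}

// DetectBruteForce raises an alert for any source with at least threshold
// failures inside a sliding window, and marks it compromised if a login from
// that source succeeds while it is still over the threshold.
func DetectBruteForce(events []Event, window time.Duration, threshold int) []Alert {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })

	recent := map[string][]time.Time{}    // failure times still inside the window
	total := map[string]int{}             // all failures per source
	users := map[string]map[string]bool{} // user names tried per source
	index := map[string]int{}             // source -> position in alerts
	var alerts []Alert

	for _, ev := range sorted {
		src := ev.Source
		kept := recent[src][:0] // drop failures that fell out of the window
		for _, t := range recent[src] {
			if ev.When.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		recent[src] = kept

		if ev.Success {
			if i, ok := index[src]; ok && len(recent[src]) >= threshold {
				alerts[i].Compromised = true
				alerts[i].CompromisedUser = ev.User
			}
			continue
		}
		recent[src] = append(recent[src], ev.When)
		total[src]++
		if users[src] == nil {
			users[src] = map[string]bool{}
		}
		users[src][ev.User] = true
		if _, ok := index[src]; !ok && len(recent[src]) >= threshold {
			index[src] = len(alerts)
			alerts = append(alerts, Alert{Source: src})
		}
	}
	for src, i := range index {
		alerts[i].Failures = total[src]
		for u := range users[src] {
			alerts[i].Users = append(alerts[i].Users, u)
		}
		sort.Strings(alerts[i].Users)
	}
	return alerts
}

func main() {
	events := ParseAuthLog(SampleAuthLog, 2023)
	for _, a := range DetectBruteForce(events, time.Minute, 5) {
		fmt.Printf("%s: %d failures, users %v, compromised=%v (%s)\n",
			a.Source, a.Failures, a.Users, a.Compromised, a.CompromisedUser)
	}
}
```

A source that trips the threshold without ever succeeding is background noise from the internet; a source that then succeeds is an incident and is the alert worth paging on. The detector only sees password and public-key outcomes, so the key FritzFrog drops into authorized_keys still needs the file monitoring Akamai lists separately.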

A New Ransomware Variant Based on Golang has Surfaced

 

Threat actors are increasingly writing ransomware in Go; Babuk, Hive, and HelloKitty are among them, alongside many other Golang-based threats. Go, introduced by Google, is a statically typed, compiled, cross-platform programming language. Its syntax resembles C, but it adds memory safety, garbage collection, structural typing, and CSP-style concurrency. Because of its domain name, golang.org, the language is often called Golang, but its proper name is Go.

DECAF is a new ransomware strain discovered by Morphisec Labs and built with Go 1.17. The first version, which still contained symbols and a test assertion, was found in late September. The attackers quickly stripped that alpha build, added functionality, and uploaded the stub to check its detection score. Within a week they had a fully weaponised version running on a customer site.

Go 1.17 was the current release at the time of writing, arriving six months after Go 1.16. Most of the changes are in the toolchain, runtime, and libraries; the language itself gained three small additions:

 • Conversions from slice to array pointer: an expression s of type []T may now be converted to the array pointer type *[N]T. If a is the result of such a conversion, then corresponding in-range indices refer to the same underlying elements: &a[i] == &s[i] for 0 <= i < N. The conversion panics if len(s) is less than N.

 • unsafe.Add: unsafe.Add(ptr, len) adds len to ptr and returns the updated pointer, unsafe.Pointer(uintptr(ptr) + uintptr(len)).

 • unsafe.Slice: for an expression ptr of type *T, unsafe.Slice(ptr, len) returns a slice of type []T whose underlying array starts at ptr and whose length and capacity are len.
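The three additions above are the ones an analyst meets in Go code that handles raw memory, and two of them perform no bounds checking at all. The snippet below is an added example (not DECAF's code or Morphisec's analysis) exercising each one: the slice-to-array-pointer conversion with its short-slice panic caught, the aliasing rule quoted in the release notes, and a field extractor built from unsafe.Add and unsafe.Slice whose only protection against reading past the buffer is the explicit check in front of them. Function names such as ToArrayPtr and Field are mine, and the "HDR" buffer is constructed.

```go
package main

import (
	"fmt"
	"unsafe"
)

// ToArrayPtr performs the Go 1.17 slice-to-array-pointer conversion and turns
// the len(s) < N panic into an error, so a caller handing it an undersized
// buffer gets a clean failure instead of a crash.
func ToArrayPtr(s []byte) (p *[4]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			p, err = nil, fmt.Errorf("slice to *[4]byte: %v", r)
		}
	}()
	p = (*[4]byte)(s) // panics if len(s) < 4
	return p, nil
}

// AliasesBacking checks the aliasing rule from the release notes: the array
// pointer and the slice share elements, so &a[i] == &s[i] and a write through
// one is visible through the other.
func AliasesBacking() bool {
	s := []byte{1, 2, 3, 4, 5}
	a := (*[4]byte)(s)
	a[0] = 0xAA
	return s[0] == 0xAA && &a[3] == &s[3]
}

// Field returns length bytes of buf starting at offset, built the way a
// hand-rolled binary parser might: unsafe.Add moves the base pointer and
// unsafe.Slice builds a slice view over it. Neither call checks bounds, so
// the check up front is what keeps this from reading past buf; without it a
// crafted offset/length pair reads arbitrary memory with no panic.
func Field(buf []byte, offset, length int) ([]byte, error) {
	if offset < 0 || length < 0 || offset > len(buf) || length > len(buf)-offset {
		return nil, fmt.Errorf("field [%d,%d) outside %d-byte buffer", offset, offset+length, len(buf))
	}
	if length == 0 {
		return []byte{}, nil
	}
	base := unsafe.Add(unsafe.Pointer(&buf[0]), offset)
	return unsafe.Slice((*byte)(base), length), nil // aliases buf, no copy
}

func main() {
	fmt.Println("array pointer aliases slice:", AliasesBacking())
	if _, err := ToArrayPtr([]byte{1, 2, 3}); err != nil {
		fmt.Println("short slice:", err)
	}
	buf := []byte("HDR\x00payload")
	f, _ := Field(buf, 4, 7)
	fmt.Printf("field: %q\n", f)
	_, err := Field(buf, 4, 64)
	fmt.Println("oversized field:", err)
}
```

The practical takeaway when reversing a Go 1.17 sample is that a call to unsafe.Slice with an attacker-influenced length is a memory-safety boundary the compiler no longer enforces; look for the check that should sit in front of it.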

The data the ransomware needs for its malicious activity is set up during an initialisation stage. The malware first parses the --path command-line argument, which names the root directory from which it will encrypt files recursively. Its next task is to decide which directories to encrypt.

If --path is not set, it calls FileUtils.ListDriverRootPaths(). The researchers found that ListDriverRootPaths iterates over all possible drives and keeps those whose type is anything other than DRIVE_CDROM. The final step of initialisation is to construct a WMI object for later use.

GitHub Brings Suite of Supply Chain Security Features to Go

 

GitHub has released a number of supply chain security updates for Go programming language modules.

In a blog post published on July 22, 2021, GitHub staff product manager William Bartholomew stated that Go (also known as Golang) is now firmly among the top 15 programming languages on the platform, and that, as the most popular host for Go modules, GitHub intends to help the community discover, report, and prevent security vulnerabilities.

Go modules were introduced in 2019 to handle dependency management. According to the Go Developer Survey 2020, 76 percent of respondents now use Go at work in some form.

Go modules are also becoming the norm: 96 percent of respondents said they use them for package management, up 7 points from 2019, and 87 percent said they use Go modules exclusively for this purpose.

Use of other package-management solutions is correspondingly declining. According to GitHub, four major supply chain security features are now available for Go modules.

The first is GitHub's Advisory Database, an open-source repository of vulnerability information that held over 150 Go advisories at the time of publication. Developers can also use the database to obtain CVE IDs for newly identified security flaws.

"This number is growing every day as we curate existing vulnerabilities and triage newly discovered ones," Bartholomew added. 

GitHub has also enabled its dependency graph for Go, which reads go.mod to track and evaluate project dependencies and warns when vulnerable ones are found. On top of the graph, Dependabot alerts now notify developers when new security flaws are identified in the Go modules they depend on.

Automatic pull requests can be enabled to fix vulnerable Go modules, and notification settings have been refined for fine-tuning. According to Bartholomew, repositories that enable automatic pull requests for security updates patch their dependencies up to 40 percent faster than those that do not.
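The dependency-graph and Dependabot features above reduce to one operation: read the modules a project requires and match their versions against the version ranges in an advisory feed. The Go program below is an added example of that matching (my code, not GitHub's or Dependabot's); the go.mod text, the example.com module paths and the EXAMPLE-000x advisory records are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one module listed in go.mod.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// Advisory is a minimal vulnerability record: the module is affected from
// Introduced (inclusive) until Fixed (exclusive); an empty Fixed means no
// patched release exists yet. The IDs and modules used below are invented.
type Advisory struct {
	ID         string
	Module     string
	Introduced string
	Fixed      string
}

// Finding pairs a requirement with an advisory that covers its version.
type Finding struct {
	Requirement Requirement
	Advisory    Advisory
}

// SampleGoMod is a constructed go.mod using both forms of require.
const SampleGoMod = `module example.com/app

go 1.16

require example.com/lib/single v1.0.0

require (
	example.com/lib/parser v1.2.3
	example.com/lib/crypto v0.9.0 // indirect
	example.com/lib/safe v2.0.0+incompatible
)
`

// SampleAdvisories is constructed data standing in for an advisory feed.
var SampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", Module: "example.com/lib/parser", Introduced: "v1.2.0", Fixed: "v1.2.5"},
	{ID: "EXAMPLE-0002", Module: "example.com/lib/crypto", Introduced: "v0.0.0", Fixed: "v1.0.0"},
	{ID: "EXAMPLE-0003", Module: "example.com/lib/safe", Introduced: "v1.0.0", Fixed: "v1.5.0"},
	{ID: "EXAMPLE-0004", Module: "example.com/lib/single", Introduced: "v1.1.0", Fixed: ""},
}

// ParseGoMod extracts require directives; comments are dropped after noting
// the "// indirect" marker.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		indirect := strings.Contains(raw, "// indirect")
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs = append(reqs, Requirement{Path: f[0], Version: f[1], Indirect: indirect})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			reqs = append(reqs, Requirement{Path: f[1], Version: f[2], Indirect: indirect})
		}
	}
	return reqs
}

// semver parses vMAJOR.MINOR.PATCH and drops pre-release and build suffixes.
// That is a simplification: pseudo-versions and -rc tags need real ordering.
func semver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

func compare(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// Affected reports whether version v falls inside the advisory's range.
// Unparseable versions are treated as unaffected here; a cautious tool would
// surface them for manual review instead.
func Affected(adv Advisory, v string) bool {
	ver, ok := semver(v)
	lo, okLo := semver(adv.Introduced)
	if !ok || !okLo || compare(ver, lo) < 0 {
		return false
	}
	if adv.Fixed == "" {
		return true
	}
	hi, okHi := semver(adv.Fixed)
	return okHi && compare(ver, hi) < 0
}

// Audit matches every requirement against every advisory, in go.mod order.
func Audit(reqs []Requirement, advs []Advisory) []Finding {
	var out []Finding
	for _, r := range reqs {
		for _, a := range advs {
			if a.Module == r.Path && Affected(a, r.Version) {
				out = append(out, Finding{Requirement: r, Advisory: a})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Audit(ParseGoMod(SampleGoMod), SampleAdvisories) {
		kind := "direct"
		if f.Requirement.Indirect {
			kind = "indirect"
		}
		fmt.Printf("%s: %s %s (%s) is affected, fixed in %q\n",
			f.Advisory.ID, f.Requirement.Path, f.Requirement.Version, kind, f.Advisory.Fixed)
	}
}
```

Two caveats a real tool has to handle: before Go 1.17 a go.mod records only some indirect dependencies, so the full graph from `go list -m all` is the right input rather than the file alone, and the simplified version parser above maps pre-release and pseudo-versions to their base version, which can both over- and under-match an advisory range.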

A New Golang Trojan, ChaChi, Used in Attacks Against US Schools

 

A new Trojan written in the Go programming language has shifted its focus from government agencies to schools in the United States. 

The malware, named ChaChi, is also being used as a key component in launching ransomware attacks, according to BlackBerry Threat Research and Intelligence. ChaChi is written in Go, a language threat actors increasingly favour over C and C++ for its flexibility and the ease of compiling the same code for several platforms. Intezer reports a 2,000 percent increase in Go-based malware strains over the last two years.

ChaChi was first seen in the first half of 2020, and the original variant of the Remote Access Trojan (RAT) was linked to attacks against French local government bodies, as documented in an Indicators of Compromise (IoC) report (PDF) from CERT France. A considerably more sophisticated variant has since emerged.

The most recent samples are linked to attacks against large US school districts and educational institutions. Compared with the first variant, which had weak obfuscation and limited capability, the malware can now perform typical RAT operations: backdoor creation and data exfiltration, credential dumping from the Windows Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunnelling, SOCKS proxying, service creation, and lateral movement across networks.

For obfuscation the malware uses gobfuscate, a publicly available Go tool. ChaChi takes its name from the two off-the-shelf tools it builds on: Chashell, a Go reverse shell that tunnels its traffic over DNS, and Chisel, a Go TCP tunnel over HTTP that provides the SOCKS proxying.
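DNS tunnelling of the kind Chashell provides is visible in resolver logs if you look at the names rather than the answers: the client encodes data into long, high-entropy labels under one attacker-controlled zone, and often uses TXT queries, whose large responses suit the server-to-client direction. The Go program below is an added example of that detection (my heuristics, not BlackBerry's detection logic); the query log is constructed, and the thresholds (name over 50 characters, a label over 30, subdomain entropy above 3.5 bits per character, three flagged queries per zone) are assumptions to tune against your own baseline.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Query is one DNS request as a resolver or sensor would log it.
type Query struct {
	Client string
	Name   string
	Type   string
}

// Finding summarises one client talking to one zone in a tunnel-like way.
type Finding struct {
	Client   string
	Zone     string
	Flagged  int      // queries that scored at or above the threshold
	Distinct int      // distinct names the client asked for under the zone
	Reasons  []string // union of the heuristics that fired
}

// SampleQueries is constructed input; the tunnel-looking names are invented.
var SampleQueries = []Query{
	{"10.0.0.5", "www.example.com.", "A"},
	{"10.0.0.5", "mail.example.com.", "MX"},
	{"10.0.0.7", "update.example.org.", "A"},
	{"10.0.0.9", "api.example.net.", "A"},
	{"10.0.0.9", "k7qz2m9xv4bhn3tyw8ecr5juf6dgp0sa.x2vq8ntm4kzf7hb9cwj3yr6edp5gsu0a.t.example.net.", "TXT"},
	{"10.0.0.9", "m4kzf7hb9cwj3yr6edp5gsu0ak7qz2m9.xv4bhn3tyw8ecr5juf6dgp0sax2vq8nt.t.example.net.", "TXT"},
	{"10.0.0.9", "yr6edp5gsu0ak7qz2m9xv4bhn3tyw8ec.r5juf6dgp0sax2vq8ntm4kzf7hb9cwj3.t.example.net.", "TXT"},
}

// labels splits a name into lower-case labels without the trailing dot.
func labels(name string) []string {
	return strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
}

// entropy is the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// registeredDomain takes the last two labels as the zone owner. Real tooling
// should consult the public suffix list (example.co.uk has three).
func registeredDomain(name string) string {
	l := labels(name)
	if len(l) > 2 {
		l = l[len(l)-2:]
	}
	return strings.Join(l, ".")
}

// ScoreQuery applies four heuristics and returns how many fired and which.
func ScoreQuery(q Query) (int, []string) {
	l := labels(q.Name)
	var reasons []string
	if len(strings.Join(l, ".")) > 50 {
		reasons = append(reasons, "long name")
	}
	for _, lab := range l {
		if len(lab) > 30 {
			reasons = append(reasons, "long label")
			break
		}
	}
	if len(l) > 2 && entropy(strings.Join(l[:len(l)-2], "")) > 3.5 {
		reasons = append(reasons, "high-entropy subdomain")
	}
	switch strings.ToUpper(q.Type) {
	case "TXT", "NULL":
		reasons = append(reasons, "bulk record type")
	}
	return len(reasons), reasons
}

// FindTunnels groups queries by (client, zone) and reports the groups with at
// least minFlagged queries scoring minScore or more.
func FindTunnels(qs []Query, minScore, minFlagged int) []Finding {
	type key struct{ client, zone string }
	flagged := map[key]int{}
	names := map[key]map[string]bool{}
	reasons := map[key]map[string]bool{}
	for _, q := range qs {
		k := key{q.Client, registeredDomain(q.Name)}
		if names[k] == nil {
			names[k] = map[string]bool{}
			reasons[k] = map[string]bool{}
		}
		names[k][strings.Join(labels(q.Name), ".")] = true
		score, why := ScoreQuery(q)
		if score < minScore {
			continue
		}
		flagged[k]++
		for _, r := range why {
			reasons[k][r] = true
		}
	}
	var out []Finding
	for k, n := range flagged {
		if n < minFlagged {
			continue
		}
		f := Finding{Client: k.client, Zone: k.zone, Flagged: n, Distinct: len(names[k])}
		for r := range reasons[k] {
			f.Reasons = append(f.Reasons, r)
		}
		sort.Strings(f.Reasons)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Client+"/"+out[i].Zone < out[j].Client+"/"+out[j].Zone
	})
	return out
}

func main() {
	for _, f := range FindTunnels(SampleQueries, 2, 3) {
		fmt.Printf("%s -> %s: %d tunnel-like queries, %d distinct names, %v\n",
			f.Client, f.Zone, f.Flagged, f.Distinct, f.Reasons)
	}
}
```

Label length and entropy alone also flag CDN hostnames and the anti-spam and telemetry services that legitimately encode data in DNS, so in practice the per-zone aggregation and a per-client baseline do most of the work: start from the list of zones, and check whether each zone's owner is one you expect your hosts to talk to.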

BlackBerry's researchers attribute the Trojan to PYSA/Mespinoza, a threat group active since 2018. The group is known for ransomware operations in which encrypted files are given the .pysa extension.

PYSA stands for "Protect Your System Amigo", a phrase the group uses when victim data is encrypted. According to the FBI, PYSA attacks against both UK and US schools are on the rise. The researchers say PYSA focuses on "big game hunting": choosing wealthy targets able to pay large ransoms. Rather than being the work of automated tooling, these attacks are targeted and usually run by a human operator.

The researchers stated, "This is a notable change in operation from earlier notable ransomware campaigns such as NotPetya or WannaCry. These actors are utilizing advanced knowledge of enterprise networking and security misconfigurations to achieve lateral movement and gain access to the victim's environments."

Golang: Cryptomining Malware That May Be Targeting Your PC


Researchers at Barracuda Networks have described a cryptomining malware family they refer to as "Golang", after the language it is written in. It attacks both Windows and Linux systems and mines Monero using XMRig, a popular miner. The number of attacks is still relatively low, but the researchers identified seven IP addresses associated with the malware, all originating from China.


The researchers observed that the malware's primary targets are non-HTTP services such as MSSQL and Redis, along with application servers and web application frameworks, rather than end users. Earlier versions affected only Linux; the current version targets Windows as well. It spreads using exploits for IoT devices, Hadoop, Drupal, Elasticsearch, and Oracle WebLogic; in one recent campaign in China it used exploits for the ThinkPHP framework, which is widely used in that country.

According to the researchers, the malware evolves continually, picking up new exploits as it goes. Once it has a foothold it downloads the files it needs for the platform: update scripts, configuration files, a scanner, and a miner; on Windows the attackers may also deploy a backdoor. More and more attackers have moved to Go because antivirus products have historically had weaker coverage of Go binaries.

The malware goes after vulnerable servers, which makes it attractive to criminals looking for exposed services to exploit. Defenders should watch for unusually high CPU usage and other suspicious activity on endpoints, and patch the internet-facing services the malware's exploits target. As with any cryptominer, vigilant inspection and prompt response limit the damage, and awareness of cryptomining threats matters.

StealthWorker: Uses Compromised E-Commerce Websites to Attack Windows and Linux Platforms




A new brute-force malware called StealthWorker was recently uncovered. It reportedly uses compromised e-commerce websites to steal personal data.

The platforms mainly affected by this malware are Linux and Windows.

Personal information and payment data are the main objectives of these attacks.

The malware is written in Golang, a language still rarely seen in malware, though it has already been used in a Mirai botnet development module.

To make this work, the e-commerce websites are first compromised and an embedded skimmer is planted.

The sites are breached by exploiting plugin vulnerabilities or weaknesses in the Content Management System (CMS) itself.

The malware came to light while the researchers were analysing its command and control server (5.45.69[.]149).

There they found a storage directory of samples built to brute-force web admin tools such as phpMyAdmin.

Earlier versions of this malware targeted only Windows, but the latest version also carries server payload binaries for Linux.

One sample the researchers analysed, "PhpMyAdminBrut_Windows_x86.exe", contained an IP address that led to a web panel login and a set of new samples.

Open directories were also found whose file names pointed to IoT devices with ARM and MIPS architectures.

StealthWorker schedules itself to run routinely so that it persists even after the system is rebooted.

The researchers also used an IDA Python script to locate other malicious functions.

The research showed that other platforms and services are on the target list as well, including FTP, Joomla, cPanel, MySQL, SSH, and others.

The attackers are also making broader moves towards infecting a wide variety of platforms.