In recent months, I have taken a keen interest in malware written in the Go programming language. Go, sometimes referred to as GoLang, was created by Google in 2009 and has gained additional popularity within the malware development community in recent years. While there has been an increasing number of blogs in recent years discussing Go malware families, I wanted to know whether use of this programming language was indeed on the rise for malware. Additionally, I was curious which malware families would be most prevalent, as there is a notion among many that Go is primarily used by penetration testers and red teamers. With that in mind, I set out to collect as much malware written in Go as possible and cluster it by malware family. This blog discusses my data collection methodology and my results.
Unit 42 has discovered a new version of CardinalRat, which we first discovered in 2016. This new version targets financial technology companies, primarily in Israel. It includes new anti-analysis capabilities, including the use of steganography. In addition to our research, we include a new Python script to decrypt the steganographic payload.
Since at least 2015, a suspected South Asian threat group known as BITTER has been targeting Pakistani and Chinese organizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader. Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia.
Unit 42 uncovers a campaign leveraging a previously unreported customized dropper used to deliver lures primarily pertaining to the South Korea and North Korea region.
The Reaper group uses a custom malware family called DOGCALL to deploy a RAT. Get the full report.
Unit 42 uncovers NOKKI, a type of malware with ties to the previously discovered KONNI malware family, used to attack Eurasia and Southeast Asia.
Slithering between nation state and cybercrime: Unit 42 examines the Gorgon Group’s unsophisticated yet effective attacks. Read the full report.
Unit 42 investigates the RANCOR group's use of the DDKONG and PLAINTEE malware families to deliver targeted espionage attacks in Southeast Asia.
Unit 42 investigates the rise of cryptocurrency miners.
Unit 42 unravels TheBottle's activities and his newest malware family.
Unit 42 observes the Patchwork group continuing to use weaponized legitimate documents to deliver their updated BADNEWS payload.
Unit 42 discovers ComboJack, a new currency stealer that alters clipboards to steal cryptocurrency.
Unit 42 observes a Russian BitTorrent site covertly serving a Monero cryptocurrency miner to its users.
Unit 42 tracks a series of attacks that use a remote backdoor malware family named Comnie.
Unit 42 observes a wave of attacks leveraging popular third party services to deliver malicious decoy documents.