The Gopher in the Room: Analysis of GoLang Malware in the Wild

In recent months, I have taken a keen interest in malware written in the Go programming language. Go, sometimes referred to as GoLang, was created by Google in 2009 and has gained additional popularity within the malware development community in recent years.While there have been an increased number of blogs in recent years discussing Go malware families, I wanted to know if this programming language was indeed on the rise when it pertained to malware. Additionally, I was curious what malware families would be most prevalent, as there is a notion among many that Go is primarily used by penetration testers and red teamers. With that in mind, I set out to collect as much malware written in Go as possible, and cluster it by malware family. The blog discusses my methodology of data collection and my results.

The Gamaredon Group Toolset Evolution

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.

Exploring the Cybercrime Underground: Part 3 – Into the RAT Nest

In this third part of Unit 42’s Cybercrime Underground blog series, we’re taking a slightly different approach. In this blog we begin with data from a real attack in the wild, and use the evidence from that attack to make a connection back to underground forums and the actors who are using them. Rather than starting

2016 Updates to Shifu Banking Trojan

Overview Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others. Palo Alto Networks Unit 42 research has

Review of Regional Malware Trends in EMEA: Part 1

Introduction As we head towards the end of the year it’s common to reflect on the year almost behind us and to predict what the new year approaching will bring in terms of security challenges. This blog is part of a series that describe malware trends seen in the EMEA (Europe Middle East and Africa)

Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures

As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have reported six vulnerabilities that have been fixed by Apple, Adobe and Microsoft. This includes two vulnerabilities in Apple WebKit and impacts iCloud for Windows, Safari, iTunes for Windows, tvOS and iOS. CVE-2016-7639: Tongbo Luo CVE-2016-7642:

Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue

Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit).  As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE