This article discusses the rise of Golang in malware development and the challenges posed by obfuscated Golang binaries. Volexity introduces GoResolver, an open-source tool that improves the analysis of such malware by utilizing control-flow graph similarities to recover obfuscated function names. This development significantly enhances the ability to understand and reverse-engineer malware samples. Affected: malware developers, reverse engineering analysts, cybersecurity professionals
Keypoints :
- Golang's popularity among both legitimate and malicious developers is on the rise.
- Volexity encounters many Golang malware samples that use obfuscation techniques.
- Obfuscated Golang binaries are more challenging to analyze for reverse engineers.
- GoResolver is an open-source tool developed by Volexity to assist in retrieving obfuscated function names.
- The tool employs control-flow graph similarity techniques to enhance symbol recovery.
- Garble is a noted obfuscator that complicates the analysis of Golang binaries.
- Control-flow graphs provide insights into the behavior of a binary, aiding in identifying similar algorithmic paths.
- GoResolver can identify the Golang version used to build the sample, improving analysis efficiency.
- The tool integrates seamlessly with IDA Pro and Ghidra to enhance reverse engineering workflows.
- Future updates for GoResolver will include enhanced features for even better analysis.
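As an added illustration of the control-flow-graph matching idea behind GoResolver (this is not GoResolver's own code, and it reduces the approach to a Weisfeiler-Lehman-style structural fingerprint compared with Jaccard similarity): functions lifted from an unobfuscated reference build are fingerprinted by CFG shape, and each obfuscated function receives the reference name whose fingerprint it matches above a threshold, or stays unresolved. All function names and CFGs below are constructed.

```python
import hashlib
from collections import Counter

# A CFG is modelled as {basic_block_id: [successor_ids]}. The initial label of a
# block is its out-degree (0 = return, 1 = jump, 2 = conditional branch), so
# block ids and symbol names play no part in the fingerprint.
def wl_fingerprint(cfg, rounds=3):
    labels = {blk: str(len(succ)) for blk, succ in cfg.items()}
    for _ in range(rounds):  # Weisfeiler-Lehman style relabelling
        labels = {
            blk: hashlib.sha256(
                f"{labels[blk]}|{','.join(sorted(labels[s] for s in succ))}".encode()
            ).hexdigest()[:16]
            for blk, succ in cfg.items()
        }
    return Counter(labels.values())

def similarity(fp_a, fp_b):
    """Jaccard similarity of two label multisets (1.0 = structurally identical)."""
    inter = sum((fp_a & fp_b).values())
    union = sum((fp_a | fp_b).values())
    return inter / union if union else 0.0

def resolve_names(reference, obfuscated, threshold=0.9):
    """Map each obfuscated function to its best-matching reference symbol.
    Returns {obf_name: (reference_name or None, best_score)}."""
    ref_fps = {name: wl_fingerprint(cfg) for name, cfg in reference.items()}
    resolved = {}
    for obf_name, cfg in obfuscated.items():
        fp = wl_fingerprint(cfg)
        best, score = max(((n, similarity(fp, r)) for n, r in ref_fps.items()),
                          key=lambda t: t[1])
        resolved[obf_name] = (best if score >= threshold else None, score)
    return resolved

# Constructed CFGs standing in for functions from an unobfuscated reference
# build (hypothetical names) and from a Garble-obfuscated sample.
REFERENCE_CFGS = {
    "net/http.Get": {0: [1, 2], 1: [3], 2: [3], 3: []},          # if/else diamond
    "main.decryptPayload": {0: [1], 1: [2, 3], 2: [1], 3: []},   # loop
    "main.sendBeacon": {0: [1, 2], 1: [], 2: []},                # branch, two returns
}
OBFUSCATED_CFGS = {
    "main.aXJ2kQ": {10: [11, 12], 11: [13], 12: [13], 13: []},  # same shape as Get
    "main.b9Zt1": {10: [11], 11: [12, 13], 12: [11], 13: []},   # same shape as decryptPayload
    "main.c0Wm7": {10: [11], 11: []},                           # matches nothing well
}

if __name__ == "__main__":
    for obf, (name, score) in resolve_names(REFERENCE_CFGS, OBFUSCATED_CFGS).items():
        print(f"{obf} -> {name or '<unresolved>'} ({score:.2f})")
```

In practice the reference side would be built with the same Go version and dependencies as the sample, which is why version identification matters for this kind of matching.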
MITRE Techniques :
- T1552.001: Application Layer Protocol: Hypertext Transfer Protocol (HTTP) - Utilization of HTTP protocols to communicate data.
- T1587.001: Acquire or Create Tools: Acquire obfuscation tools like Garble to hinder analysis.
- T1609: Terminal Services and Remote Desktop Protocol: Potential use of these protocols to maintain access, as indicated by function names related to execution.
Indicator of Compromise :
- [Sample Hash] 1df2cd0d12e5028d5dbda33a4e4404e0
- [URL] https://github.com/Volexity/GoResolver
- [Domain] Volexity.com