The FLARE team introduces GoStringUngarbler, a command-line tool for deobfuscating malware written in Go and obfuscated with garble. garble rewrites string literals at compile time so the plaintext never appears in the binary; GoStringUngarbler automates recovery of those strings, aiding malware detection and static analysis. The post details garble's string transformation methods and how GoStringUngarbler reverses them.
Affected: Go applications, malware analysts
Keypoints :
- garble obfuscates Go binaries at compile time by encrypting string literals, mangling identifier names, and stripping build metadata and symbol information.
- GoStringUngarbler automatically decrypts garble-obfuscated strings in Go binaries.
- The blog covers various transformation methods including stack, seed, split, and shuffle transformations.
- Each string transformation complicates static analysis by emitting its own inlined decode routine. These routines are lightweight reversible byte operations with per-literal keys rather than standard cryptography, so the plaintext can be recovered by locating the routine and emulating it over the constants embedded in the binary.
- The tool is available as an open-source project and simplifies malware detection in Go applications.
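The following is an added illustrative example, not garble's or GoStringUngarbler's own code. It models two garble-style literal transformations (a simple per-byte key with a random reversible operator, and a shuffle that stores data and key bytes in permuted positions) and the matching decode routines. The `Literal` struct, the function names, and the seeded `math/rand` source are assumptions made for the example; garble's real implementation inlines the constants into a generated closure. The decode functions are the part an analyst reproduces: given the constants pulled from the binary, emulating the decoder yields the plaintext without running the sample.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Literal models what a garble-style transformation leaves in the binary:
// the encoded bytes plus the key material the inlined decoder consumes.
// (Hypothetical struct for this example; garble emits constants, not a type.)
type Literal struct {
	Data []byte // encoded bytes
	Key  []byte // per-byte key
	Ops  []byte // per-byte operator, one of '^', '+', '-' (simple-style only)
	Perm []int  // storage position of each plaintext index (shuffle-style only)
}

// newRNG returns a seeded source so the example output is reproducible.
func newRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// obfuscateSimple combines each byte with a random key byte using a
// randomly chosen reversible operator.
func obfuscateSimple(s string, rng *rand.Rand) Literal {
	plain := []byte(s)
	lit := Literal{
		Data: make([]byte, len(plain)),
		Key:  make([]byte, len(plain)),
		Ops:  make([]byte, len(plain)),
	}
	ops := []byte{'^', '+', '-'}
	for i, b := range plain {
		k := byte(rng.Intn(256))
		op := ops[rng.Intn(len(ops))]
		lit.Key[i], lit.Ops[i] = k, op
		switch op {
		case '^':
			lit.Data[i] = b ^ k
		case '+':
			lit.Data[i] = b + k
		case '-':
			lit.Data[i] = b - k
		}
	}
	return lit
}

// decodeSimple is the runtime decoder; emulating it statically over the
// extracted constants recovers the string.
func decodeSimple(lit Literal) string {
	out := make([]byte, len(lit.Data))
	for i, d := range lit.Data {
		switch lit.Ops[i] {
		case '^':
			out[i] = d ^ lit.Key[i]
		case '+':
			out[i] = d - lit.Key[i] // inverse of '+'
		case '-':
			out[i] = d + lit.Key[i] // inverse of '-'
		}
	}
	return string(out)
}

// obfuscateShuffle XORs each byte with a key byte, then stores data and key
// at permuted positions so neither array reads in plaintext order.
func obfuscateShuffle(s string, rng *rand.Rand) Literal {
	plain := []byte(s)
	n := len(plain)
	lit := Literal{Data: make([]byte, n), Key: make([]byte, n), Perm: rng.Perm(n)}
	for i, b := range plain {
		k := byte(rng.Intn(256))
		lit.Data[lit.Perm[i]] = b ^ k // plaintext index i lives at Perm[i]
		lit.Key[lit.Perm[i]] = k
	}
	return lit
}

// decodeShuffle walks the permutation to rebuild the original byte order.
func decodeShuffle(lit Literal) string {
	out := make([]byte, len(lit.Data))
	for i, p := range lit.Perm {
		out[i] = lit.Data[p] ^ lit.Key[p]
	}
	return string(out)
}

func main() {
	rng := newRNG(1)
	// Constructed sample strings, not indicators from the post.
	for _, s := range []string{"/tmp/.cache", "Mozilla/5.0"} {
		simple := obfuscateSimple(s, rng)
		shuffled := obfuscateShuffle(s, rng)
		fmt.Printf("plain %q\n  simple  data=%x key=%x ops=%s -> %q\n  shuffle data=%x perm=%v -> %q\n",
			s, simple.Data, simple.Key, simple.Ops, decodeSimple(simple),
			shuffled.Data, shuffled.Perm, decodeShuffle(shuffled))
	}
}
```

The encoded `Data` arrays are what a `strings` run over the binary would see, which is why they surface nothing useful; the recovery step is purely a matter of finding the decoder's constants and replaying the inverse operations.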
MITRE Techniques :
- T1027 – Obfuscated Files or Information: garble obfuscates Go binaries at compile time through string transformations and identifier mangling, making reverse engineering harder. No other technique applies; the post describes an analysis tool, not adversary tradecraft.
Indicator of Compromise :
- None. The post describes an analysis tool rather than a campaign, so it lists no malicious domains, hashes or addresses.
- [URL] https://github.com/mandiant/gostringungarbler (tool repository, a reference rather than an indicator)