The past two years have seen the rise of Golang-based malware from its beginnings as a way to win at CCDC and red team engagements to its current use by actual threat actors. This talk will break down why Golang is so useful for malware with a detailed tour through the available components used for exploitation, EDR and NIDS evasion, and post-exploitation, by one of the main authors of the core components. Although focused on the offensive perspective, there will be valuable insights into the challenges in detecting Golang malware. Interested in learning Golang? Interested in writing or detecting malware? This is your invitation into the weird and wonderful world of Golang malware.
REFERENCES:
List of Golang Security Tools:
https://github.com/Binject/awesome-go-security
C-Sto:
https://github.com/c-sto/goWMIExec
https://github.com/C-Sto/BananaPhone
https://github.com/C-Sto/gosecretsdump
capnspacehook:
https://github.com/capnspacehook/pandorasbox
https://github.com/capnspacehook/taskmaster
Vyrus / gscript crew:
https://github.com/gen0cide/gscript
https://github.com/vyrus001/go-mimikatz
https://github.com/vyrus001/msflib
secretsquirrel / Josh Pitts:
https://github.com/secretsquirrel/the-backdoor-factory
https://github.com/Genetic-Malware/Ebowla
https://github.com/secretsquirrel/SigThief
https://github.com/golang/go/issues/16292
malwareunicorn on OSX loading:
https://malwareunicorn.org/workshops/macos_dylib_injection.html
Misc:
https://github.com/sassoftware/relic
https://github.com/EgeBalci/sgn
https://github.com/moonD4rk/HackBrowserData
https://github.com/emperorcow/go-netscan
https://github.com/CUCyber/ja3transport
https://github.com/swarley7/padoracle
Command and Control:
https://github.com/BishopFox/sliver
https://github.com/DeimosC2/DeimosC2
https://github.com/t94j0/satellite
Obfuscation/RE:
https://github.com/unixpickle/gobfuscate
https://github.com/mvdan/garble
https://github.com/goretk/redress
Of interest for defense, but breaks Docker & Terraform:
https://github.com/unsecureio/gokiller |
