Golang, an open-source programming language created by Google in 2009, continues to be a go-to language for malware authors. Although the language is about 10 years old, the malware development community has been making use of it in recent times and the rate of use has been steadily on the rise.
Why Golang?
Infiltration into systems without being detected is the primary goal of most malware and Golang seems to assist attackers with this feature.
The multi-variate language enables a single codebase to be compiled into all major operating systems such as Linux, Windows, and Mac.
Also, because malware written in Golang is large in size, this lets threat actors go undetected as certain antivirus software cannot scan files that big.
The language also has a rich library ecosystem that makes the process of creating quite smooth.
How widespread is the use in recent times?
Linux malware authors used the Ezuri crypter written in Golang to evade antivirus detection as part of their infiltration process into Windows and Linux environments. For the attackers, Ezuri worked both as a crypter and loader for ELF binaries.
In early 2021, a new Golang-based RAT dubbed ElectroRAT was discovered targeting a variety of OS platforms with an aim to steal cryptocurrencies. The malware was distributed via fake domains, fake social media accounts, and trojanzied applications.
The last week of December 2020 witnessed a new worm written in Golang aiming at Windows and Linux servers to run XMRig miner that mines Monero cryptocurrency.
Similarly, in the early week of December 2020, researchers uncovered a new Golang variant of PlugX malware used by the TA416 threat actor group in an attack campaign against entities in the Vatican and Myanmar.
Bottom line
Just like any other malware, Golang-based malware is growing by leaps and bounds with several enhanced capabilities added to its arsenal. In coming years, these types of malware variants are feared to fuel more cybercrimes as attackers continue to expand their malicious motives.