It's also nice that they're able to run portably out of one executable with all dependencies linked statically, such a fresh breath of air from the old days of having to spend hours searching for the DLLs to download to make the Melissa virus start up correctly.
The discovering group (AT&T Alien Labs) wrote a pretty useful blog post "Behind the scenes: JaskaGO’s coordinated strike on macOS and Windows"[0], which goes into interesting detail on how it behaves (fake error message popup, the anti-vm detection, the trivial tasks if it thinks it's in a VM, the malicious tasks it can attempt if prompted by the command & control).
TechRadar summarizes thehackernews which summarizes the blog post.
It's a clipboard reader that watches the system clipboard for crypto payments. It inserts its own address into the clipboard. Does have some other capabilities like running shell commands.
As an aside, it doesn't seem like its being written in "Go" is relevant.
I know there are other options, but here's the relevance:
"Go, also known as Golang, is recognized for its simplicity, efficiency, and cross-platform capabilities. Its ease of use has made it an attractive choice for malware authors seeking to create versatile and sophisticated threats."
They also mention it's a "growing trend in malware development".
Since Go binaries internally look different than "normal" binaries you see on Windows, it's really easy for the anti-virus systems to write signatures that basically trigger on all Go binaries. It's one of the bigger annoyances with Windows Go development; you often need to exclude your build directories from your virus scanner.
The only real disadvantage it has for malware development is that all else being equal, smaller malware is better than larger malware that does the same thing, and Go binaries are not small. But if you have a case where you don't care about that, all the same features that make it desirable to "real" programmers are useful for malware programmers too.
Just from hearing this, I was about to say "you could say this about Rust as well, so why hasn't Rust also become more popular for writing malware?" But apparently it has.
How relevant is it being cross-platform given that a lot of malware exploits OS specific weaknesses? Although I suppose there's no reason to have a core malware with multiple exploits for multiple OSes.
There are usually cryptography libraries in multiple languages if the exploiter is trying to be really fancy, or it can be as simple as a string prefix search for common blockchain wallet address prefixes if the malware writer wants to be a bit lazier and save some time. So I tend to agree with the other user, this could have been done in just about any language (if not any language), so calling out Go just seems like pointless finger-pointing at Go.
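The clipboard-swapping behaviour described earlier in the thread, and the prefix-matching of wallet addresses mentioned just above, leave a recognisable pattern in a clipboard history: one wallet address is replaced by a different address of the same chain within a moment of being copied. The following detector is an added example written for this thread, not code from the linked report or from any of the commenters; the address patterns are illustrative rather than exhaustive, and the clipboard history it scans is constructed sample data.

```python
"""Flag clipboard hijacking of the kind the thread describes: a wallet
address copied by the user is silently replaced by a different address
of the same chain before it can be pasted."""
import re

# Shape patterns for commonly targeted address formats (illustrative only).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return the chain name if text looks like a wallet address, else None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return chain
    return None

def detect_hijacks(snapshots, max_gap=2.0):
    """Scan (timestamp, clipboard_text) pairs in time order.

    Returns (chain, original, replacement, seconds_apart) tuples. A same-chain
    swap within max_gap seconds is the hijack signature; a longer pause, or any
    non-address content in between, resets the comparison.
    """
    alerts = []
    previous = None  # (timestamp, text, chain) of the last address seen
    for ts, raw in snapshots:
        text, chain = raw.strip(), classify_address(raw)
        if chain is None:
            previous = None
            continue
        if previous and previous[2] == chain and previous[1] != text and ts - previous[0] <= max_gap:
            alerts.append((chain, previous[1], text, ts - previous[0]))
        previous = (ts, text, chain)
    return alerts

# Constructed clipboard history, as a poller sampling every ~0.5 s would see it.
# The addresses are made up for this example; none belong to a real wallet.
SAMPLE_HISTORY = [
    (0.0, "meeting notes"),
    (0.5, "0x" + "ab" * 20),            # user copies an Ethereum address
    (1.0, "0x" + "cd" * 20),            # swapped within 0.5 s: flagged
    (30.0, "bc1q" + "qpzry9x8gf" * 4),  # user copies a Bitcoin address
    (65.0, "bc1q" + "2tvdw0s3jn" * 4),  # different address a minute later: not flagged
]

if __name__ == "__main__":
    for chain, old, new, gap in detect_hijacks(SAMPLE_HISTORY):
        print(f"[{chain}] {old} -> {new} ({gap}s apart)")
```

On a real host the snapshots would come from polling the OS clipboard; the decision logic is the same.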
Does this news in any way affirm the recent decision in OpenBSD development to pin all system calls? I don’t totally comprehend the decision, but I gathered that it affects how Go operates on that OS.
When I worked in cybersecurity we always joked about these kinds of articles, just waiting for one day to see "Quake PAK files found carrying malware!!!1!"