Welcome to the VB2021 conference!

Reversing Go binaries with Ghidra

Dorka Palotay (CUJO AI) & Albert Zsigovits (CUJO AI)
live only
19:30 UTC on Day 1
Golang is Google’s open-source programming language, which in recent years has gained attention among developers. It is not used only for legitimate purposes: in a growing trend, malware authors are increasingly writing their code in Go.

The fact that Golang supports cross-compiling makes it a tempting option for IoT malware attacks. This has resulted in a proliferation of IoT malware written in Go. For this reason, we decided to dive deeper and develop our own toolset to become more effective at combating Go malware.

When it came to dissecting Go malware, reverse engineers found themselves faced with a hurdle. Go presents new challenges that make binary analysis more difficult. Go binaries are usually statically linked, so the runtime and standard library are compiled into the same executable as the author's code, requiring analysts to do a lot of manual work to figure out which functions are library code and which are worth analysing. In order to aid and automate this process, we have created custom scripts for Ghidra.

When compiling a Go binary, debug information such as strings, variable and function names and method names are usually saved inside the binaries. If these properties are absent, reverse engineering becomes harder: malware developers know this. That is why they have started to abuse open-source projects like gobfuscate, which obfuscates all debug information in the source code and compiles the binary without it.
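To make the previous two paragraphs concrete, here is an added example (not part of the speakers' Ghidra scripts) of the core step such automation performs: finding the Go runtime.pclntab by its header magic and walking its function table to recover each function's entry address and name, which is what restores symbols in a stripped, statically linked Go binary. It is written in Python rather than against the Ghidra API, assumes the Go 1.18+ header layout, and runs on a constructed sample blob built by `build_sample()`.

```python
import struct

# Header magics as defined in Go's debug/gosym: 0xFFFFFFF0 = Go 1.18/1.19, 0xFFFFFFF1 = Go 1.20+.
GO118_MAGIC, GO120_MAGIC = 0xFFFFFFF0, 0xFFFFFFF1

def find_pclntab(data):
    """Locate runtime.pclntab by its magic, then sanity-check the pad bytes, minLC and pointer size."""
    for magic in (GO118_MAGIC, GO120_MAGIC):
        pos = data.find(struct.pack("<I", magic))
        while pos != -1:
            tail = data[pos + 4:pos + 8]  # pad1, pad2, minLC, ptrSize
            if len(tail) == 4 and tail[:2] == b"\0\0" and tail[2] in (1, 2, 4) and tail[3] in (4, 8):
                return pos
            pos = data.find(struct.pack("<I", magic), pos + 1)
    return -1

def parse_pclntab(data, off):
    """Return [(entry_address, function_name), ...] from a Go 1.18+ pclntab whose header is at `off`."""
    fmt = "<8Q" if data[off + 7] == 8 else "<8I"  # header byte 7 is ptrSize
    nfunc, _, text_start, funcname_off, _, _, _, pcln_off = struct.unpack_from(fmt, data, off + 8)
    functab, funcnametab, funcs = off + pcln_off, off + funcname_off, []
    for i in range(nfunc):
        # functab entry i is (entryoff uint32, funcoff uint32); funcoff is relative to the functab base
        entry_off, func_off = struct.unpack_from("<II", data, functab + 8 * i)
        # each _func record starts with entryOff uint32, nameOff int32 (offset into funcnametab)
        name_off = struct.unpack_from("<i", data, functab + func_off + 4)[0]
        end = data.index(b"\0", funcnametab + name_off)
        funcs.append((text_start + entry_off, data[funcnametab + name_off:end].decode()))
    return funcs

def recover_names(data):
    off = find_pclntab(data)
    return parse_pclntab(data, off) if off != -1 else []

def build_sample():
    """Constructed test input (not a real binary): a Go 1.20-style pclntab describing three functions."""
    names = [b"main.main", b"runtime.gopanic", b"main.(*Config).Load"]
    entries = [0x1000, 0x1080, 0x2200]  # function entry offsets from textStart
    funcnametab = b"\0".join(names) + b"\0"
    name_offs = [sum(len(n) + 1 for n in names[:i]) for i in range(len(names))]
    functab_size, func_size = (len(names) + 1) * 8, 16
    functab, funcs = b"", b""
    for i, (e, no) in enumerate(zip(entries, name_offs)):
        functab += struct.pack("<II", e, functab_size + i * func_size)
        funcs += struct.pack("<Ii", e, no).ljust(func_size, b"\0")  # remaining _func fields zeroed
    functab += struct.pack("<II", 0x2300, 0)  # trailing end-of-text entry
    hdr_size = 8 + 8 * 8
    header = struct.pack("<IBBBB", GO120_MAGIC, 0, 0, 1, 8) + struct.pack(
        "<8Q", len(names), 0, 0x400000, hdr_size, 0, 0, 0, hdr_size + len(funcnametab))
    return b"\x7fELF-placeholder-bytes" + header + funcnametab + functab + funcs
```

On a real position-independent binary the header's textStart field may be unrelocated, so a Ghidra script would take the .text base from the loaded program instead; a binary whose names were stripped by a tool such as gobfuscate still has this table, but the recovered names are the obfuscated ones.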

Threat actors have recently started to distribute Linux malware encrypted with a new crypter called Ezuri. Ezuri is a crypter and a memory loader, which is misused as a wrapper for malicious binaries in order to evade detection by anti-virus vendors.

The talk will consist of:

  • Introduction to IoT malware families written in Go.

  • Discussion of the unique features and hurdles of Go binaries.

  • Tackling common problems when reverse engineering Go malware.

  • Sharing our Ghidra scripts that we use during reverse engineering.

  • Investigating the recent developments around Golang obfuscation and Linux crypters.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, contact Albert Zsigovits on GitHub at albertzsigovits, or contact the speakers on Twitter at @albertzsigovits and @padorka.

Dorka Palotay

Dorka has a Bachelor’s degree in applied mathematics. She continued her studies in the field of security and privacy, where she gained her Master’s degree in computer science specialising in advanced cryptography. She started her career at Sophos, mainly focusing on ransomware analysis, but as a member of the Emerging Threats team she had the opportunity to gain experience in reverse engineering a wide range of malware attacks. Before joining CUJO AI she was working in the financial industry as an IT security analyst, focusing on threat hunting and forensics investigations. Currently she is working at CUJO AI as a senior threat researcher focusing on reverse engineering IoT malware. She is also a guest lecturer at ELTE Informatics faculty, where she teaches malware analysis to IT security students.

Albert Zsigovits

Albert works as an IoT malware researcher at CUJO AI. He started out as a traditional blue teamer early in his career, analysing security events as an IDS analyst, and later investigating breaches as a senior incident responder for a Fortune 50 company. Later, he joined a respected anti-virus company to deepen his knowledge of reverse engineering. His specialities include malware analysis, memory forensics and signature development. Albert is a former speaker at SEC-T, DisobeyFi and BSidesVienna.