Shulou (Shulou.com) 05/31 Report. Updated 2025-01-21, from SLTechnology News&Howtos, Network Security.
This article explains what the redress tool is and how it is used to analyze a Go binary. The editor considers it very practical and shares it here for reference; follow along below.
0x01 Overview of the Go Code
The sample we are going to analyze is a stripped ELF executable extracted from a malware sample. Stripping makes reverse engineering harder, because a lot of extra work is needed to restore the symbols in the binary. Fortunately, the redress tool can help: redress is a tool built specifically for analyzing Go binaries. It extracts the metadata that the Go toolchain leaves in the executable and uses it to reconstruct symbols and support further analysis.
The following is the output obtained by running the tool on the sample with the "-src" option:
From the figure above, we can see that the malware's source consisted of three Go files; the listing shows the functions implemented in each file together with their line counts. Judging by some of the function names, this malware is most likely ransomware. However, the total is only about 300 lines of source, so the ransomware should not be very complex and is probably still at an early stage of development.
Next, we move to dynamic debugging. Here I use Radare2 as the debugger: its analysis commands can recover the Go function names and symbols in the binary, which is why I chose Radare2 over GDB.
0x02 Dynamic Analysis of the Go Binary
The Radare2 command "aaa" runs its automated analysis passes. From the following figure, we can see that Radare2 restores and recognizes the function and symbol names:
We can see that the function init() executes before main(), and init() calls the function check(). In check(), the malware first obtains information about the infected device by sending an HTTP request to hxxps://ipapi.co/json/. It then checks the returned country and exits for Belarus (BY), Russia (RU) and Ukraine (UA), so that the malware does not run on user devices in these three countries.
In the main() function, the Go code is first deleted, and then the function randSeq() is called to generate a random AES key of 0x20 (32) bytes:
Next, it calls the function makesecret(), whose job is to encrypt the AES key with the RSA public key hard-coded in the binary. Inside, the code calls EncryptPKCS1v15(), i.e. RSA encryption with PKCS#1 v1.5 padding, on the generated AES key.
The following is the AES key data after RSA encryption:
It then calls the function EncodeToString() to Base64-encode the encrypted data:
Next, it allocates a buffer for the README file:
The RSA-encrypted AES key is written into the README file in Base64 form.
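The key-wrapping steps just described (randSeq(), makesecret() with EncryptPKCS1v15(), EncodeToString(), and the README) as an added Go example; this is not the page's or the sample's own code. It reproduces the scheme with a constructed RSA key pair standing in for the binary's hard-coded public key, and then shows the defender-side step: recovering the AES key from the README when the matching private key is available, and failing cleanly when it is not. The README layout (a `KEY: ` line) and the use of crypto/rand in place of randSeq() are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// aesKeyLen is the 0x20-byte key size the page reports for randSeq().
const aesKeyLen = 0x20

// readmeMarker labels the README line carrying the wrapped key. The page only
// says the Base64 blob is written into the README; this layout is an assumption.
const readmeMarker = "KEY: "

// genKeyPair builds a constructed RSA key pair that stands in for the public
// key hard-coded in the binary (whose private half the attacker keeps).
func genKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// randSeqKey stands in for the sample's randSeq(). The page does not show how
// randSeq draws its bytes, so this uses crypto/rand (assumption).
func randSeqKey() ([]byte, error) {
	key := make([]byte, aesKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// makeSecret follows the page's description of makesecret(): RSA PKCS#1 v1.5
// encryption of the AES key with the public key, then Base64 via EncodeToString.
func makeSecret(pub *rsa.PublicKey, aesKey []byte) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, aesKey)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// buildReadme writes the wrapped key into the note, as the sample does after
// allocating the README buffer.
func buildReadme(secret string) string {
	return "Your files have been encrypted.\n" + readmeMarker + secret + "\n"
}

// recoverKey is the defender-side step: with the private half of the RSA key,
// locate the Base64 blob in the README and unwrap the AES key. Without that
// private key the note alone does not reveal the key, and the unwrap fails.
func recoverKey(priv *rsa.PrivateKey, readme string) ([]byte, error) {
	for _, line := range strings.Split(readme, "\n") {
		if !strings.HasPrefix(line, readmeMarker) {
			continue
		}
		ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(line, readmeMarker))
		if err != nil {
			return nil, fmt.Errorf("bad Base64 in README: %w", err)
		}
		key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
		if err != nil {
			return nil, fmt.Errorf("RSA unwrap failed: %w", err)
		}
		if len(key) != aesKeyLen {
			return nil, errors.New("unwrapped key has unexpected length")
		}
		return key, nil
	}
	return nil, errors.New("no wrapped key found in README")
}

func main() {
	priv, err := genKeyPair()
	if err != nil {
		panic(err)
	}
	aesKey, err := randSeqKey()
	if err != nil {
		panic(err)
	}
	secret, err := makeSecret(&priv.PublicKey, aesKey)
	if err != nil {
		panic(err)
	}
	readme := buildReadme(secret)
	fmt.Print(readme)
	recovered, err := recoverKey(priv, readme)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered key matches: %v\n", string(recovered) == string(aesKey))
}
```

The point for incident response is in recoverKey(): the README gives victims the wrapped key, but PKCS#1 v1.5 unwrapping only succeeds with the private key, so recovery depends on obtaining that key (for example from a seized server or a later published key), not on the note itself.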
Before the ransomware encrypts files, it runs "service stop [pname]" or "systemctl stop [pname]" to stop the following services:
When it attempts to stop apache2.service, a dialog titled "Authentication Required" pops up asking the user for the system password to complete the operation.
Finally, the malware calls Walk(root string, walkFn WalkFunc) to traverse the file system from the root directory "/" and encrypt the files it finds.
The malware encrypts each target file with AES-256-CFB and appends ".destroy" to the encrypted file's name. The README file is as follows:
The EncFile() function does the file encryption. It first gets the size of the file to be encrypted. If the file size does not exceed 0x986880 (1000000) bytes, it encrypts all of the file data with AES-256-CFB. Otherwise, it reads only the first 0x986880 (1000000) bytes of the target file, encrypts those, and then appends the remaining data from the source file unchanged to the end of the encrypted data.
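The EncFile() behaviour described above (AES-256-CFB, the ".destroy" suffix, and the size threshold beyond which only the leading bytes are encrypted) as an added Go example, not the sample's or the page's own code. It reproduces the layout so that a matching decryptor can be tested, and the decryptor handles the large-file case where the tail is left in plaintext. The page does not say how the IV is handled, so prepending a random IV to the output is an assumption; the threshold is a parameter so that both branches can be exercised on small inputs, with pageLimit holding the value the page reports.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// pageLimit is the EncFile() threshold the page reports (0x986880 bytes).
const pageLimit = 0x986880

// encSuffix is appended to every encrypted file's name.
const encSuffix = ".destroy"

// encryptedLen applies the page's rule: the whole file when size <= limit,
// otherwise only the leading limit bytes.
func encryptedLen(size, limit int) int {
	if size <= limit {
		return size
	}
	return limit
}

// plaintextTail reports how many bytes of a file of the given original size
// survive unencrypted; for large files that tail is recoverable without the key.
func plaintextTail(size, limit int) int {
	return size - encryptedLen(size, limit)
}

// encFile reproduces the layout described for EncFile() so that decFile can be
// tested: the first encryptedLen bytes are AES-256-CFB ciphertext, the rest is
// copied through in plaintext. Prepending a random IV is an assumption.
func encFile(key, plain []byte, limit int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	n := encryptedLen(len(plain), limit)
	out := make([]byte, aes.BlockSize+len(plain))
	copy(out, iv)
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:aes.BlockSize+n], plain[:n])
	copy(out[aes.BlockSize+n:], plain[n:])
	return out, nil
}

// decFile is the recovery routine: run the CFB keystream only over the bytes
// that were actually encrypted and copy the plaintext tail through unchanged.
func decFile(key, enc []byte, limit int) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	if len(enc) < aes.BlockSize {
		return nil, errors.New("input shorter than the IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, body := enc[:aes.BlockSize], enc[aes.BlockSize:]
	n := encryptedLen(len(body), limit)
	out := make([]byte, len(body))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(out[:n], body[:n])
	copy(out[n:], body[n:])
	return out, nil
}

// originalName strips the ransomware suffix; ok is false if the name lacks it.
func originalName(name string) (orig string, ok bool) {
	if !strings.HasSuffix(name, encSuffix) {
		return name, false
	}
	return strings.TrimSuffix(name, encSuffix), true
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)              // constructed key
	plain := []byte(strings.Repeat("0123456789", 10)) // constructed 100-byte file
	limit := 40 // small threshold for the demo; the real sample uses pageLimit
	enc, err := encFile(key, plain, limit)
	if err != nil {
		panic(err)
	}
	dec, err := decFile(key, enc, limit)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext tail: %d bytes, roundtrip ok: %v\n", plaintextTail(len(plain), limit), bytes.Equal(dec, plain))
	name, ok := originalName("report.pdf" + encSuffix)
	fmt.Println(name, ok, pageLimit)
}
```

Because CFB is a stream mode, a decryptor must stop the keystream exactly at the threshold; running it over the whole file would corrupt the tail that was never encrypted. plaintextTail() is also useful during triage, since for large files the unencrypted remainder can be carved out immediately.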
0x03 Summary
According to our analysis, this malware is not complex and is probably still at an early stage of development. In the future we expect to see more and more malware written in Go, and we will continue to monitor and filter Go-based malware.
Indicators of compromise (IoC)
SHA256: 50470f94e7d65***bf00d7416a9634d9e4141c5109a78f5769e4204906ab5f0b
IoC: fullofdeepprotonmail.com
© 2024 shulou.com SLNews company. All rights reserved.