The Latest in IT Security

Malware Uses Google Go Language


Designed in 2007 and introduced in late 2009, the Go programming language developed by Google has been gaining momentum the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat associated with components which are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it.

Figure 1. GalaxyNxRoot.exe properties

Once executed, the GalaxyNxRoot.exe file drops and launches two executable files, both written in Go:

  • %Temp%PPSAP.exe
  • %Temp%adbtool.exe

The dropped PPSAP.exe file is an information-stealing Trojan. It collects system information such as current running processes, user name, MAC address, etc., and posts it to the following remote location:

The dropped adbtool.exe file downloads an encrypted file from the following remote location:

This file is decrypted as a Dynamic-link library (DLL) file and then loaded. It attempts to encrypt various file formats on the compromised computer. The targeted file formats include:

  • Source code files (.c, .cpp, .cs, .php, .java, .pas, .vb, .frm, .bas, .go, .asp, .aspx, .jsp, .pl, .py, .rb)
  • Image files (.jpg, .png, .psd)
  • Audio files (.wav, .wma, .amr, .awb)
  • Archive files (.rar, .zip, .iso, .gz, .7z)
  • Document files (file extensions containing the following strings:  doc, xls, ppt, mdb, pdf)
  • Other types of files (file extensions containing the following strings: dw, dx, sh, pic, 111, win, wvw, drw, grp, rpl, mce, mcg, pag)

Figure 2. Targeted file formats

The file paths are confirmed by the Trojan in order to avoid encrypting files under certain paths, such as %Windir%, %ProgramFiles%, %UserProfile%\Local Settings, and others.

The encryption uses the Blowfish algorithm. It either reads the encryption key from D:\nepia.dud or randomly generates one. The names of all of the encrypted files are then saved to the following location:

Restoration of the encrypted files will be difficult, if not impossible.

Symantec detects all these files: GalaxyNxRoot.exe as Trojan.Dropper, PPSAP.exe as Infostealer, adbtool.exe as Downloader, and zdx.dll as Trojan.Encriyoko.

Leave a reply


MONDAY, JULY 15, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments