Reverse Engineering Go Malware: A BianLian Story

Presented at CactusCon 12 (2024), Feb. 16, 2024, 11 a.m. (60 minutes).

BianLian is a ransomware group that has been actively exploiting and extorting organizations across the world. Their toolchain is written in the popular Go programming language. Analyzing Go-based malware comes with challenges, especially with regard to identifying imports and standard library code. The group has suffered significant setbacks, including its private encryption key being reverse engineered and exposed, eliminating an entire part of their business component. BianLian has shifted their tactics, techniques, and procedures wildly as a result. Analyzing the encrypter, command and control implant, and the proxy forwarder, I will show the process of extracting indicators of compromise and identifying information using IDA Pro, Binary Ninja, Ghidra, and a tasteful amount of Python. During the talk I will make fun of bad code, show a fair amount of Intel assembly, and lament the difficulties of malware development.

Presenters:

  • Danny Quist - Reverse Engineer, Technical Co-founder Stealth Mode Startup
    Danny Quist is a Technical Co-founder of Unit 129, Inc., a security startup. Previously, he has worked at Redacted, Bechtel, MIT Lincoln Laboratory, and Los Alamos National Laboratory as a reverse engineer, security researcher, and manager of security engineering. His primary research interests are weird incident response problems, reverse engineering, technical management, and deep-sea seafloor manganese nodule mining. Danny holds a Ph.D. in Computer Science from New Mexico Tech. He has previously spoken at Black Hat, DEF CON, Recon, RSA, ShmooCon, and CactusCon.
