Presented at DEF CON 29 (2021), Aug. 7, 2021, 6 p.m. (45 minutes).
The past two years have seen the rise of Golang-based malware from its beginnings as a way to win at CCDC and red team engagements to its current use by actual threat actors. This talk will break down why Golang is so useful for malware with a detailed tour through the available components used for exploitation, EDR and NIDS evasion, and post-exploitation, by one of the main authors of the core components. Although focused on the offensive perspective, there will be valuable insights into the challenges in detecting Golang malware. Interested in learning Golang? Interested in writing or detecting malware? This is your invitation into the weird and wonderful world of Golang malware.
REFERENCES:
List of Golang Security Tools:
https://github.com/Binject/awesome-go-security
C-Sto:
https://github.com/c-sto/goWMIExec
https://github.com/C-Sto/BananaPhone
https://github.com/C-Sto/gosecretsdump
capnspacehook:
https://github.com/capnspacehook/pandorasbox
https://github.com/capnspacehook/taskmaster
Vyrus / gscript crew:
https://github.com/gen0cide/gscript
https://github.com/vyrus001/go-mimikatz
https://github.com/vyrus001/msflib
secretsquirrel / Josh Pitts:
https://github.com/secretsquirrel/the-backdoor-factory
https://github.com/Genetic-Malware/Ebowla
https://github.com/secretsquirrel/SigThief
https://github.com/golang/go/issues/16292
malwareunicorn on OSX loading:
https://malwareunicorn.org/workshops/macos_dylib_injection.html
Misc:
https://github.com/sassoftware/relic
https://github.com/EgeBalci/sgn
https://github.com/moonD4rk/HackBrowserData
https://github.com/emperorcow/go-netscan
https://github.com/CUCyber/ja3transport
https://github.com/swarley7/padoracle
Command and Control:
https://github.com/BishopFox/sliver
https://github.com/DeimosC2/DeimosC2
https://github.com/t94j0/satellite
Obfuscation/RE:
https://github.com/unixpickle/gobfuscate
https://github.com/mvdan/garble
https://github.com/goretk/redress
Of interest for defense, but breaks Docker & Terraform:
https://github.com/unsecureio/gokiller
Presenters:
Ben Kurtz
Principal Anarchist, SymbolCrash; Founder of Binject; Host of the Hack the Planet podcast
Ben Kurtz is a hacker, a hardware enthusiast, and the host of the Hack the Planet podcast (https://symbolcrash.com/podcast). After his first talk, at DEF CON 13, he ditched development and started a long career in security. He has been a pentester for IOActive, head of security for an MMO company, and on the internal pentest team for the Xbox One at Microsoft. Along the way, he volunteered on anti-censorship projects, which resulted in his conversion to Golang and the development of the ratnet project (https://github.com/awgh/ratnet). A few years ago, he co-founded the Binject group to develop core offensive components for Golang-based malware, and Symbol Crash, which focuses on sharing hacker knowledge through trainings for red teams, a free monthly Hardware Hacking workshop in Seattle, and podcasts. He is currently developing a ratnet-based handheld device for mobile encrypted mesh messaging, planned for release next year.
@symbolcrash1
symbolcrash.com