Ransomware is being rewritten in Go for joint attacks on Windows, Linux users
The Google-created programming language has become increasingly popular in the malware community for its speed and effectiveness in targeting more users with the same code base


Cyber security researchers have discovered evidence of a years-old ransomware strain returning after being rewritten in Golang - a cross-platform programming language capable of reaching a higher number of users across different operating systems.
The TellYouThePass ransomware was first discovered in 2019, but researchers at Crowdstrike have now spotted a new strain being used as a second-stage attack following a successful exploit of the Log4Shell vulnerability revealed in December 2021.
The Java and .NET languages were used to create TellYouThePass before it emerged into circulation three years ago, but the pivot to Golang, often referred to as 'Go', has enabled attackers to target users across Windows and Linux with minimal changes to the malware's code.
Once their files are encrypted, victims are greeted with a demand of 0.05 Bitcoin (£31,960) in return for a decryption tool to recover all their files.
[Image: The ransom note displayed to victims]
When examining code from malware targeting Windows and Linux machines, more than 85% of the code was near identical across the operating systems. This means Golang eliminates much of the leg work typically required to re-write malware for different operating systems, according to the researchers.
This interoperability has resulted in a steady growth in the popularity of Golang among malware authors over the past few years, according to Crowdstrike.
Researchers noted that hackers who have re-written TellYouThePass in Golang have done so using a number of obfuscation techniques to make analysis of its code more difficult for researchers.
The binary of the malware is patched in the new version of TellYouThePass to make it difficult to use string-based signatures to detect that the malware is even written in Golang at all.
Hackers have also taken to randomising the names of the malware's functions, leaving just the main function easily identifiable - another tactic used to impede technical analysis of the ransomware.
[Image: Analysis of TellYouThePass shows how function names are randomised]
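Where string signatures have been patched out, a structural check is one alternative. The sketch below is an added example, not code from the article or from Crowdstrike's analysis: it looks for the header of the Go linker's pclntab function table instead of textual markers. It assumes little-endian targets, runs on a constructed byte buffer, and makes no claim about what this particular sample leaves intact.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// pclntab magic values written by the Go linker, keyed to the Go releases using them.
var pclntabMagics = map[uint32]string{
	0xFFFFFFFB: "go1.2-1.15",
	0xFFFFFFFA: "go1.16-1.17",
	0xFFFFFFF0: "go1.18-1.19",
	0xFFFFFFF1: "go1.20+",
}

// HasGoStrings is the weak check: textual markers that a patched binary may lack.
func HasGoStrings(data []byte) bool {
	return bytes.Contains(data, []byte("Go build ID:")) || bytes.Contains(data, []byte("Go buildinf:"))
}

// FindPclntab scans for a plausible pclntab header: magic, two zero bytes,
// instruction quantum (1, 2 or 4) and pointer size (4 or 8). Heuristic only.
func FindPclntab(data []byte) (offset int, version string, ok bool) {
	for i := 0; i+8 <= len(data); i++ {
		v, known := pclntabMagics[binary.LittleEndian.Uint32(data[i:])]
		if !known || data[i+4] != 0 || data[i+5] != 0 {
			continue
		}
		q, p := data[i+6], data[i+7]
		if (q == 1 || q == 2 || q == 4) && (p == 4 || p == 8) {
			return i, v, true
		}
	}
	return -1, "", false
}

// sampleStripped returns a constructed buffer: filler bytes, then a go1.18-style
// pclntab header for amd64 (quantum 1, pointer size 8), with no Go strings at all.
func sampleStripped() []byte {
	buf := bytes.Repeat([]byte{0x90}, 64)
	buf = append(buf, 0xF0, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x01, 0x08)
	return append(buf, bytes.Repeat([]byte{0x41}, 32)...)
}

func main() {
	off, ver, ok := FindPclntab(sampleStripped())
	fmt.Println(HasGoStrings(sampleStripped()), off, ver, ok)
}
```

A hit is a triage signal rather than proof: the eight-byte pattern can occur by chance in unrelated data, so confirm by parsing the table that follows it.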
Before initiating the encryption routine, TellYouThePass attempts to kill certain tasks and processes, although on Linux it needs root privileges to do so. The targeted processes include email clients, database applications, web servers, and document editors.
What is Golang?
Golang, or 'Go', is a versatile, cross-platform programming language created by Google in 2007 and is among the most in-demand languages currently in use by the IT community, according to the University of California, Berkeley.
Crowdstrike noted in a November 2021 report that it had seen a steep rise in uptake of Golang among the cyber crime community in 2021, with an 80% increase in use between June and August 2021.
The cyber security firm said cryptocurrency miners are the most popular form of malware using Golang with miners accounting for 70% of all Golang-written malware as of August 2021. As evidenced with TellYouThePass, ransomware is also seeing Golang uptake, as well as password-stealing trojans and downloaders, Crowdstrike said.
Among the other strains of ransomware written in Golang, the likes of Babuk and HelloKitty - the ransomware that targeted CD Projekt in 2021 - are the most prominent, according to cyber security firm Morphisec.
"Golang’s versatility has turned it into a one-stop shop for financially motivated eCrime developers," the company said in a blog post. "Instead of rewriting malware for Windows, macOS and Linux, eCriminals can use Golang to cross-compile the same codebase with ease, allowing them to target multiple platforms effortlessly."
Despite having the ability to target users on a cross-platform basis, Crowdstrike said the vast majority (91%) of malware written in Golang targets Windows users due to its market share, while 8% targets users on macOS and just 1% seeks to infect Linux machines.
Pivoting to Golang is also an attractive proposition given that it performs around 40 times faster than optimised Python code. Golang can run more functions than C++, for example, which makes for a more effective product that can be more difficult to analyse.
"Portability in malware means the expansion of the addressable market, in other words who might become a source of money," said Andy Norton, European cyber risk officer at Armis, speaking to IT Pro. "This isn’t the first time we've seen a shift towards more portable malware; a few years ago we saw a change towards Java-based remote access trojans away from .exe Windows-centric payloads.
"The ability for security controls to inspect payloads is also another factor threat actors take into account, and drove the prevalence of file-less attacks up in recent years. The scrutiny and patching of Java currently on the back of Log4j vulnerabilities may be reducing Java's attractiveness as a threat vector and driving change in the criminal groups."

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.