When Google introduced its Go programming language in 2009, they surely didn’t hope for it to be used for writing malware but, as these things go, it was a only a matter of time until it happened.
Symantec researchers have recently analyzed a piece of malware found in the wild that contains some components written in Go.
The malware is a Trojan dubbed “Encriyoko”, which in this particular instance came disguised as a tool for rooting Android devices.
Once installed and executed on the victims’ PC, the file in question (GalaxyNxRoot.exe) would drop two Go-based executables: an information-stealing Trojan and a downloading component.
The first aims at collecting information about the targeted computer and the processes running on it and sending that information to a remote server, while the second downloads an encrypted DLL file from another remote server.
When this DLL file is decrypted and loaded, it tries to encrypt all source code files, images and audio files, archives, documents and many other files. If it manages to do so, it saves them all into one file (vxsur.bin) in the Temp folder.
“Restoration of the encrypted files will be difficult, if not impossible,” the researchers point out.
I assume they mean that when the user doesn’t have the key to do it – if so, could it be that this Trojan is part of a ransomware attack? Or are the attackers’ intentions simply to wreak havoc?