New malware written in the Go programming language has spiked by 2000% over the past four years, as nation state and cybercrime threat actors switch from older ecosystems, according to a new report.
Israeli security firm Intezer made the claims in a new report late last week, Year of the Gopher: 2020 Go Malware Round-Up.
It revealed that although the language, sometimes referred to as Golang, was first used for malware around nine years back, it took until 2019 for it to become popular among cyber-criminals.
However, since then it has emerged as an increasingly common choice, primarily as it works across Windows, Linux and Mac operating systems and is relatively challenging for researchers to reverse engineer.
Intezer also praised its “very well-written networking stack that is easy to work with.”
In a blog, the vendor explained that Go was used by Russian state-backed actors to target Eastern European countries with a variant of the Zebrocy malware last year. Kremlin hackers have also used the language to develop the WellMess malware which targeted COVID-19 vaccine researchers in the UK, Canada and US.
Chinese state attackers used Go malware in loaders and recent attacks against Tibetans, Intezer claimed.
On the cybercrime front, the vendor pointed to botnets (IPStorm) used to launch DDoS and mine illegally for cryptocurrency, as well as ransomware variants (Nefilim, EKANS) all written in Go.
Specialized runtime protection tools will be needed to tackle the growing threat from Go malware, Intezer concluded.
“We have seen threat actors targeting multiple operating systems with malware from the same Go codebase. Traditional anti-virus programs have had a hard time identifying Go malware due to many factors,” it continued.
“A detection method based on code reuse has shown to be effective, especially when it comes to detecting when malware families are targeting new platforms. It’s also likely that attacks from Go malware against cloud environments will increase as more valuable assets are moved to the cloud.”