Malware writers turn to Google Go language

According to Symantec, a new threat with components written in Go has recently been seen in the wild. Trojan.Encriyoko attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable. “Restoration of the encrypted files will be difficult, if not impossible,” warned researcher Flora Liu in her blog post.

Symantec obtained a sample of the new threat, a file named GalaxyNxRoot.exe that masquerades as a tool for rooting Samsung Galaxy smartphones and tablets, that is, for gaining privileged (superuser) access to the Android operating system. Rooting is popular with users who want to customize the user interface or install third-party apps not approved by Google Play.

But Symantec found that the file is actually a dropper written in .NET that poses as a rooting tool to trick users into running it. Once executed, GalaxyNxRoot.exe drops and launches two further executables, both written in Go: %Temp%\PPSAP.exe and %Temp%\adbtool.exe.

The dropped PPSAP.exe is an information-stealing Trojan: it collects system information such as the list of running processes, the user name and the MAC address, and posts it to a remote server (http://]golang.iwebs.ws/about/step1.php). Meanwhile the dropped adbtool.exe downloads an encrypted payload from a second location, http://]sourceslang.iwebs.ws/downs/zdx.tgz.

The downloaded file is decrypted into a Dynamic-link library (DLL), which is then loaded. The loaded DLL attempts to encrypt files of many types on the compromised computer, from documents and pictures to system files, using the Blowfish algorithm.

Before encrypting a file the Trojan checks its path and skips anything under certain directories, such as %Windir%, %ProgramFiles%, %UserProfile%\Local Settings, and others.
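To make the exclusion check concrete, here is an added example of how such a path filter can be implemented in Go and what it spares or exposes on a sample file list. It is not Symantec's code and not the Trojan's; the exclusion list contains only the three directories the article names, expanded by hand to assumed Windows XP-era defaults for a user called "alice" so that it runs offline on any platform, and the file paths are constructed for illustration. The check folds case (Windows paths are case-insensitive) and appends a separator before the prefix test, so `C:\Program Files (x86)` is not silently treated as lying under `C:\Program Files`, a mistake a naive prefix match makes.

```go
package main

import (
	"fmt"
	"strings"
)

// Directories the article reports Trojan.Encriyoko skips, with the Windows
// environment variables expanded by hand. Assumption (not from the article):
// default XP-era values and a user named "alice", chosen so the example runs
// offline on any platform without calling os.ExpandEnv.
var excludedDirs = []string{
	`C:\WINDOWS`,                                     // %Windir%
	`C:\Program Files`,                               // %ProgramFiles%
	`C:\Documents and Settings\alice\Local Settings`, // %UserProfile%\Local Settings
}

// normalize lower-cases a Windows path, unifies separators and strips any
// trailing separator so that prefix comparisons are exact. Without folding
// case, "c:\windows\..." would slip past an exclusion written as "C:\WINDOWS".
func normalize(p string) string {
	p = strings.ReplaceAll(p, "/", `\`)
	p = strings.ToLower(p)
	return strings.TrimRight(p, `\`)
}

// underExcludedDir reports whether path is one of the excluded directories or
// lies beneath one. A separator is appended before the prefix test so that a
// sibling directory sharing the same leading text (for example
// `C:\Program Files (x86)`) is not mistaken for a child of `C:\Program Files`.
func underExcludedDir(path string, excluded []string) bool {
	p := normalize(path)
	for _, dir := range excluded {
		d := normalize(dir)
		if p == d || strings.HasPrefix(p, d+`\`) {
			return true
		}
	}
	return false
}

// partition splits candidate files into those the exclusion list would spare
// and those it would leave exposed to encryption.
func partition(paths []string, excluded []string) (spared, exposed []string) {
	for _, p := range paths {
		if underExcludedDir(p, excluded) {
			spared = append(spared, p)
		} else {
			exposed = append(exposed, p)
		}
	}
	return spared, exposed
}

func main() {
	// Constructed sample paths, not taken from any real infection.
	sample := []string{
		`C:\WINDOWS\system32\ntdll.dll`,
		`c:\windows\explorer.exe`,
		`C:\Program Files\Internet Explorer\iexplore.exe`,
		`C:\Program Files (x86)\Vendor\data.db`,
		`C:\Documents and Settings\alice\Local Settings\Temp\PPSAP.exe`,
		`C:\Documents and Settings\alice\My Documents\thesis.doc`,
		`D:\photos\holiday.jpg`,
	}
	spared, exposed := partition(sample, excludedDirs)
	fmt.Println("spared by the exclusion list:")
	for _, p := range spared {
		fmt.Println("  ", p)
	}
	fmt.Println("exposed to encryption:")
	for _, p := range exposed {
		fmt.Println("  ", p)
	}
}
```

Run with `go run .`; the four system and profile paths are spared while the user document, the photo and the file under `Program Files (x86)` are listed as exposed. The same routine is handy on the defensive side when estimating which files a sample with a known exclusion list could have touched.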

Designed in 2007 and released in late 2009, Google's Go programming language has struggled to gain momentum over the past three years. That lack of a mainstream profile may be exactly what makes it attractive to malware authors: code written in a language that few analysts encounter day to day is more likely to stay under the radar of security researchers.
