Cyber Security

A New Golang Risk Makes Its Look

Decaf Golang Ransomware

Key Factors

  • The Go language is turning into more and more widespread amongst menace actors, with assaults beginning to seem in 2019
  • Morphisec Labs has tracked a brand new Golang-based (1.17) ransomware variant that appeared beginning in late September and continued improvement by way of October 
  • Morphisec recommends organizations replace their breach prevention methods to incorporate the danger of Golang-based ransomware 


Ransomware written within the Go language is rapidly rising in popularity amongst menace actors. These embody Babuk, Hive, and HelloKitty, in addition to many different threats written in Golang. “Go” is a statically typed, object-oriented, cross-platform programming language launched by Google. The abstraction and the help for a number of platforms is a bonus for a lot of builders and likewise a drawback for safety distributors who try to create signatures for malicious executable malware, which comes with all of the dependent libraries built-in.

Morphisec Labs has recognized a brand new pressure of ransomware, applied in Go 1.17 and named DECAF. The primary model, which incorporates symbols and check assertion, was recognized in late September. The attackers in a short time stripped the unique alpha model, added further performance, and uploaded this stub model to confirm its detection rating. Inside per week that they had deployed a totally weaponized model on a buyer website.

Golang 1.17 introduces further complexity to research the applying movement as a consequence of a modification in how parameters are being handed to features, this can be a nice instance of how the attackers have gotten extraordinarily agile in using the newest know-how.

The weblog put up that follows will cowl in nice element the totally different debug and pre-release variations of the brand new ransomware pressure, in addition to how the menace actor efficiently encrypts their goal. 

Technical Introduction 

As has been described within the introduction, we’ve recognized the supply of the DECAF ransomware on one in every of our buyer’s websites. It is just following an in depth investigation that we efficiently discovered a path that leads us to a debug model of the ransomware, which additionally included symbols. Within the first technical half, we’ll go into nice element concerning the performance of this debug model step-by-step. Within the second a part of the weblog, we’ll determine the updates launched to the pre-release model. We’re conscious of extra up to date variations which have been deployed over the past two weeks.

Technical Evaluation

Attack Chain: DECAF Ransomware

Determine 1: The assault chain of the Golang ransomware


The initialization part units up the info required for the ransomware’s malicious exercise.

The malware begins by parsing a command-line argument, –path, which represents the basis listing the place the ransomware will begin recursively encrypting information.


Determine 2: Parsing –path parameter

Subsequent, the malware creates an Encryptor object construction:

  • Encrypted file prefix – every encrypted file header begins with particular “magic” prefix, 0xDADFEEDBABEDECAF 
  • DECAF file extension – .decaf 
  • File extension size 
  • Attacker’s Public key – initialize and parse the embedded PKCS1 public key (see IOCs part)


Determine 3: Initializing the encrypter with related information

Many ransomwares implement file filtering mechanisms for a number of functions. Controls to keep away from double encrypting the identical file and avoiding the wrecking of the sufferer’s working system for fee.

DECAF isn’t any totally different and likewise makes use of a information filtering mechanism. It ignores: 

  1. .decaf extension information
  2. README.txt information 
  3. Embedded blacklists of information, folders, and extensions

For that process, the attacker created a FileUtils class which has a pointer to README.txt string (the title of the ransomware notification file) and the related features. One of many features inside FileUtils is Init(). This operate is chargeable for constructing blacklists for information, folders, and file extensions (the listing’s content material might be discovered within the Appendix part).

DECAF Ransomware Building files filters and optional pathsDetermine 4: Constructing information filters and optionally available paths

The subsequent step is determining which directories the malware ought to encrypt. It checks if –path has worth and if not calls to FileUtils.ListDriverRootPaths()as proven within the determine above. 

Trying inside ListDriverRootPaths, we are able to see that the malware iterates over the potential drives and searches for drives with a kind that’s NOT a  DRIVE_CDROM.

DECAF Drive bitmask iterationDetermine 5: Drive bitmask iteration

DECAF Adding drives excluding DRIVE_CDROM type to the slice

Determine 6: Including drives excluding DRIVE_CDROM sort to the slice

The very last thing that the malware does on this part is to create a WMI object for future use. We’ll go over its performance after we present the mechanism used to delete information. 

Let’s Encrypt Some Information 

The encryption part begins by including the attacker’s e-mail into the ransom be aware.

DECAF: Creating the formatted ransom note string

Determine 7: Creating the formatted ransom be aware string

As you might know, one of many largest challenges ransomware authors face when growing ransomware is encryption efficiency. The malware must encrypt as many information as potential, as quick as potential.

The writer of DECAF selected the multi-goroutine (Go’s thread “equal”) technique. It creates a number of encryption goroutines which look forward to messages from the primary routine. The message incorporates the file path that it has to encrypt.

Creating communication channel and 4 Go Routines

Determine 8: Making a communication channel and 4 Go Routines

Every EncWorker waits to obtain a brand new file path to encrypt from the channel. The file paths come from the operate FileUtils.ListFilesToEnc, which enumerates the information of the given listing and applies filtering in response to the blacklists, README.txt, and .decaf extension. 

Determine 9: The primary goroutine sends file paths after filtering and skipping symlinks

Determine 10: test arg_file_path for symlink

Encryption Employee

main_EncWorker_func1 is the operate chargeable for the encryption process. It listens for brand new file paths, calls the file encryption operate, deletes the unique file after it’s encrypted, and creates a README.txt file inside every listing.

DECAF main_EncWorker_func1 functionality

Determine 11: main_EncWorker_func1 performance

As soon as the file path has been acquired, the operate calls Encryptor.E for encrypting the file. 

The encryption routine is as follows: 

  • Checks if the file dimension is smaller than 4GB 

DECAF File Size CheckDetermine 12: File dimension test

  • Units up the cryptographic algorithms
    • DECAF makes use of AES-CBC-128  with a randomly generated encryption key and preliminary vector
    • Every file is encrypted with a unique symmetric encryption key
    • The file’s encryption key’s encrypted utilizing the attacker’s public key

image20Determine 13: Encryption key and IV

ciphertext, err := EncryptOAEP(sha256.New(), aes_key, public_key, G_Reader, 0x10

The subsequent factor is to open the supply (unique file) and goal (encrypted file) information. The malware opens the unique file with OF_READWRITE permission and creates a brand new goal file with .decaf extension.

DECAF Open original and target files

Determine 14: Open unique and goal information

The attacker wants to have the ability to decrypt all information in case somebody pays the demanded ransom to take care of its credibility. To try this, the attacker creates a particular header for every file that incorporates the related information for decryption. 

Encrypted file format: 

FilePrefix // Encrypted information identifier
FileSize // Reconstrcut the actual file dimension after it has encrypted  

CBC_IV // Shared between encryption and decryption
EncryptedKey // Required for decrypting the enc_key utilizing the attacker’s non-public key

<code: go>

DECAF Encrypted file format

Determine 15: Encrypted file format

The file content material is split into chunks, the place every chunk is 0x10 bytes. We wrote easy pseudocode which represents the content material encryption’s logic: 

  1. Learn 0x10 bytes from the unique file 
  2. If it’s EOF, finish. 
  3. If lower than 0x10 bytes learn, add random padding and create 0x10 bytes block 
  4. Encrypt the info
  5. Write the encrypted information to the goal file

func EncryptFileContent() 
// …
// Extra initialization defined above

symmetricKey := rand.Reader.Learn(0x10)
initialVector := rand.Reader.Learn(0x10)

hFile := os.OpenFile(“<file_path>”, O_RDWR, 0)
hTargetFile := os.OpenFile(“<file_path>.decaf”, o_RDWR | O_CREATE |  O_TRUNC, 0x1B6)
fileReader := bufio.NewReader(hFile)
fileWriter := bufio.NewWriter(hFile)

plaintext := make([]byte, 0x10)
ciphertext := make([]byte, 0x10)

// Learn till there’s nothing to learn
_, err := io.ReadAtLeast(fileReader, plaintext, 0x10)
whereas err != io.EOF {
if err == io.ErrUnexpectedEOF {
// Add random padding
padLen := aes.BlockSize – len(inBytes)%aes.BlockSize  

                  padding := make([]byte, padLen)
_, err = rand.Reader.Learn(padding)

padding[0] = byte(padLen)
plaintext = append(padding, plaintext…)
plaintextLen := len(plaintext)
block, err := aes.NewCipher(symmetricKey)
cfb := cipher.NewCBCEncrypter(block, initialVector)
cfb.CryptBlocks(ciphertext[aes.BlockSize:], plaintext)  

We will assume that the writer selected to divide the info into such small chunks as a technique to evade detection by Anti-Ransomware options that monitor for big information chunk encryptions.

Authentic File Wiping

As soon as the ransomware has created the encrypted file it must delete the unique file and get rid of the goal’s skill to get better the file. 

First, the malware deletes the file utilizing the WMI object created within the initialization part. We’ve reconstructed the malware’s WMI utilization within the following pseudocode: 

  1. The malware connects to the native WMI’s ROOTCIMV2 namespace for executing instructions 
  2. As soon as the file is encrypted, the malware queries for the CIM_DataFile object in response to the file’s path 
  3. It counts the outcomes and iterates over the objects 
  4. For every merchandise, it invokes the Delete operate

func DeleteFileUsingWMI() {

unknown, _ := oleutil.CreateObject(“WbemScripting.SWbemLocator”)  

wmi, _ := unknown.QueryInterface(ole.IID_IDispatch)

serviceRaw, _ := oleutil.CallMethod(wmi, “ConnectServer”)  

service := serviceRaw.ToIDispatch()

// …
// File encryption
// … 

// result’s a SWBemObjectSet
resultRaw, _ := oleutil.CallMethod(service, “ExecQuery”,   “SELECT * FROM CIM_DataFile the place  title=”<file_path>“”)
outcome := resultRaw.ToIDispatch()
countVar, _ := oleutil.GetProperty(outcome, “Rely”)
rely := int(countVar.Val)
for i :=0; i < rely; i++ {
// Every merchandise is CIM_DataFile object   

itemRaw, _ := oleutil.CallMethod(outcome, “ItemIndex”, i)  

merchandise :=  itemRaw.ToIDispatch()
oleutil.CallMethod(merchandise, “Delete”)

Now the very last thing left is to take away the restoration skill on the contaminated system. For that, DECAF makes use of cipher.exe, equally to different ransomware (e.g., LockerGoga and MegaCortex). 

DECAF iterates over the directories it must encrypt and calls cipher.exe with a /w:<directory_path>. This selection overwrites (“wipes”) deleted information and, in consequence, eliminates the flexibility to get better the file.

DECAF Wiping delete data inside the directory

Determine 16: Wiping delete information contained in the listing

Debug VS Pre-Launch

The distinction between the 2 variations of the identical ransomware is that the pre-release variant is stripped of symbols, strings and performance names are obfuscated.

We assumed that the second model is a Pre-Launched model as a result of Protonmail used within the ransom be aware, which is crammed with a placeholder as a substitute of an actual e-mail handle.


Determine 17: E mail handle within the ransom be aware of the Pre-Launch model

Time for comparability

Go Model

Let’s check out the code from runtime.schedinit that incorporates the variable buildVersion. This variable factors to the Golang model that has been used, not less than within the case that the symbols are current and never stripped.

DECAF Go version comparisonDetermine 18: Go model comparability

It’s price mentioning that Go 1.17 implements a brand new approach of passing operate arguments and outcomes utilizing registers as a substitute of the stack. Due to this, reverse engineering Golang might turn into messy for newcomers.

Public key

DECAF Public key comparisonDetermine 19: Public key comparability

Strings Obfuscation

The ransomware makes use of string obfuscation in its Pre-Launch model. Strings are being de-obfuscated on runtime whereas using totally different customized de-obfuscation features. 

For instance, the initialization of the `Encryptor` object’s decaf extension attribute:

DECAF: .decaf extension deobfuscation

Determine 20: .decaf extension deobfuscation

One other instance could possibly be seen whereas deleting the unique file. The WMI question used within the Debug model was embedded into the binary whereas within the Pre-Launch model it was saved encrypted. Earlier than calling the delete operate, the malware executes the decryption operate and divulges the actual WMI question, as we noticed within the Debug model.

DECAF WMI query resolving

Determine 21: WMI question resolving


The event of DECAF continues to at the present time, displaying that ransomware teams always innovate their assaults. That the assault is written in Golang is additional proof of this pattern towards innovation among the many adversary neighborhood; menace actors are eternally making modifications and including new capabilities to evade the detection-centric options that predominate available in the market. 

Corporations have to undertake prevention-first methods, akin to those Morphisec supplies, to make sure that they stand an opportunity at defending their crucial methods from additional assaults. Morphisec Labs will proceed to trace the event of the DECAF ransomware and report any additional developments that we uncover. 


Debug Model Public Key

MIIBCgKCAQEAv+D8WLstRCGExBNfcsd8iYvvBajk1wxLbHgteWQCtXWqr7VDaBD8 SEVez9LQVDvUNdHmRK+8n/JtkJ2vuPwBfb8IxZJ7sXsk/Zt1eoE7tZYUtKTZwazl 1zNbTR8Ocftkj3LW57atj+nTEUues7RkauWkXAlJckGXON4LXTI63QFleOmF0+C+ xoRkw3MibdQhePLZFm9eczZAmYqU875iBAQ5krsmvG10FU+2VVKmwAXfD9EUiuQ0
ZQPwayA0ubYuMmayj6SE7OlQzYuPQJzj6vYjMOnalCoe3yEu6Km35moYDcBN9p9f v36lPX2Mlq20tYiuGKcGSMeT7y/fmO9joQIDAQAB

Pre-Launch Model Public Key















Information blacklist


Directories blacklist

program information (x86)
program information
$home windows.~ws
tor browser
system quantity info
software information
home windows
home windows.previous

Extensions blacklist

.themepack .shs             .prf
.ldf       .drv             .dll
.scr       .wpx             .nomedia
.icl       .deskthemepack   .idx
.386       .bat             .tmp
.cmd       .rom             .pdb
.ani       .msc             .lib
.adv       .lnk             .class
.theme     .cab
.msi       .spl
.rtp      .ps1
.diagcfg  .msu
.msstyles .ics
.bin      .key
.hlp      .msp

Source link