
Golang stealer malware gives debuggers a new look

A new cryptocurrency stealer written in the Golang (Go) programming language has been detected, part of a growing trend of cybercriminals writing malware in Go.

Last year, Sofacy created a new variant of its Zebrocy malware written in Go, a functionally similar Trojan used in spear-phishing emails with an LNK shortcut attachment.

Researchers described the stealer as unsophisticated malware that's possibly in its early stages of development, as its authors are still learning the language and experimenting with it. In addition, the malware looks much different under a debugger than malware compiled in other languages such as C and C++, presenting a new challenge, as analysis has to seek new patterns in the malware.

Like most applications written in Go, the malware’s code is bulky and its compiled binaries are usually big, so the observed sample was packed with UPX to minimize its size, researchers said.

“We can see that the browser’s cookie database is queried in search of data related to online transactions: credit card numbers, expiration dates, as well as personal data such as names and email addresses,” researchers said in the test.

“The paths to all the files being searched are stored as base64 strings. Many of them are related to cryptocurrency wallets, but we can also find references to the Telegram messenger.”

The malware also queries information related to credit card numbers, expiration dates, as well as personal data such as names and email addresses.
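For triage of a sample like the one described, the following added example (not code from the researchers or from the article) checks for default UPX markers and decodes base64 runs that turn out to be file paths. The keyword list and the sample paths are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Candidate base64 runs: 16+ alphabet characters plus optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Assumed triage keywords, chosen from the categories the article names.
KEYWORDS = ("wallet", "telegram", "cookies")
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

def looks_upx_packed(blob: bytes) -> bool:
    """Default UPX builds leave a magic value and section names behind."""
    return any(marker in blob for marker in UPX_MARKERS)

def decode_path(candidate: bytes):
    """Return the decoded text if the run is base64 for a printable path."""
    if len(candidate) % 4:
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text.isprintable() or not re.search(r"[\\/]", text):
        return None
    return text

def find_encoded_paths(blob: bytes):
    """List (decoded_path, matched_keywords) for base64 runs hiding paths."""
    hits = []
    for match in B64_RUN.finditer(blob):
        path = decode_path(match.group())
        if path:
            hits.append((path, [k for k in KEYWORDS if k in path.lower()]))
    return hits

# Constructed sample standing in for the strings of an unpacked binary;
# the paths are illustrative and not taken from the analysed malware.
SAMPLE = b"\x00".join([
    b"runtime.goexit",
    base64.b64encode(rb"\AppData\Roaming\Electrum\wallets"),
    base64.b64encode(rb"\AppData\Roaming\Telegram Desktop\tdata"),
    b"A" * 24,  # base64-shaped, but decodes to non-printable bytes
])

if __name__ == "__main__":
    print("UPX markers present:", looks_upx_packed(SAMPLE))
    for path, tags in find_encoded_paths(SAMPLE):
        print(tags or ["unclassified"], path)
```

Run the path scan on the unpacked file (for example after `upx -d`), since the encoded strings are not visible in the packed image. Go stores strings without terminators, so a base64 run glued to a neighbouring string fails the length check and is skipped rather than misdecoded.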
