How Do We Fight Against Evolving Go Language Malware? : Practical Techniques to Improve Analytical Skills (進化するGo言語製マルウェアとどう戦うか?: 解析能力向上に向けての実践的テクニック)
I gave a presentation at JSAC on the analysis of Go malware. Here are the scripts we presented at that time.
This Ghidra script deobfuscates strings in Go malware obfuscated with gobfuscate, such as ChaChi and Blackrota. The script is provided as part of the GolangAnalyzerExtension plugin, so it can be run from Ghidra's Script Manager once that plugin is installed. Please note that it will not work without this plugin.
Below is the result of deobfuscating the malware ChaChi with degobfuscate.py.
SHA256: 8a9205709c6a1e5923c66b63addc1f833461df2c7e26d9176993f14de2a39d5b
gohelper_go118.py is a script that makes gohelper.py, which does not support Go 1.16 or later, compatible with Go 1.18. However, this script does not support versions prior to Go 1.18. The commit is here.
Below are the results of resolving the function names of the malware Chaos with gohelper_go118.py, shown using the afl and pdf commands.
SHA256: ebe0f9855eb8f6bd980ed60c26e3a877dc1ace5d664e248bb0558996fe0bd06f