Go Get ‘Em: Updates to Volexity Golang Tooling
Volexity has released updates to its Golang reverse engineering tooling to address the growing trend of Go-based malware and obfuscation techniques like Garble. The release introduces GoStringExtractor, a plugin for IDA Pro and Ghidra that organizes unterminated Go string tables, and updates GoResolver to recover runtime type information (RTTI), significantly enhancing static analysis capabilities.
Authors: Ivan Mladenov
Source: Volexity
Detection / Hunter
What Happened
Volexity has released new and updated tools to help security researchers analyze software written in the Go programming language. Threat actors increasingly write malware in Go and obfuscate it with tools such as Garble, which strips or rewrites the names and strings an analyst would normally rely on, so analyzing these files can be slow and error-prone. The new GoStringExtractor plugin and the updated GoResolver recover string data and runtime type information (RTTI) from the compiled binary and present them in a form the disassembler can use. Security analysts and reverse engineers should consider integrating these tools into their workflows to more quickly establish what a suspicious Go program does and how to defend against it.
Key Takeaways
- Volexity released GoStringExtractor, a new plugin for IDA Pro and Ghidra that helps extract, organize, and analyze string data in Golang binaries.
- GoResolver has been updated with a new '-y' flag to parse runtime type information (RTTI), significantly improving disassembly output and structural understanding of Go binaries.
- These tools are specifically designed to reduce analyst workload when dealing with compiled Go binaries, including those obfuscated by tools like Garble.
- Helper tools GoStrap and GitToolFetcher have been parallelized to improve performance during the analysis workflow.
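Why a Go-specific string extractor is needed at all comes down to how Go stores strings: each string is a (pointer, length) header, and the bytes it points at have no terminator, so the compiler packs literals in `.rodata` back to back. A generic `strings` run therefore fuses neighbouring literals into one long bogus string. The following Go program is an added illustration of that layout and of the simplest header-driven recovery; it is not GoStringExtractor's code and does not claim to reproduce its algorithm (real binaries also reference many literals from code immediates rather than from static headers). The `.rodata` and `.data` bytes are constructed inline, and the `0x4b0000` load address is an assumed value.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// goStringHeader mirrors the runtime layout of a Go string on a 64-bit
// target: a pointer to the first byte and a length. The bytes themselves
// carry no terminator, so consecutive literals in .rodata are packed
// back to back.
type goStringHeader struct {
	Ptr uint64
	Len uint64
}

// putU64 appends v in little-endian byte order.
func putU64(buf []byte, v uint64) []byte {
	var tmp [8]byte
	binary.LittleEndian.PutUint64(tmp[:], v)
	return append(buf, tmp[:]...)
}

// buildSample constructs a fake .rodata blob plus a fake .data section
// holding one (ptr, len) header per literal. This is constructed sample
// input, not bytes from any real binary; rodataBase is an assumed load
// address.
func buildSample(rodataBase uint64) (rodata, data []byte) {
	literals := []string{"GET", "POST", "http://c2.example.invalid/beacon", "cmd.exe"}
	var off uint64
	for _, s := range literals {
		rodata = append(rodata, s...)
		data = putU64(data, rodataBase+off)
		data = putU64(data, uint64(len(s)))
		off += uint64(len(s))
	}
	// Noise the scanner must reject: a pointer outside .rodata and a
	// length no string could plausibly have.
	data = putU64(data, 0xdeadbeef)
	data = putU64(data, 1<<40)
	return rodata, data
}

// naiveStrings mimics a generic `strings` tool: every run of printable
// bytes of at least minLen becomes one string. On packed Go literals this
// fuses neighbours into a single meaningless result.
func naiveStrings(blob []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range blob {
		printable := b >= 0x20 && b <= 0x7e
		if printable && start < 0 {
			start = i
		}
		if !printable && start >= 0 {
			if i-start >= minLen {
				out = append(out, string(blob[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(blob)-start >= minLen {
		out = append(out, string(blob[start:]))
	}
	return out
}

// findStringHeaders scans a data section for pointer-aligned (ptr, len)
// pairs whose pointer lands inside .rodata and whose length stays in bounds.
func findStringHeaders(data []byte, rodataBase uint64, rodataLen int, maxLen uint64) []goStringHeader {
	var hdrs []goStringHeader
	end := rodataBase + uint64(rodataLen)
	for i := 0; i+16 <= len(data); i += 8 {
		ptr := binary.LittleEndian.Uint64(data[i:])
		n := binary.LittleEndian.Uint64(data[i+8:])
		if ptr < rodataBase || ptr >= end || n == 0 || n > maxLen || ptr+n > end {
			continue
		}
		hdrs = append(hdrs, goStringHeader{Ptr: ptr, Len: n})
		i += 8 // skip the length word so it is not re-read as a pointer
	}
	return hdrs
}

// carveStrings cuts .rodata at exactly the boundaries the headers describe.
func carveStrings(rodata []byte, rodataBase uint64, hdrs []goStringHeader) []string {
	out := make([]string, 0, len(hdrs))
	for _, h := range hdrs {
		off := h.Ptr - rodataBase
		if off+h.Len > uint64(len(rodata)) {
			continue
		}
		out = append(out, string(rodata[off:off+h.Len]))
	}
	return out
}

func main() {
	const base = uint64(0x4b0000) // assumed .rodata load address
	rodata, data := buildSample(base)
	fmt.Println("naive:", naiveStrings(rodata, 4))
	hdrs := findStringHeaders(data, base, len(rodata), 1<<20)
	fmt.Println("carved:", carveStrings(rodata, base, hdrs))
}
```

Running it prints the naive pass as one fused string and the header-driven pass as the four original literals. The same boundary problem is what makes Garble-obfuscated strings hard to spot: once the literal boundaries are lost, there is nothing for a signature or a grep to anchor on.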
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules are provided; the article focuses exclusively on reverse engineering and static analysis tooling.
Detection Engineering Assessment
- EDR Visibility: N/A — The article discusses static analysis tools for reverse engineering, not behavioral execution that would be captured by EDR.
- Network Visibility: N/A — The article focuses on binary analysis, not network traffic or C2 communication.
- Detection Difficulty: N/A — No specific threat or campaign is profiled for detection.
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unknown or suspicious Golang binaries executing in the environment, particularly those exhibiting signs of obfuscation such as stripped symbols or packed sections, which may indicate the use of tools like Garble. | File metadata, EDR process execution logs | Execution | High, as legitimate applications are frequently compiled with Go and may have stripped symbols by default. |
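The hypothesis above keys on stripped symbols, which nearly every Go release build shares, hence the high false-positive risk. A more specific marker for "this file is a Go binary, built by roughly this release" is the header of the runtime's function table (pclntab): the runtime needs it for panics and stack walking, so it survives `-s -w` stripping, and obfuscators that rewrite the names inside it still have to leave the table in place. The Go program below is an added example of scanning raw bytes for that header; it is not Volexity's code and not a detection the article provides. The magic words are the ones the Go runtime's `pcHeader` has used per release; `sampleStripped` is a constructed fragment, not bytes from a real sample.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"os"
)

// pclntabMagic maps the pcHeader magic word to the Go release range that
// emits it. The header that follows is: magic(4) pad(2)=0 minLC(1) ptrSize(1).
var pclntabMagic = map[uint32]string{
	0xFFFFFFFB: "go1.2-1.15",
	0xFFFFFFFA: "go1.16-1.17",
	0xFFFFFFF0: "go1.18-1.19",
	0xFFFFFFF1: "go1.20+",
}

// pclntabHit describes a located header.
type pclntabHit struct {
	Offset  int
	Version string
	PtrSize int
	MinLC   int
}

// findPclntab scans raw bytes for a plausible little-endian pcHeader. The
// pad bytes, instruction alignment and pointer size are checked so a stray
// 0xFFFFFFF1 immediate in code is not reported as a table.
func findPclntab(b []byte) (pclntabHit, bool) {
	for i := 0; i+8 <= len(b); i++ {
		ver, ok := pclntabMagic[binary.LittleEndian.Uint32(b[i:])]
		if !ok || b[i+4] != 0 || b[i+5] != 0 {
			continue
		}
		minLC, ptr := int(b[i+6]), int(b[i+7])
		if (minLC != 1 && minLC != 2 && minLC != 4) || (ptr != 4 && ptr != 8) {
			continue
		}
		return pclntabHit{Offset: i, Version: ver, PtrSize: ptr, MinLC: minLC}, true
	}
	return pclntabHit{}, false
}

// sampleStripped is a constructed fragment standing in for the bytes around
// a stripped amd64 Go 1.21 binary's pclntab: a few junk bytes, including a
// lone 0xFF that must not trigger a match, then the 8-byte header.
var sampleStripped = []byte{
	0x00, 0x41, 0x42, 0x43, 0xFF, // junk / partial match
	0xF1, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x01, 0x08, // magic (LE), pad, minLC=1, ptrSize=8
	0x10, 0x00, 0x00, 0x00, // start of the following header fields (not checked)
}

func main() {
	if hit, ok := findPclntab(sampleStripped); ok {
		fmt.Printf("sample: pclntab at +%d (%s, ptrSize=%d)\n", hit.Offset, hit.Version, hit.PtrSize)
	}
	// Self-check against the running program, which is itself a Go binary.
	exe, err := os.Executable()
	if err != nil {
		return
	}
	raw, err := os.ReadFile(exe)
	if err != nil {
		return
	}
	if hit, ok := findPclntab(raw); ok {
		fmt.Printf("%s: pclntab at +0x%x (%s)\n", exe, hit.Offset, hit.Version)
	} else {
		fmt.Printf("%s: no pclntab header found\n", exe)
	}
}
```

This only answers "is it Go, and roughly which release"; it says nothing about intent, so it belongs in a triage or enrichment step that narrows a hunt over unknown executables, not in an alerting rule.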
False Positive Assessment
- High for the hunting hypothesis above: a large amount of legitimate software is written in Go and is routinely shipped with stripped symbols, so "Go binary with no symbols" is a weak indicator on its own. The article provides no detection rules, so there is no rule-level false positive rate to assess.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider integrating Volexity's GoStringExtractor and GoResolver into your reverse engineering and malware analysis environments to improve analysis of compiled Golang threats.
Infrastructure Hardening
- N/A
User Protection
- N/A
Security Awareness
- N/A
MITRE ATT&CK Mapping
- T1027 - Obfuscated Files or Information