| Go Injector | |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | Russia |
| Date of Initial Activity | 2024 |
| Motivation | Data Theft |
| Attack Vectors | Web browsing |
| Targeted Systems | Windows |
| Type of Information Stolen | Cryptocurrencies |
Overview
Go Injector is a sophisticated piece of malware that has emerged as a significant threat, reflecting the growing sophistication of cybercriminals. Written in the Go programming language, it is a versatile and stealthy tool used to deliver and execute additional malicious payloads on compromised systems. It typically appears in multi-stage attacks as the intermediary between the initial infection and more harmful malware such as information stealers and ransomware. Its ability to inject malicious code into legitimate processes is what makes it particularly dangerous: the payload runs under a trusted process name, which lets it bypass traditional, file-focused security measures.
The malware is often delivered via phishing campaigns or malicious websites that trick users into executing payloads. Once activated, Go Injector performs a series of complex steps to inject itself into the system’s memory, making it harder for security tools to detect and remove it. One of its notable capabilities is its use of encrypted payloads, which are decrypted and executed in-memory, further increasing the challenge for security professionals to trace and analyze the attack. The modular nature of Go Injector allows it to target specific environments and adapt to different attack scenarios, enhancing its effectiveness in evading detection.
Targets
Individuals
How they operate
The Infection Chain and Initial Execution
The infection chain typically begins when a victim is tricked into visiting a malicious website or downloading an infected file, often through phishing or social engineering tactics. Once the malware is executed on the target system, the Go Injector first collects essential system information, such as the hostname, username, and directories, which helps it determine the most effective way to operate within the compromised environment. This information is sent back to the attacker’s command-and-control (C2) server, where it can be used for further exploitation.
The Memory Injection Process
One of the most critical techniques used by Go Injector is its ability to inject malicious code directly into a system’s memory. Unlike traditional malware, which writes malicious code to disk, Go Injector takes a more evasive approach by operating solely in memory. This significantly reduces the chances of detection by antivirus programs, which typically focus on scanning files stored on disk.
Upon execution, Go Injector allocates memory and copies encrypted data into it. That data is carried in the .rdata section of the executable, from which it is extracted and later injected into a running process. To do this, Go Injector calls Windows API functions such as VirtualAlloc and WriteProcessMemory to allocate memory and write the encrypted payload into it. It then uses CreateProcess to spawn a legitimate-looking process, such as BitLockerToGo.exe, in a suspended state, and calls WriteProcessMemory to place the decrypted malicious code into that process's memory, where it runs as though it were part of the legitimate program. This injection method is known as process hollowing.
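The sequence above (untrusted parent spawns a legitimately named host such as BitLockerToGo.exe, then obtains write access to it) is what a behavioural detector can key on. The following is an added example, not code from the original write-up: it runs a simple two-stage correlation over constructed Sysmon-style events (Event ID 1 process creation, Event ID 10 process access; the simplified field names are assumptions). Sysmon's creation event does not record the suspended-creation flag, so the rule relies on parent reputation plus the VM_WRITE|VM_OPERATION access; PID reuse and the later thread-context/resume steps are out of scope.

```python
import ntpath

# Access-right bits from the Win32 process security model (PROCESS_* constants).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOW_TARGETS = {"bitlockertogo.exe"}          # host process named in the write-up
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed Sysmon-style events (ID 1 = process creation, ID 10 = process access);
# field names are simplified assumptions, not Sysmon's exact XML schema.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "parent_pid": 1800,
     "image": "C:\\Users\\victim\\Downloads\\setup.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 1, "pid": 4188, "parent_pid": 4120,
     "image": "C:\\Windows\\System32\\BitLockerToGo.exe",
     "parent_image": "C:\\Users\\victim\\Downloads\\setup.exe"},
    # Read-only handle: cannot write a payload, must not alert.
    {"id": 10, "source_pid": 4120, "target_pid": 4188, "granted_access": "0x1410"},
    # Full access including VM_WRITE|VM_OPERATION: the hollowing write step.
    {"id": 10, "source_pid": 4120, "target_pid": 4188, "granted_access": "0x1FFFFF"},
    # Benign: explorer.exe launches BitLockerToGo.exe itself, never a candidate.
    {"id": 1, "pid": 5000, "parent_pid": 1800,
     "image": "C:\\Windows\\System32\\BitLockerToGo.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 10, "source_pid": 1800, "target_pid": 5000, "granted_access": "0x1FFFFF"},
]

def untrusted_parent(path):
    return not path.lower().startswith(TRUSTED_PARENT_DIRS)

def detect_hollowing(events):
    """Return one alert per child that an untrusted parent spawned and then wrote into."""
    candidates = {}   # child pid -> creation event for a hollowing-prone image name
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            name = ntpath.basename(ev["image"]).lower()
            if name in HOLLOW_TARGETS and untrusted_parent(ev["parent_image"]):
                candidates[ev["pid"]] = ev
        elif ev["id"] == 10:
            child = candidates.get(ev["target_pid"])
            if child is None or ev["source_pid"] != child["parent_pid"]:
                continue   # access from someone other than the suspicious parent
            rights = int(ev["granted_access"], 16)
            if rights & PROCESS_VM_WRITE and rights & PROCESS_VM_OPERATION:
                alerts.append({"target_pid": ev["target_pid"], "target_image": child["image"],
                               "parent_image": child["parent_image"],
                               "granted_access": ev["granted_access"]})
                candidates.pop(ev["target_pid"])   # one alert per hollowed child
    return alerts
```

Running `detect_hollowing(SAMPLE_EVENTS)` yields a single alert for PID 4188; the read-only handle and the explorer.exe-launched instance are ignored.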
Payload Decryption and Execution
Once the malicious code has been injected into the target process, Go Injector decrypts the payload. The payload is typically encrypted with AES-GCM, and Go Injector allocates additional memory in which to decrypt and execute it. Because the payload exists in plaintext only in memory, signature-based antivirus solutions have no file to match until it is already running. After decryption, the payload, often an information-stealing module such as Lumma Stealer, is ready to carry out its intended malicious actions.
Lumma Stealer, for instance, targets sensitive information such as login credentials, cryptocurrency wallet data, and two-factor authentication (2FA) tokens. Once the payload is fully loaded into memory, it begins exfiltrating the stolen data to the attacker’s C2 server, often using encrypted communication channels to avoid detection by network monitoring tools.
Evasion and Persistence
Go Injector is designed to be highly evasive, making it difficult to detect and remove. Since it operates primarily in memory and avoids writing malicious code to disk, traditional file-based security solutions are less effective against it. Additionally, Go Injector can use a variety of techniques to avoid detection, such as injecting into processes with high legitimacy or using common, non-malicious process names to blend in with the system’s regular activity. This makes it harder for system administrators to identify the presence of malicious code.
The malware also provides a form of persistence: if one payload is detected and removed, the attacker can deploy another. This is done by downloading and executing multiple payloads from remote servers, such as smart1.zip, an archive containing additional files that can be executed to further infect the system.
Conclusion
Go Injector represents a new wave of sophisticated malware that combines advanced memory injection techniques with modular payload delivery. Its ability to operate entirely in memory and bypass traditional security measures makes it a formidable threat in the world of cybersecurity. As cybercriminals continue to refine their tactics, tools like Go Injector will likely become more common, necessitating the adoption of more advanced and proactive security measures. Detection techniques focusing on behavioral analysis, memory scanning, and anomaly detection will be crucial in identifying and mitigating the risks associated with Go Injector and similar threats.