Keypoints
- Sample is a 64-bit Windows executable written in Go, carrying a WinAuth certificate and a tampered compile timestamp (Dec 31, 1969, i.e. a PE timestamp at or just before the Unix epoch).
- The binary carries an unexpected .symtab section, a section name normally seen in ELF (Linux) binaries; the analyst had to rebuild the Go pclntab (gopclntab, the PC-to-line table) to recover function names and strings.
- Strings and recovered functions indicate collection of the system UUID, public IP, username, hostname, Windows version, PID, process name and architecture for exfiltration.
- Uses public Go packages from GitHub (kbinani to capture the screen, fogleman to save the image) for screenshots; monitors input events with SetWindowsHookExW and TrackMouseEvent.
- Allocates memory with VirtualAlloc for process injection, runs WMIC queries (e.g., "SELECT UUID FROM Win32_ComputerSystemProduct") and reads registry keys to discover the Windows version and hostname.
- Contacts ip-api.com/json to learn its public IP, then POSTs the collected data to the C2 at https://daily-mashriq[.]org/goyxdrkhjilchyigflztv, ChaCha20-encrypted and under a fixed custom User-Agent; subsequent POSTs carry only a UID every 7 seconds.
- Installs a new root certificate by overwriting a certificate entry under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT (using CertGetCertificateChain); that key is the registry backing of the machine Root store, so anything written there is trusted system-wide and the implant's HTTPS traffic validates. Also binds several listening port ranges.
MITRE Techniques
- [T1047] Windows Management Instrumentation: the malware runs WMIC queries to gather system information ("SELECT UUID FROM Win32_ComputerSystemProduct"); WMIC is the WMI command-line client, so this fits better than T1059 Command and Scripting Interpreter.
- [T1055] Process Injection: allocates memory with VirtualAlloc as part of injecting code into another process ("process injection via VirtualAlloc").
- [T1553.004] Subvert Trust Controls: Install Root Certificate: the trojan writes a new root certificate into the machine Root store in the registry so that its HTTPS communications are trusted ("installs a new root certificate by overriding data in the following registry key using 'CertGetCertificateChain'").
- [T1547.001] Registry Run Keys / Startup Folder: the sample establishes persistence via registry autorun entries (the source article describes this behaviour in its persistence section).
- [T1036] Masquerading: the malware renames legitimate programs and uses a screensaver filename to disguise components ("masquerades by renaming legitimate programs... and uses a screensaver executable for initial infection").
- [T1574.002] DLL Side-Loading: the trojan loads a malicious DLL alongside a signed binary ("sideloads a malicious DLL (KeyScramblerIE.dll) using a signed binary").
- [T1082] System Information Discovery: collects the hardware UUID via WMIC ("SELECT UUID FROM Win32_ComputerSystemProduct") and reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion for the Windows version; the UUID is a machine identifier, not a credential, so T1003 OS Credential Dumping does not apply.
- [T1016] System Network Configuration Discovery: queries the TCP/IP Parameters registry key for the hostname and ip-api.com/json for the host's public IP.
- [T1071.001] Application Layer Protocol: Web Protocols: communicates with its C2 over HTTPS with a fixed custom User-Agent ("communicates with its C2 server over HTTPS"; User-Agent "AGCYRNRWWWFZZSWWFWDYDCVDN").
- [T1583.001] Acquire Infrastructure: Domains: the C2 runs on an attacker-registered domain (daily-mashriq[.]org) rather than a legitimate third-party web service, so T1102 Web Service does not fit.
- [T1041] Exfiltration Over C2 Channel: encoded system information is POSTed to the C2 server ("encoded information sent to the C2").
- [T1573.001] Encrypted Channel: Symmetric Cryptography: payloads are ChaCha20-encrypted before transmission over HTTPS ("information encoded with chacha20 and sent using User-Agent ..."); the former T1022 Data Encrypted ID has been retired from ATT&CK.
Indicators of Compromise
- [File Hash] Sample binary (SHA-256): 8f4cf379ee2bef6b60fec792d36895dce3929bf26d0533fbb1fdb41988df7301
- [Domain/URL] C2 endpoint: https://daily-mashriq[.]org/goyxdrkhjilchyigflztv
- [Web API] Geo/IP lookup: http://ip-api.com/json/ (used to retrieve the public IP)
- [Registry Key] Certificate installation target: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 (subkey name is the certificate's SHA-1 thumbprint)
- [Network Artifact] User-Agent used for C2 posts: "AGCYRNRWWWFZZSWWFWDYDCVDN"
- [Ports] Listening port ranges observed: 49708-49711, 49720-49730, 49733-49750
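A host-side check for the certificate named in the registry IoC above, added here as an example (it is not code from the SonicWall write-up or from the sample). It walks the registry-backed machine Root store, parses each entry's "Blob" value, computes the certificate's SHA-1 thumbprint and compares it both with the IoC thumbprint and with the subkey name. The Blob layout used here (a run of records of property id, a reserved field equal to 1, a length and the data, with property id 32 holding the DER certificate) is assumed from the Windows certificate-store serialization, not taken from the article; the demo blob is constructed.

```python
"""Check the LocalMachine Root store for the rogue root certificate.

Windows backs the machine Root store with the registry key named in the IoC
list: HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>,
one subkey per certificate with a REG_BINARY "Blob" value.  The Blob is a run
of property records, each [propid u32][reserved u32 == 1][length u32][data];
record 32 (CERT_CERT_PROP_ID) holds the DER certificate (layout assumed from
the cert-store serialization format, not from the article).
"""
from __future__ import annotations

import hashlib
import struct
import sys

CERT_CERT_PROP_ID = 32
ROOT_STORE_KEY = r"SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
# Thumbprint taken from the registry key in the IoC list.
IOC_THUMBPRINTS = {"3F728A35DE52B2C8994A4FB101A03B95E87B06C8"}


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a serialized-certificate Blob into {property_id: data}."""
    props: dict[int, bytes] = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def thumbprint_from_blob(blob: bytes) -> str:
    """Upper-case hex SHA-1 of the DER certificate inside a Blob."""
    der = parse_cert_blob(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("Blob carries no CERT_CERT_PROP_ID (32) record")
    return hashlib.sha1(der).hexdigest().upper()


def flag_entry(key_name: str, blob: bytes, iocs=IOC_THUMBPRINTS) -> list[str]:
    """Findings for one Root-store entry.

    Besides the IoC match, compare the computed thumbprint with the subkey
    name: Windows names the key after the thumbprint, so a mismatch means the
    entry was written to the registry directly rather than via the cert store.
    """
    findings = []
    tp = thumbprint_from_blob(blob)
    if tp in iocs:
        findings.append(f"{key_name}: certificate thumbprint {tp} matches IoC")
    if tp != key_name.upper():
        findings.append(f"{key_name}: subkey name differs from thumbprint {tp}")
    return findings


def scan_root_store(iocs=IOC_THUMBPRINTS) -> list[str]:
    """Windows only: walk every entry of the machine Root store in the registry."""
    import winreg  # standard library, Windows only

    findings = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ROOT_STORE_KEY) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, name) as entry:
                blob, _ = winreg.QueryValueEx(entry, "Blob")
            findings.extend(flag_entry(name, blob, iocs))
    return findings


def build_blob(der: bytes, extra_props: dict[int, bytes] | None = None) -> bytes:
    """Serialize a Blob (inverse of parse_cert_blob) for constructed test data."""
    records = dict(extra_props or {})
    records[CERT_CERT_PROP_ID] = der
    out = b""
    for prop_id, data in records.items():
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return out


if __name__ == "__main__":
    if sys.platform == "win32":
        for finding in scan_root_store():
            print(finding)
    else:
        # Offline demo: "not-a-real-cert" stands in for a DER certificate.
        demo = build_blob(b"not-a-real-cert", {3: b"\x00" * 20})
        print(flag_entry("0000000000000000000000000000000000000000", demo))
```

Run it as an administrator on the suspect host; the name-versus-thumbprint comparison is worth keeping even after this campaign, because it surfaces any Root-store entry that was dropped into the registry by hand rather than through the certificate APIs.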
The analyzed sample is a Go-compiled 64-bit Windows executable signed with a WinAuth certificate and carrying a deliberately tampered timestamp. It contains an unexpected .symtab section, a section name typical of ELF files, so the Go pclntab had to be reconstructed to recover function names and strings; the recovered strings reveal a patterned payload that assembles system identifiers (UUID, username, hostname, Windows version, PID, process name, architecture) for exfiltration.
At runtime the trojan allocates memory with VirtualAlloc for process injection and invokes WMIC (e.g., "SELECT UUID FROM Win32_ComputerSystemProduct") to collect system data, searching common paths for WMIC and related binaries. It uses public Go libraries (kbinani to capture screenshots and fogleman to save them) and registers hooks (SetWindowsHookExW, TrackMouseEvent) to monitor user input and trigger screenshot capture; it also probes and attempts to load many Windows DLLs, likely to expand its post-compromise capabilities.
Network activity begins with a request to ip-api.com/json to learn the host's public IP, followed by a ping and POST to the C2 at daily-mashriq[.]org/goyxdrkhjilchyigflztv. The first POSTs carry the patterned system data encrypted with ChaCha20 under a distinctive User-Agent; afterwards the implant sends only its UID every seven seconds. To have its HTTPS traffic trusted (the comms evasion of the title), the malware overwrites a certificate entry in the machine Root store under HKLM SystemCertificates\ROOT (via CertGetCertificateChain), installing a new root certificate; it also binds multiple local ports for listening, presumably for additional communication or utilities.
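A network-side hunt for the C2 pattern described above, added here as an example and not taken from the article: it scans proxy log lines for the fixed User-Agent and the C2 URL, pairs an ip-api.com lookup with the first C2 contact that follows it, and flags sources POSTing to the C2 host at a steady cadence near the reported seven seconds. The log lines and their single-line format are constructed for the example; adapt LINE_RE to your proxy's actual format.

```python
"""Proxy-log hunt for the C2 pattern: fixed User-Agent, C2 URL, the ip-api.com
lookup that precedes first contact, and the steady ~7-second UID beacon.

Lines follow a simplified constructed format
  <ISO timestamp> <src ip> <method> <url> <status> "<user-agent>"
Adapt LINE_RE to the real proxy format before use.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

C2_HOST = "daily-mashriq.org"
C2_PATH = "/goyxdrkhjilchyigflztv"
C2_USER_AGENT = "AGCYRNRWWWFZZSWWFWDYDCVDN"
IP_LOOKUP_HOST = "ip-api.com"
BEACON_PERIOD_S = 7.0

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log, not from the article: 10.0.0.5 does the ip-api
# lookup, posts to the C2, then beacons every 7 s; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2024-03-05T10:00:00 10.0.0.5 GET http://ip-api.com/json/ 200 "Go-http-client/1.1"
2024-03-05T10:00:01 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN"
2024-03-05T10:00:02 10.0.0.9 GET https://www.example.com/ 200 "Mozilla/5.0"
2024-03-05T10:00:08 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN"
2024-03-05T10:00:15 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN"
2024-03-05T10:00:22 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN"
2024-03-05T10:00:29 10.0.0.5 POST https://daily-mashriq.org/goyxdrkhjilchyigflztv 200 "AGCYRNRWWWFZZSWWFWDYDCVDN"
"""


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed = urlparse(e["url"])
        e["host"], e["path"] = parsed.hostname, parsed.path
        events.append(e)
    return events


def ioc_hits(events) -> list[tuple[str, str]]:
    """(src, reason) for every request that matches a static IoC."""
    hits = []
    for e in events:
        if e["ua"] == C2_USER_AGENT:
            hits.append((e["src"], "C2 User-Agent"))
        elif e["host"] == C2_HOST and e["path"] == C2_PATH:
            hits.append((e["src"], "C2 URL"))
    return hits


def beacon_sources(events, period=BEACON_PERIOD_S, tolerance=1.0,
                   min_gaps=3) -> dict[str, float]:
    """Sources POSTing to the C2 host at a steady cadence near `period` seconds.

    A mean gap near the period and a small spread (population stdev) pick out
    the UID beacon the article reports every 7 seconds; the tolerance absorbs
    network and logging delay.
    """
    by_src: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["host"] == C2_HOST:
            by_src[e["src"]].append(e["ts"])
    beaconing = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue
        mean, spread = statistics.mean(gaps), statistics.pstdev(gaps)
        if abs(mean - period) <= tolerance and spread <= tolerance:
            beaconing[src] = round(mean, 2)
    return beaconing


def lookup_then_c2(events, window_s=60) -> list[str]:
    """Sources whose first C2 contact follows an ip-api.com lookup within window_s."""
    first_lookup, first_c2 = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["host"] == IP_LOOKUP_HOST:
            first_lookup.setdefault(e["src"], e["ts"])
        elif e["host"] == C2_HOST:
            first_c2.setdefault(e["src"], e["ts"])
    return sorted(
        src for src, t in first_c2.items()
        if src in first_lookup
        and 0 <= (t - first_lookup[src]).total_seconds() <= window_s
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("IoC hits:", ioc_hits(evts))
    print("beaconing:", beacon_sources(evts))
    print("lookup then C2:", lookup_then_c2(evts))
```

The User-Agent and URL path are only visible where TLS is terminated (an inspecting proxy or host-level telemetry); the domain and the fixed cadence also show up in DNS and flow logs, so the beacon check is the part worth porting to those sources. The lookup-then-C2 pairing is the least IoC-dependent of the three and survives a change of domain or User-Agent.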
Read more: https://blog.sonicwall.com/en-us/2024/03/new-golang-trojan-installs-certificate-for-comms-evasion/