Connect with us

Hi, what are you looking for?


TellYouThePass ransomware returns as a cross-platform Golang threat


codingTellYouThePass ransomware returns in Golang form

TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target more operating systems, macOS and Linux, in particular.

The return of this malware strain was noticed last month, when threat actors used it in conjunction with the Log4Shell exploit to target vulnerable machines.

Now, a report from Crowdstrike sheds more light on this return, focusing on code-level changes that make it easier to compile for other platforms than Windows.

Why Golang?

Golang is a programming language first adopted by malware authors in 2019 due to its cross-platform versatility.

Furthermore, Golang allows lining dependency libraries into a single binary file, which leads to a smaller footprint of command and control (C2) server communications, thus reducing detection rates.

It is also easier to learn than other programming languages, e.g. Python, and features modern debugging and plugin tools that simplify the programming process.

A notable example of a successful malware written in Golang is the Glupteba botnet, which was disrupted last month by Google’s security specialists.

Advertisement. Scroll to continue reading.

New TellYouThePass samples

Crowdstrike analysts report a code similarity of 85% between the Linux and Windows samples of TellYouThePass, showcasing the minimal adjustments needed to make the ransomware run on different operating systems.

Functions on the Windows and Linux samples
Functions on the Windows and Linux samples
Source: Crowdstrike

One noteworthy change in the latest samples of the ransomware is the randomization of the names of all functions apart from the ‘main’ one, which attempts to thwart analysis.

Prior to initiating the encryption routine, TellYouThePass kills tasks and services that could risk the process or result in incomplete encryption, like email clients, database apps, web servers, and document editors.

Moreover, some directories are excluded from encryption to prevent rendering the system non-bootable and thus waste any chance to get paid.

List of directories excluded from encryption
Directories excluded from encryption
Source: Crowdstrike

The ransom note dropped in the recent TellYouThePass infections asks for 0.05 Bitcoin, currently converting to about $2,150, in exchange for the decryption tool.

Ransom note dropped in recent attacks
Ransom note dropped in recent attacks
Source: Crowdstrike

The encryption scheme uses the RSA-2014 and AES-256 algorithms, and there is no free decryptor available.

For the time being, macOS samples have not been spotted.

Source link

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


You May Also Like


Introductions get a lot of attention. I’ve explored the topic of how to write them even though as a reader, I always skip them....

Online Business Success

The internet is now our nervous system. We are constantly streaming and buying and watching and liking, our brains locked into the global information...

SEO Guide

There are all kinds of pictures of the world on the internet, but to find one of these specific pictures that you want to...

Online Business Success

You can think of link building in many ways. I like to call it tedious, painful, and a test of patience. It’s also necessary...