TellYouThePass ransomware returns as Golang’s multiplatform threat


TellYouThePass ransomware has reappeared as malware compiled by Golang, making it easier to target more operating systems, macOS and Linux in particular.

The return of this malware strain was noticed last month, when threat actors used it in conjunction with the Log4Shell exploit to target vulnerable machines.

Now, a report from CrowdStrike sheds more light on this return, focusing on the code-level changes that make the ransomware easier to build for platforms other than Windows.

Why Golang?

Golang is a programming language first adopted by malware authors in 2019 due to its cross-platform versatility.

In addition, Golang bundles dependency libraries into a single binary file, which reduces the communication chatter with the command and control (C2) server and thereby lowers detection rates.

It’s also easier to learn than other programming languages, such as Python, and it features modern debugging and plug-in tooling that simplifies development.

The Glupteba botnet, which was halted last month by security specialists at Google, is a notable example of successful malware written in Golang.

New TellYouThePass samples

CrowdStrike analysts report 85% code similarity between the Linux and Windows TellYouThePass samples, showing that only minimal adjustments were needed for the ransomware to run on different operating systems.

Figure: Functions in the Windows and Linux samples (Source: Crowd)

One notable change in the latest ransomware samples is that the names of all functions except the main one are randomized, in an attempt to hinder scanning and detection.
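As an added illustration of how a defender might turn that observation into a triage signal (example code written for this article, not CrowdStrike's tooling or anything from the samples), the snippet below scores the function symbols of a Go binary's main package and counts how many look machine-generated rather than human-named. The symbol list is a constructed sample, and the scoring thresholds are this example's own assumptions, not a published rule.

```go
package main

import "math"
import "strings"

// Constructed sample of function symbols, as a Go binary's pclntab lists them
// (e.g. via debug/gosym); made-up names, not strings from any real sample.
var sampleSymbols = []string{
	"main.main", "main.qWx9zKpL2vT8", "main.Hb3nRt7YcUa0", "main.Zk2pVm8QsD5e",
	"main.encryptFile", "main.killServices", "runtime.mallocgc", "crypto/aes.NewCipher",
}

// shannonEntropy returns the bits-per-byte entropy of an ASCII identifier.
func shannonEntropy(s string) float64 {
	counts, h := map[rune]int{}, 0.0
	for _, r := range s {
		counts[r]++
	}
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// looksRandomized is this example's triage heuristic (an assumption, not a published
// rule): mixed case plus digits, high entropy and few vowels, unlike camelCase words.
func looksRandomized(name string) bool {
	vowels := 0
	for _, v := range "aeiouAEIOU" {
		vowels += strings.Count(name, string(v))
	}
	return len(name) >= 8 && strings.ContainsAny(name, "0123456789") &&
		strings.ToUpper(name) != name && strings.ToLower(name) != name &&
		shannonEntropy(name) > 3.0 && float64(vowels)/float64(len(name)) < 0.25
}

// RandomizedCount returns how many main-package functions the symbol list has
// (main.main excluded, matching the report) and how many of them look randomized.
func RandomizedCount(syms []string) (flagged, total int) {
	for _, s := range syms {
		if strings.HasPrefix(s, "main.") && s != "main.main" {
			total++
			if looksRandomized(strings.TrimPrefix(s, "main.")) {
				flagged++
			}
		}
	}
	return
}
```

On the constructed sample this flags 3 of the 5 user functions; on a real binary the symbol names would come from debug/gosym, and a high ratio is a reason to look closer, not a verdict on its own.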

Before starting the encryption routine, TellYouThePass kills tasks and services that could compromise the process or result in incomplete encryption, such as email clients, database applications, web servers, and document editors.

In addition, some directories are excluded from encryption to avoid making the system unbootable and thus losing any chance of getting paid.

Figure: List of directories excluded from encryption (Source: Crowd)

The ransom note dropped during recent TellYouThePass infections demands 0.05 Bitcoin, currently worth around $2,150, in exchange for the decryption tool.

Figure: Ransom note dropped in recent attacks (Source: Crowd)

The encryption scheme uses the RSA-2014 and AES-256 algorithms, and there is no free decryptor available.

At this time, no macOS samples have been spotted.
