Symantec recently reported malware written in Go. It was found in an Android rooting tool named GalaxyNxRoot.exe, which contains two files written in Go: PPSAP.exe and adbtool.exe.

[Figure: GalaxyNxRoot.exe properties]

Once executed, the GalaxyNxRoot.exe file drops and launches two executable files, both written in Go:

The dropped PPSAP.exe file is an information-stealing Trojan. It collects system information such as current running processes, user name, MAC address, etc., and posts it to the following remote location:

The dropped adbtool.exe file downloads an encrypted file from the following remote location:

This file is decrypted as a Dynamic-link library (DLL) file and then loaded. It attempts to encrypt various file formats on the compromised computer. The targeted file formats include:

Source code files (.c, .cpp, .cs, .php, .java, .pas, .vb, .frm, .bas, .go, .asp, .aspx, .jsp, .pl, .py, .rb)
Image files (.jpg, .png, .psd)
Audio files (.wav, .wma, .amr, .awb)
Archive files (.rar, .zip, .iso, .gz, .7z)
Document files (file extensions containing the following strings: doc, xls, ppt, mdb, pdf)
Other types of files (file extensions containing the following strings: dw, dx, sh, pic, 111, win, wvw, drw, grp, rpl, mce, mcg, pag)
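
The list above mixes two matching rules: exact extensions for the first four categories, and substring matches ("extensions containing") for the last two, which widens the scope to extensions such as .docx or .dwg. The following added example (not code from the report or from the malware) applies both rules to a file listing so a responder can estimate which files fall within the targeted set. The function names, the case-insensitive comparison and the use of only the last suffix are assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Exact-match extensions per category, as listed in the report.
EXACT = {
    "source": {"c", "cpp", "cs", "php", "java", "pas", "vb", "frm", "bas",
               "go", "asp", "aspx", "jsp", "pl", "py", "rb"},
    "image": {"jpg", "png", "psd"},
    "audio": {"wav", "wma", "amr", "awb"},
    "archive": {"rar", "zip", "iso", "gz", "7z"},
}
# Categories the report describes as "extensions containing" a string.
CONTAINS = {
    "document": ("doc", "xls", "ppt", "mdb", "pdf"),
    "other": ("dw", "dx", "sh", "pic", "111", "win", "wvw", "drw", "grp",
              "rpl", "mce", "mcg", "pag"),
}

def classify(path):
    """Return the targeted category for a path, or None if not in scope."""
    # Assumption: only the last suffix counts and case is ignored.
    ext = PureWindowsPath(path).suffix.lower().lstrip(".")
    if not ext:
        return None
    for category, exts in EXACT.items():
        if ext in exts:
            return category
    for category, needles in CONTAINS.items():
        if any(needle in ext for needle in needles):
            return category
    return None

def exposure(paths):
    """Count files per targeted category in a file listing."""
    return Counter(c for c in map(classify, paths) if c is not None)

# Constructed sample listing (not taken from the report).
SAMPLE = [
    r"C:\Users\a\Documents\budget.xlsx",  # contains "xls"
    r"C:\Users\a\Documents\plan.DOCX",    # contains "doc", upper case
    r"C:\proj\main.go",                   # exact match
    r"C:\proj\drawing.dwg",               # contains "dw"
    r"C:\proj\page.shtml",                # contains "sh"
    r"C:\proj\backup.tar.gz",             # last suffix is "gz"
    r"C:\proj\notes.txt",                 # not targeted
    r"C:\proj\README",                    # no extension
]

if __name__ == "__main__":
    for category, count in sorted(exposure(SAMPLE).items()):
        print(f"{category}: {count}")
```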