Demystify golang malware – how to recognize Bishop Fox’s Sliver

In this blog post we’ll look at how to do a quick analysis of a golang binary. You can download the sample from here (thanks to Any.Run). I’ll only use two tools today (Far Manager and Hiew), but you can use any file viewer/editor you want (Notepad works too).

First, let’s have a look at the PE header of a golang windows executable. From the start we can tell it’s a golang binary. The “Go build ID” (embedded into the compiled binary by the go build tool) is pretty obvious.

Let’s look now at the PE sections.

An interesting one is the .data section. Here I’ve used Hiew to locate the start offset and view the content.

This section is interesting because it contains build information, which sometimes can give us a hint of what we’re dealing with.

The highlighted part tells us that we’re dealing with Sliver.

For a definitive answer, let’s see if we can analyze the other sections. The only problem is that they look something like this:

The first hint is the ZLIB string at the beginning of the section. If we look at the bytes that follow, we’ll stumble upon the value 78 01 (in other files this may differ). A zlib stream starting with 78 01 indicates that the data is compressed with the deflate method, a 32K window size and the fastest compression level. If you want to know more about zlib, here is the RFC.

What we need to do now is to strip everything from the beginning of the file up to (but not including) the 78 01 header. Once we have that, we just need to run this python script to extract the compressed data. If you want to inspect all the compressed sections, you need to repeat the steps outlined above for every compressed stream.
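As an added example (not the script from the original post), here is a small Python helper that does the header hunting and decompression in one pass, and goes a bit beyond the manual procedure: instead of truncating the file by hand once, it scans a section dump for every valid zlib header (78 01, 78 9C, 78 DA and the other CMF/FLG pairs the RFC allows), inflates each complete stream and skips past it, so you get all the compressed streams of a section at once. The section bytes at the bottom are a constructed sample, not data from the real binary.

```python
import zlib


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: CM must be 8 (deflate), CINFO <= 7 (window <= 32K),
    and CMF*256 + FLG must be a multiple of 31 (the FCHECK rule)."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0


def find_zlib_streams(data: bytes):
    """Return a list of (offset, inflated_bytes) for every complete zlib
    stream found in `data`. A candidate header that does not inflate to a
    stream with a valid Adler-32 trailer is treated as a false positive."""
    results = []
    i = 0
    while i < len(data) - 1:
        if is_zlib_header(data[i], data[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
            except zlib.error:  # random bytes that merely looked like a header
                out, d = None, None
            if d is not None and d.eof:
                results.append((i, out))
                i = len(data) - len(d.unused_data)  # jump past the stream's end
                continue
        i += 1
    return results


# Constructed sample mimicking a section: a "ZLIB" marker, some padding,
# then two zlib streams (level 1 yields the 78 01 header seen in the post,
# level 9 yields 78 DA).
CONSTRUCTED_SECTION = (
    b"ZLIB\x00\x00\x00\x10"
    + zlib.compress(b"sliver implant config (constructed sample)", 1)
    + b"\x00" * 4
    + zlib.compress(b"second stream", 9)
)

if __name__ == "__main__":
    for offset, blob in find_zlib_streams(CONSTRUCTED_SECTION):
        print(f"stream at 0x{offset:x}: {len(blob)} bytes -> {blob[:40]!r}")
```

For a real sample, read the section dump with `open(path, "rb").read()` and pass it to `find_zlib_streams`; the offsets it reports are relative to the start of that dump.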

Once we’re able to inspect the “real” data, we can say for sure that we’re dealing with Sliver.