Designed in 2007 and introduced in late 2009, the Go programming language developed by Google has been gaining momentum the past three years. It is now being used to develop malware. Recently seen in the wild, Trojan.Encriyoko is a new threat associated with components which are written in Go. The Trojan attempts to encrypt various file formats on compromised computers, rendering the encrypted files unusable.

The original sample we acquired, a file named GalaxyNxRoot.exe, is actually a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it.



Figure 1. GalaxyNxRoot.exe properties



Once executed, the GalaxyNxRoot.exe file drops and launches two executable files, both written in Go:

%Temp%PPSAP.exe

%Temp%adbtool.exe

The dropped PPSAP.exe file is an information-stealing Trojan. It collects system information such as current running processes, user name, MAC address, etc., and posts it to the following remote location:

[http://]golang.iwebs.ws/about/step1.php

The dropped adbtool.exe file downloads an encrypted file from the following remote location:

[http://]sourceslang.iwebs.ws/downs/zdx.tgz

This file is decrypted as a Dynamic-link library (DLL) file and then loaded. It attempts to encrypt various file formats on the compromised computer. The targeted file formats include:

Source code files (.c, .cpp, .cs, .php, .java, .pas, .vb, .frm, .bas, .go, .asp, .aspx, .jsp, .pl, .py, .rb)

Image files (.jpg, .png, .psd)

Audio files (.wav, .wma, .amr, .awb)

Archive files (.rar, .zip, .iso, .gz, .7z)

Document files (file extensions containing the following strings: doc, xls, ppt, mdb, pdf)

Other types of files (file extensions containing the following strings: dw, dx, sh, pic, 111, win, wvw, drw, grp, rpl, mce, mcg, pag)



Figure 2. Targeted file formats



The file paths are confirmed by the Trojan in order to avoid encrypting files under certain paths, such as %Windir%, %ProgramFiles%, %UserProfile%\Local Settings, and others.

The encryption uses the Blowfish algorithm. It either reads the encryption key from D:

epia.dud or randomly generates one. The names of all of the encrypted files are then saved to the following location:

%Temp%\vxsur.bin

Restoration of the encrypted files will be difficult, if not impossible.

Symantec detects all these files: GalaxyNxRoot.exe as Trojan.Dropper, PPSAP.exe as Infostealer, adbtool.exe as Downloader, and zdx.dll as Trojan.Encriyoko.