Threat Advisory

Golang Loader Appends Massive PE Overlay to Evade Detection

Threat: Malware
Targeted Region: Brazil, India, Argentina, Mexico, Turkey, and Spain
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Not every threat that matters is technically sophisticated, and GoFlateLoader is a case in point: a rather simple loader written in Go whose sole purpose is to decode and execute its payload in memory. It comes without anti-debugging, anti-VM, or sandbox-evasion checks, and lacks API hashing or CFG obfuscation. Instead, GoFlateLoader relies on one of the simplest yet still effective tricks to stay under the radar: it appends a massive PE overlay at the end of the file, deliberately inflating the binary's size.

The loader's execution flow is short and linear:

1. Copy the encoded payload blob from the .rdata section onto the stack.
2. Decode the payload into a valid PE using a small, multi-stage, custom byte-level transformation.
3. Parse the PE headers of the decoded payload.
4. Allocate an RWX memory region with VirtualAlloc (MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE).
5. Map the decoded payload into that region: copy the PE headers first, then walk the section table and write each section to its target virtual address.
6. Apply base relocations only if mapping at the preferred image base fails.
7. Resolve imports by walking the standard IMAGE_IMPORT_DESCRIPTOR table and rebuilding the IAT in place via LoadLibrary and GetProcAddress.
8. Transfer execution to the mapped payload using Go's syscall.Syscall.

GoFlateLoader remains an active and relevant threat, used to deliver a wide range of prevalent information stealers.
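The following Python script is an added illustration written for this advisory; it is not code from the advisory or from the Gen Digital report it references. It covers the two technical points above from an analyst's side: it measures the overlay (bytes appended past the last section) to triage size-inflated PE files, and it rebuilds the on-disk-to-virtual layout that the mapping steps walk (headers first, then each section at its VirtualAddress), which is what a manual-mapping loader parses and what a static dump tool reconstructs. The minimal PE32+ sample, the .rdata blob marker and the detection thresholds are constructed assumptions; thresholds should be tuned against a baseline of legitimate software in your environment.

```python
import struct

# Offsets and record layouts from the PE/COFF specification.
DOS_E_LFANEW_OFF = 0x3C
FILE_HEADER_FMT = "<HHIIIHH"       # IMAGE_FILE_HEADER (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER (40 bytes)
OPT_SIZE_OF_IMAGE_OFF = 56         # SizeOfImage inside the optional header
OPT_SIZE_OF_HEADERS_OFF = 60       # SizeOfHeaders inside the optional header

# Constructed marker standing in for the encoded payload blob kept in .rdata.
SAMPLE_BLOB = b"CONSTRUCTED-ENCODED-PAYLOAD-BLOB"


def parse_pe(data: bytes) -> dict:
    """Parse the DOS/NT headers and the section table (pure parsing, no execution)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW_OFF)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + struct.calcsize(FILE_HEADER_FMT)
    size_of_image = struct.unpack_from("<I", data, opt_off + OPT_SIZE_OF_IMAGE_OFF)[0]
    size_of_headers = struct.unpack_from("<I", data, opt_off + OPT_SIZE_OF_HEADERS_OFF)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_off, *_ = struct.unpack_from(
            SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_off": raw_off, "raw_size": raw_size})
    return {"size_of_headers": size_of_headers, "size_of_image": size_of_image,
            "sections": sections}


def section_raw(data: bytes, name: str) -> bytes:
    """Raw on-disk bytes of a named section (e.g. the .rdata blob the loader copies)."""
    for s in parse_pe(data)["sections"]:
        if s["name"] == name:
            return data[s["raw_off"]:s["raw_off"] + s["raw_size"]]
    raise KeyError(name)


def overlay_info(data: bytes) -> dict:
    """Bytes past the end of the last section: the overlay a loader can inflate."""
    pe = parse_pe(data)
    end_of_image = max([pe["size_of_headers"]] +
                       [s["raw_off"] + s["raw_size"] for s in pe["sections"]])
    overlay = max(0, len(data) - end_of_image)
    return {"end_of_image": end_of_image, "overlay_size": overlay,
            "overlay_ratio": overlay / len(data)}


def is_inflated(data: bytes, min_overlay: int = 32 * 1024 * 1024, min_ratio: float = 0.9) -> bool:
    """Triage rule: flag files whose overlay is both large and most of the file.
    The default thresholds are assumptions; tune them against your own baseline."""
    info = overlay_info(data)
    return info["overlay_size"] >= min_overlay and info["overlay_ratio"] >= min_ratio


def map_image(data: bytes) -> bytearray:
    """Rebuild the in-memory layout for static analysis: headers first, then each
    section copied to its VirtualAddress (the same walk a manual mapper performs)."""
    pe = parse_pe(data)
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for s in pe["sections"]:
        raw = data[s["raw_off"]:s["raw_off"] + s["raw_size"]]
        n = min(len(raw), s["vsize"] if s["vsize"] else len(raw))
        image[s["va"]:s["va"] + n] = raw[:n]
    return image


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32+ (two sections, no imports) used as sample input."""
    size_of_headers, opt_size = 0x200, 240
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFF, 64)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x8664, 2, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE_OFF, 0x3000)
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS_OFF, size_of_headers)
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack(SECTION_FMT, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + rdata).ljust(size_of_headers, b"\0")
    text_body = b"\xC3".ljust(0x200, b"\xCC")   # ret, padded with int3
    rdata_body = SAMPLE_BLOB.ljust(0x200, b"\0")
    return headers + text_body + rdata_body + overlay


if __name__ == "__main__":
    sample = build_sample_pe(overlay=b"\0" * 4096)
    print(overlay_info(sample), is_inflated(sample, min_overlay=1024, min_ratio=0.5))
```

In practice the overlay ratio alone is a weak signal (installers and signed packers legitimately carry large overlays), so pair it with the absence of a valid Authenticode signature and with the section-level view from map_image, where a small .text next to a large .rdata blob is the pattern this loader presents.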

THREAT PROFILE:

Tactic            | Technique ID | Technique                         | Sub-technique
Initial Access    | T1195.002    | Supply Chain Compromise           | Compromise Software Supply Chain
Initial Access    | T1566.002    | Phishing                          | Spearphishing Link
Execution         | T1059.001    | Command and Scripting Interpreter | PowerShell
Execution         | T1059.006    | Command and Scripting Interpreter | Python
Persistence       | T1547.001    | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder
Defense Evasion   | T1027.002    | Obfuscated Files or Information   | Software Packing
Credential Access | T1555.003    | Credentials from Password Stores  | Credentials from Web Browsers
Collection        | T1005        | Data from Local System            | -
Exfiltration      | T1041        | Exfiltration Over C2 Channel      | -

MBC MAPPING:

Objective            | Behavior ID | Behavior
Defense Evasion      | B0029       | Polymorphic Code
Anti-Static Analysis | E1027       | Obfuscated Files or Information
Command & Control    | B0030       | C2 Communication
Execution            | E1204       | User Execution
Command & Control    | E1105       | Ingress Tool Transfer
Discovery            | E1083       | File and Directory Discovery

REFERENCES:

The following reports contain further technical details:
https://www.gendigital.com/blog/insights/research/goflateloader-delivers-multiple-infostealers
