New Golang Trojan Installs Certificate for Comms Evasion


This week, the Sonicwall Capture Labs threat research team analyzed a new Golang malware sample.

It uses multiple geographic checks and publicly available packages to take a screenshot of the system, then installs a root certificate into the Windows registry so that its HTTPS communications with the C2 are trusted. No malware family has been affiliated with it so far, but the IP and URL addresses have previously been used by AgentTesla, GuLoader, PureLog Stealer and others.

Technical Analysis

The sample is detected as a Golang 64-bit executable carrying a WinAuth certificate. The timestamp has been tampered with: it shows a creation date of December 31, 1969, which is the Unix epoch (timestamp zero) rendered in a US time zone.
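As an added example that is not part of the SonicWall write-up, the PowerShell check below is the kind of triage a defender can run after reading this: it enumerates the machine and user Root stores, reports any certificate whose thumbprint is not on a known-good baseline, and shows the registry key each one lives under. The baseline thumbprint list and the 30-day "recently valid" window are assumptions to be replaced with values from a clean reference host.

```powershell
# Constructed placeholder: replace with thumbprints exported from a known-good host.
$BaselineThumbprints = @('PLACEHOLDER_THUMBPRINT_FROM_CLEAN_HOST')

# Root stores are persisted under these registry hives; a certificate added to the
# CurrentUser Root store does not require administrative rights.
$RootStoreRegistry = @{
    'Cert:\LocalMachine\Root' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Cert:\CurrentUser\Root'  = 'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates'
}

function Get-UnexpectedRootCerts {
    param(
        [string[]]$KnownThumbprints = $BaselineThumbprints,
        [int]$RecentDays = 30   # assumed window for flagging newly valid roots
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($store in $RootStoreRegistry.Keys) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            if ($KnownThumbprints -contains $cert.Thumbprint) { return }
            $regKey = Join-Path $RootStoreRegistry[$store] $cert.Thumbprint
            [pscustomobject]@{
                Store        = $store
                Thumbprint   = $cert.Thumbprint
                Subject      = $cert.Subject
                SelfSigned   = ($cert.Subject -eq $cert.Issuer)
                NotBefore    = $cert.NotBefore
                RecentlyValid = ($cert.NotBefore -gt $cutoff)
                RegistryKey  = $regKey
                KeyPresent   = (Test-Path -Path $regKey)
            }
        }
    }
}

# Self-signed roots that became valid recently and are absent from the baseline
# are the ones to look at first when hunting for an injected trust anchor.
Get-UnexpectedRootCerts |
    Sort-Object -Property RecentlyValid, SelfSigned -Descending |
    Format-Table -AutoSize
```

Export a baseline with `Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root | Select-Object -ExpandProperty Thumbprint` on a clean host and paste those values into `$BaselineThumbprints` before running it elsewhere.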

Source: Sonicwall