Wednesday, June 19, 2024

TellYouThePass ransomware returns as a cross-platform Golang threat

TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target more operating systems, macOS and Linux, in particular.

The return of this malware strain was noticed last month when threat actors used it in conjunction with the Log4Shell exploit to target vulnerable machines.

Now, a report from Crowdstrike sheds more light on this return, focusing on code-level changes that make it easier to compile for other platforms than Windows.

Why Golang?

Golang is a programming language first adopted by malware authors in 2019 due to its cross-platform versatility. 

Furthermore, Golang allows lining dependency libraries into a single binary file, which leads to a smaller footprint of command and control (C2) server communications, thus reducing detection rates.

It is also easier to learn than other programming languages, e.g. Python, and features modern debugging and plugin tools that simplify the programming process.

A notable example of a successful malware written in Golang is the Glupteba botnet, which was disrupted last month by Google’s security specialists.

New TellYouThePass samples

Crowdstrike analysts report a code similarity of 85% between the Linux and Windows samples of TellYouThePass, showcasing the minimal adjustments needed to make the ransomware run on different operating systems.

Functions on the Windows and Linux samples
Source: Crowdstrike

One noteworthy change in the latest samples of the ransomware is the randomization of the names of all functions apart from the ‘main’ one, which attempts to thwart analysis.

Prior to initiating the encryption routine, TellYouThePass kills tasks and services that could risk the process or result in incomplete encryption, like email clients, database apps, web servers, and document editors.

Moreover, some directories are excluded from encryption to prevent rendering the system non-bootable and thus waste any chance to get paid.

Recommended:  UK bans Chinese CCTV cameras at 'sensitive' government locations

The ransom note dropped in the recent TellYouThePass infections asks for 0.05 Bitcoin, currently converting to about $2,150, in exchange for the decryption tool.

TellYouThePass ransom note
Ransom note dropped in recent attacks
Source: Crowdstrike

The encryption scheme uses the RSA-2014 and AES-256 algorithms, and there is no free decryptor available.

For the time being, macOS samples have not been spotted.

Return to Cybersecurity News

Return to home page

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates