GoStringUngarbler specifically targets binaries obfuscated with garble, an increasingly prevalent obfuscating compiler that has complicated malware analysis through sophisticated literal transformations and control-flow manipulation. The garble compiler manipulates the Abstract Syntax Tree (AST) through Go’s go/ast library to transform source code during compilation while preserving program semantics.

garble applies several literal transformations to strings. Simple transformation: byte-by-byte encoding using a randomly chosen mathematical operator and a randomly generated key of the same length as the input string. Swap transformation: byte-pair swapping combined with position-dependent encoding, which shuffles and encrypts byte pairs using locally generated keys. A further transformation fragments strings into randomly sized chunks that are processed through a state machine built from switch statements. Another implements chained encryption, where each byte’s decryption depends on the previous operations through a continuously modified seed value. In another, decryption reassembles chunks while applying position-dependent XOR keys derived from global encryption parameters.

The tool detects decryption routines by matching instruction patterns around Go’s runtime_slicebytetostring function. It handles garble’s stack manipulation and control-flow redirections by emulating from each subroutine prologue to the runtime_slicebytetostring call. Decrypted strings are reinjected into the binary using optimized assembly stubs that replace the original decryption logic; this in-place patching strategy reuses garble’s own stack allocations to store the plaintext strings, so no section modifications are needed.

Security teams can deploy GoStringUngarbler alongside existing EDR solutions to improve detection rates for garble-obfuscated malware. The tool’s release marks a critical advancement in countering the growing abuse of Go’s compilation ecosystem for offensive operations.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
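As an added illustration (not code from garble or GoStringUngarbler), the following Go model shows the "simple" transformation described above: a same-length random key applied byte by byte with one operator at compile time, and the matching inverse walk a runtime decryption stub performs before handing the bytes to runtime_slicebytetostring. The operator set {XOR, ADD, SUB} and all function names are assumptions of this model.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// Operator is the byte-wise op picked per literal; the set {XOR, ADD, SUB} is assumed.
type Operator int
const (
	OpXor Operator = iota
	OpAdd
	OpSub
)

// transform walks input and same-length key byte by byte, applying op or undoing it.
func transform(in, key []byte, op Operator, inverse bool) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		switch {
		case op == OpXor: // XOR is its own inverse
			out[i] = b ^ key[i]
		case (op == OpAdd) != inverse: // ADD forward, or SUB being undone
			out[i] = b + key[i]
		default: // SUB forward, or ADD being undone
			out[i] = b - key[i]
		}
	}
	return out
}

// encodeSimple models the compile-time side: a fresh random key as long as the literal.
func encodeSimple(plain []byte, op Operator) (enc, key []byte, err error) {
	key = make([]byte, len(plain))
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	return transform(plain, key, op, false), key, nil
}

// decodeSimple models the runtime stub: inverse op over the same key, feeding runtime_slicebytetostring.
func decodeSimple(enc, key []byte, op Operator) []byte {
	return transform(enc, key, op, true)
}

func main() { // constructed sample literal; a real binary embeds enc and key as data
	enc, key, err := encodeSimple([]byte("constructed sample literal"), OpSub)
	fmt.Printf("%q (key error: %v)\n", decodeSimple(enc, key, OpSub), err)
}
```

The decode loop is the shape an analyst looks for in the binary: a fixed-length walk over two byte arrays with a single arithmetic operator, immediately followed by the string conversion call.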
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 07:10:13 +0000