Recon 2022

Beyond AlphaGolang: Automated hunting based on reversing Go binaries
06-04, 11:30–12:00 (US/Eastern), Grand Salon

Reverse engineering Golang was considered a nightmare. Over time, our understanding of Go has evolved and it turns out that with the right tooling, Go may be one of the easiest languages to reverse engineer. We released AlphaGolang as a way to tackle reversing Go binaries, recovering as much information as possible and surfacing user generated code. Where do we go from here? How about using the understanding we can glean from Go malware to automate hunting and clustering?


We released a project called AlphaGolang – a series of IDAPython scripts to automatically reconstruct IDBs and recover as much information as possible from Go malware. This talk will first showcase was AlphaGolang can do for reverse engineers, then we'll take it a step further by introducing new forms of hunting based on the information that AlphaGolang programmatically derives. That includes automated generation of code similarity rules that avoid Go's abundance of boilerplate code, auto-generating YARA rules with no false-positives (based on relinking of strings to user-generated functions), and profiling for development environments to find malware created by the same developer (with their chosen development environment).

While people may think that reversing Go sucks, in reality it may be one of the most rewarding languages to reverse engineer and we are going to showcase its unique advantages.

See also: Video (743.3 MB)

Juan Andrés is a Principal Threat Researcher at SentinelOne and an Adjunct Professor of Strategic Studies at Johns Hopkins School of Advanced International Studies (SAIS). Juan Andrés was Chronicle Security’s Research Tsar, founding researcher of the Uppercase team. Prior to joining Chronicle, he was Principal Security Researcher at Kaspersky’s GReAT team focusing on targeted attacks and worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. His joint work on Moonlight Maze is now featured in the International Spy Museum’s permanent exhibit in Washington, DC.