From time to time, new tools emerge that make it significantly easier to examine older malware. In 2017, Symantec’s threat intelligence team published research regarding the Dragonfly group, an adversary with an apparent interest in performing reconnaissance against energy sector companies. One of the reported malware families, “Backdoor.Goodor,” is written in Golang and the blog post states that it “provides the attackers with remote access to the victim’s machine.”
In recent years, several free options have become available to help reverse engineer these types of Golang binaries, replacing premium (but extremely well documented) methods and making this type of analysis considerably more accessible.
This post walks through the reverse engineering of a Goodor file, examining its capabilities and discussing key principles of analyzing this type of file.