Full Report
Key Takeaways:
- Go language (Golang) is increasing in popularity with developers of both legitimate and malicious tooling.
- Volexity frequently encounters malware samples written in Golang that apply obfuscators to hinder analysis.
- Obfuscated Golang malware samples are significantly harder to statically analyze for reverse engineers.
- Volexity has developed an open-source tool, GoResolver, to retrieve obfuscated function names.
- GoResolver's control-flow graph similarity techniques offer a significant advantage in recovering symbol information.

In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, has raised the need for better tooling to assist in reverse-engineering efforts. […]

The post GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically appeared first on Volexity.
Analysis Summary
# Tool/Technique: GoResolver
## Overview
GoResolver is an open-source tool developed by Volexity designed to assist malware analysts in reverse-engineering binaries written in Go (Golang), particularly those that have been obfuscated using tools like Garble. It retrieves obfuscated function names by leveraging control-flow graph (CFG) similarity techniques in conjunction with symbol extraction.
## Technical Details
- Type: Tool (Symbol Recovery Framework)
- Platform: Go binaries (Target platforms implied: Windows, Linux, macOS based on typical Go binary deployment)
- Capabilities: Symbol name recovery for obfuscated Go binaries, CFG similarity computation, IDA Pro and Ghidra integration via plugins.
- First Seen: Information not explicitly provided, but the article detailing its release is dated April 1, 2025.
## MITRE ATT&CK Mapping
GoResolver is an analysis aid rather than an adversary capability, so it does not correspond to an ATT&CK adversary technique. The summary instead maps it to the analysis phase of a digital forensic investigation:
- T8000 - Analysis
- T8001 - Analyze Capabilities of Malware
(Note: These are analysis-phase labels, not MITRE ATT&CK Enterprise technique IDs, which take the form T1xxx. The malware GoResolver is applied to maps to ATT&CK TTPs; the tool itself does not.)
## Functionality
### Core Capabilities
- **Symbol Extraction:** Extracts function names and type information from the Go runtime structures (`ModuleData` and `PcLineTab`), in the same way the Go runtime itself resolves them.
- **CFG Similarity:** Implements a technique to compute a normalized similarity score (0.0 to 1.0) between the Control-Flow Graphs (CFGs) of functions in the obfuscated binary and those of clean, symbolized templates.
- **Symbol Resolution:** Uses the CFG similarity scores to infer which known function an obfuscated function most likely implements, and resolves its randomized symbol name back to the original.
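The scoring and resolution steps above, as an added example that is not GoResolver's own code: a toy normalized CFG similarity based on Weisfeiler-Lehman label refinement (an assumption, not necessarily the algorithm GoResolver implements), applied to constructed CFGs given as `{block_id: [successor_ids]}` where every successor is itself a key. The template names and graph shapes are made up for illustration.

```python
from collections import Counter
from itertools import chain

Cfg = dict[str, list[str]]  # block id -> successor block ids (all successors are keys)

def wl_labels(cfg: Cfg, rounds: int = 3) -> Counter:
    """Multiset of structural labels after Weisfeiler-Lehman refinement.
    The seed label is out-degree/in-degree, so block and symbol names play
    no role: Garble can rename a function but not change its branch shape."""
    indeg = Counter(chain.from_iterable(cfg.values()))
    labels = {b: f"{len(s)}/{indeg[b]}" for b, s in cfg.items()}
    seen = Counter(labels.values())
    for _ in range(rounds):
        labels = {b: labels[b] + "(" + ",".join(sorted(labels[s] for s in succ)) + ")"
                  for b, succ in cfg.items()}
        seen.update(labels.values())
    return seen

def cfg_similarity(a: Cfg, b: Cfg) -> float:
    """Normalized score in [0.0, 1.0]; 1.0 means the refined label multisets
    are identical, i.e. the two functions have the same control-flow shape."""
    la, lb = wl_labels(a), wl_labels(b)
    total = sum(la.values()) + sum(lb.values())
    return 0.0 if total == 0 else 2 * sum((la & lb).values()) / total

def resolve(obfuscated: Cfg, templates: dict[str, Cfg], threshold: float = 0.8):
    """Return (template name, score) for the best-matching clean template, or
    (None, score) when no template clears the threshold (avoids false renames)."""
    name, score = max(((n, cfg_similarity(obfuscated, t)) for n, t in templates.items()),
                      key=lambda p: p[1])
    return (name if score >= threshold else None, score)

# Constructed sample data (shapes are made up, not the real functions' CFGs):
# a clean template with an if/else followed by a loop, a trivial straight-line
# helper, and the first template after Garble-style renaming of its blocks.
TEMPLATES = {
    "os/exec.Command": {"entry": ["cond"], "cond": ["then", "else"], "then": ["join"],
                        "else": ["join"], "join": ["loop"], "loop": ["body", "exit"],
                        "body": ["loop"], "exit": []},
    "main.helper": {"e": ["x"], "x": ["y"], "y": []},
}
RENAMED = {"b0": ["b1"], "b1": ["b2", "b3"], "b2": ["b4"], "b3": ["b4"], "b4": ["b5"],
           "b5": ["b6", "b7"], "b6": ["b5"], "b7": []}

if __name__ == "__main__":
    print(resolve(RENAMED, TEMPLATES))  # ('os/exec.Command', 1.0)
```

The threshold matters in practice: a low-scoring best match is more likely a structurally similar but unrelated function than the original, so below the threshold the name is left unresolved.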
### Advanced Features
- **Garble Deobfuscation Aid:** Specifically effective against binaries obfuscated with Garble, exploiting the property that randomized names must be consistent across functions within the same package (e.g., identifying `os/exec` package usage).
- **Toolchain Integration:** The GoResolver toolchain comprises four projects, three of which are named here: `GoResolver` (main tool), `GoGrapher` (CFG similarity computation), and `GoStrap` (integration helpers).
- **IDE Plugins:** Provides plugins for analysis integration directly within IDA Pro and Ghidra ("Analyze the current file" or "Import a previous report" modes).
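The package-consistency property described under Garble Deobfuscation Aid, as an added example that is not GoResolver's own code: once a few functions with a shared obfuscated package prefix are matched to clean symbols by CFG similarity, the clean package is propagated to their siblings, and disagreeing votes are flagged as probable false matches. The symbol format `path/pkg.Name`, the obfuscated prefixes and the scores are constructed assumptions.

```python
from collections import defaultdict

def split_symbol(sym: str) -> tuple[str, str]:
    """Split 'path/pkg.Name' into ('path/pkg', 'Name'). The package ends at the
    first '.' after the last '/', so 'os/exec.(*Cmd).Start' keeps its receiver."""
    dot = sym.find(".", sym.rfind("/") + 1)
    return (sym[:dot], sym[dot + 1:]) if dot != -1 else ("", sym)

def propagate(symbols, matches, min_score: float = 0.8):
    """symbols: every function symbol in the obfuscated binary.
    matches: obfuscated symbol -> (clean symbol, CFG similarity score).
    Returns (renames, conflicts). Confident matches vote for the clean package
    behind each obfuscated package prefix; that package is then applied to
    every sibling, even ones CFG matching could not resolve on its own."""
    votes = defaultdict(lambda: defaultdict(float))  # obf pkg -> clean pkg -> score
    for obf, (clean, score) in matches.items():
        if score >= min_score:
            votes[split_symbol(obf)[0]][split_symbol(clean)[0]] += score
    pkg_map, conflicts = {}, []
    for obf_pkg, cands in votes.items():
        pkg_map[obf_pkg] = max(cands, key=cands.get)
        if len(cands) > 1:  # one prefix maps to one package, so a split vote is a false match
            conflicts.append(f"{obf_pkg} -> {dict(cands)}")
    renames = {}
    for sym in symbols:
        obf_pkg, obf_name = split_symbol(sym)
        if sym in matches and matches[sym][1] >= min_score:
            renames[sym] = matches[sym][0]
        elif obf_pkg in pkg_map:  # package recovered, function name still randomized
            renames[sym] = f"{pkg_map[obf_pkg]}.{obf_name}"
    return renames, conflicts

# Constructed sample: obfuscated prefixes, clean targets and scores are made up.
SYMBOLS = ["Xq3f.aB12", "Xq3f.Cd9", "Xq3f.Ef0", "Hk2.Zz", "main.main"]
MATCHES = {
    "Xq3f.aB12": ("os/exec.Command", 0.97),
    "Xq3f.Cd9": ("os/exec.(*Cmd).Start", 0.91),
    "Xq3f.Ef0": ("net/http.Get", 0.55),  # weak match: ignored for voting
    "Hk2.Zz": ("net.Dial", 0.88),
}

if __name__ == "__main__":
    renames, conflicts = propagate(SYMBOLS, MATCHES)
    for sym, new in renames.items():
        print(f"{sym:12} -> {new}")
```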
## Indicators of Compromise
Indicators are not provided as GoResolver is an analysis tool, but the context mentions:
- **Obfuscation Tool:** Garble.
- **Behavioral Indicators:** Analysis-side indicators rather than host indicators: large Golang binaries with embedded libraries, and obfuscation that hinders symbol recovery during static analysis.
## Associated Threat Actors
- Threat actors who use Golang for developing malware and employ obfuscators such as Garble to hinder reverse engineering efforts. Specific named groups are not associated with GoResolver itself but with the malware it analyzes.
## Detection Methods
Detection methods are not explicitly listed for GoResolver, as it is a defensive/analysis utility. Detection efforts should focus on signatures for the malware the tool is designed to analyze.
## Mitigation Strategies
Mitigation involves improving the robustness of Go malware analysis environments:
- **Adoption of Advanced Analysis Tools:** Utilizing tools like GoResolver to overcome obfuscation and dependency challenges inherent in Golang malware.
- **Focus on Behavioral Analysis:** If static analysis fails due to obfuscation, prioritize dynamic analysis and behavior monitoring.
- **Monitoring for Obfuscator Artifacts:** Developing heuristics to detect artifacts left by known Go obfuscators like Garble, such as highly reused but randomized package name strings.
## Related Tools/Techniques
- **GoReSym (Mandiant):** A related tool that extracts symbol information by bypassing the symbol table and accessing Go's internal runtime structures. GoResolver builds upon knowledge demonstrated by tools like this.
- **Garble:** The open-source Go obfuscation tool whose output motivated GoResolver and serves as its test material.
- **Control-Flow Graph Similarity:** The core analytical technique underpinning GoResolver's advanced symbol recovery capability.