Ransomware PoC implementation built in Golang.
- Encrypts files using 256-bit AES-CTR with a random initialization vector per file.
- Encryption (and decryption) runs in parallel if enough logical cores are available. The list of files is split into chunks and each chunk is encrypted (or decrypted) in its own goroutine.
- The AES key is encrypted with a 2048-bit RSA-OAEP public key and sent to a web server via a form POST request, or stored on the 'target' machine if the connection fails or no web server is defined.
- `-g`: Generates an RSA key pair and saves it to disk.
- `-kill`: Starts the encryption process: crawls the user directories and encrypts (and deletes) all files.
- `-d`: Starts the decryption process. The decrypted AES key must be in the same directory as the GoLancer binary. Decrypts the files, then removes the encrypted files.
- `-a`: Decrypts the AES key using the RSA private key.
If the 'attacker' has a web server set up that accepts form POST requests, GoLancer will send a form POST request (`application/x-www-form-urlencoded`) to a defined web address containing the fields `hostname` and `key`. Any test web server will work; you could even use netcat (`nc -lvnp 80`). The 'attacker' can also use something like webhook.site to accept these requests (although security controls may block this site).
Otherwise, the encrypted AES key will be stored on the target machine.
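From the defender's side, the exchange above has a recognisable shape: a form-urlencoded POST whose body carries `hostname` and `key`, where `key` is a 2048-bit RSA-OAEP ciphertext (256 bytes). The following is an added detection example, not part of GoLancer, that classifies captured request bodies; it assumes the key is sent as base64 or hex text, which the README does not state.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// A 2048-bit RSA-OAEP wrapping of the AES key is exactly 256 bytes of ciphertext.
const rsaWrappedLen = 256

// looksLikeWrappedKey reports whether s decodes to 256 bytes as base64 or hex
// (the text encoding is an assumption; the README only says the key is written as text).
func looksLikeWrappedKey(s string) bool {
	if b, err := base64.StdEncoding.DecodeString(s); err == nil && len(b) == rsaWrappedLen {
		return true
	}
	b, err := hex.DecodeString(s)
	return err == nil && len(b) == rsaWrappedLen
}

// classifyPost inspects one captured request and returns an alert reason when it
// has the GoLancer exfiltration shape (form-urlencoded, fields hostname and key), else "".
func classifyPost(contentType, body string) string {
	if !strings.HasPrefix(contentType, "application/x-www-form-urlencoded") {
		return ""
	}
	form, err := url.ParseQuery(body)
	if err != nil {
		return ""
	}
	host, key := form.Get("hostname"), form.Get("key")
	if host == "" || key == "" {
		return ""
	}
	if looksLikeWrappedKey(key) {
		return fmt.Sprintf("hostname=%q with a 256-byte wrapped key: likely GoLancer key exfiltration", host)
	}
	return fmt.Sprintf("hostname=%q with key field (%d chars): review", host, len(key))
}

func main() {
	// Constructed sample body: 256 zero bytes stand in for the RSA-wrapped key.
	fake := base64.StdEncoding.EncodeToString(make([]byte, rsaWrappedLen))
	fmt.Println(classifyPost("application/x-www-form-urlencoded", "hostname=WS-042&key="+url.QueryEscape(fake)))
	fmt.Println(classifyPost("application/x-www-form-urlencoded", "user=alice&password=hunter2") == "") // true
}
```

The field names alone are weak evidence, so the length check on `key` is what separates this from an ordinary login form; a proxy or IDS rule would pair it with the destination being a newly seen host.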
On the 'attacker' machine:
1. Build the binary for the attacker's OS and architecture: `go build github.com/WesEfird/GoLancer`
2. Generate the RSA key pair (this will create the files `private.pem` and `public.pem`): `./GoLancer -g`
3. Save the private key somewhere safe.
4. Edit the `addr` var in `main.go` to the domain or IP address of your web server (or use something like webhook.site to accept POST requests).
5. Build the binary for the target's OS and architecture: `env GOOS=target-OS GOARCH=target-architecture go build github.com/WesEfird/GoLancer`
   - https://www.digitalocean.com/community/tutorials/how-to-build-go-executables-for-multiple-platforms-on-ubuntu-16-04
6. Deliver the binary and `public.pem` to the target machine.
7. Wait for the binary to be executed on the target machine (see below).
8. Once the encryption has completed, a POST request will be made to the web address defined in step 4.
9. If the connection fails or no web server is defined, the key will be stored on the target machine as `golancer-e.key`.
10. Grab the AES key from the POST request made to your web server, or from the target machine if no web server was defined (or the connection failed).
11. Copy the key to a file named `golancer-e.key` (make sure the file is written with ANSI encoding).
12. Decrypt the AES key: `./GoLancer -a` (make sure the file is in the same directory as the GoLancer binary).
13. This will create the file `golancer.key`, which contains the decrypted AES key.
14. Now the 'attacker' has the key that will allow the 'target' to decrypt their file system.
15. Deliver the decrypted AES key to the 'target'.
On the 'target' machine:
1. Once the GoLancer binary and the generated RSA public key have been delivered to the 'target', start the encryption process: `./GoLancer -kill`
2. This will generate a list of all files in the 'target' machine's home directories.
3. The AES key will be encrypted using the RSA public key and sent to the defined web server via POST request.
4. The encryption process will start, and all files (except for GoLancer files) in the 'target' machine's home directories will be encrypted using 256-bit AES-CTR.
5. Have the decrypted AES key delivered to the 'target' machine.
6. Move the AES key file `golancer.key` to the directory where the GoLancer binary is located.
7. Decrypt the file system: `./GoLancer -d`
8. The file system will be decrypted, and all encrypted artifacts will be removed.
Build from source:
```
git clone https://github.com/WesEfird/GoLancer.git
cd GoLancer
go build github.com/WesEfird/GoLancer
```
TODO:
- Clean the AES key from memory after encryption has completed
- Stop being lazy about error handling
- Generate a ransom note (or even a cool webpage??)
- Remove all traces of GoLancer once decryption has taken place
- Implement data exfiltration
The purpose of GoLancer is to allow the study of malware and to give security researchers access to a live malware implementation; this implementation is to be used as a tool for educational purposes and for the development of defensive rules, tactics, and techniques. This program is intended to be used only in environments that the user owns and controls, or in environments where the user has explicit permission to run offensive security tools. The user must adhere to all laws in their jurisdiction and must conduct themselves ethically when using this tool.
This tool may cause irreversible changes to your system(s); be extremely careful when running it.