Here is the bad news:

  • The use of Google’s Golang (also called Go) programming language lets attackers cross-compile malware for multiple platforms, making attacks on Linux easier to engineer.
  • The new WellMess malware strain runs on both Windows and Linux, giving a remote attacker the ability to execute arbitrary commands, upload and download files, or run PowerShell scripts to automate tasks.

Google’s Golang—which supports cross compiling to run on multiple operating systems—is now being utilized by attackers to target Windows and Linux workstations.

According to a report by JPCERT, the WellMess malware can operate on WinPE (Windows Preinstallation Environment) and on Linux via ELF (Executable and Linkable Format). The malware gives a remote attacker the ability to execute arbitrary commands, upload and download files, or run PowerShell scripts to automate tasks. Commands are transferred to the infected device via RC6-encrypted HTTP POST requests, and the results of executed commands are transmitted back to the C&C server via cookies.

While WellMess is far from the first malware to run on Linux systems, the perception that Linux distributions are too small a target to interest malware developers should no longer be treated as the prevailing wisdom: cross-compilation with Golang lowers the effort for attackers who want to target Linux desktop users. As with Windows and macOS, users of Linux on the desktop should install some type of antivirus software to protect against malware such as WellMess.

Behaviour of WellMess

Generally, Golang executables bundle the libraries they need into a single binary. This increases the file size, which is why WellMess is larger than 3 MB. Another characteristic is that function names can be recovered from the executable itself. (Even for stripped files, function names can be retrieved with tools such as GoUtils2.0 [2].) Below are the function names used in WellMess:


As mentioned earlier, WellMess has a version that runs on Windows (PE) and another on Linux (ELF). Although there are some minor differences, they both have the same functionality.

The malware communicates with a C&C server using HTTP requests and performs functions based on the received commands. Below is an example of the communication: (User-Agent value varies per sample.)

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html, */*
Accept-Language: en-US,en;q=0.8
Cookie: c22UekXD=J41lrM+S01+KX29R+As21Sur+%3asRnW+3Eo+nIHjv+o6A7qGw+XQr%3aq+PJ9jaI+KQ7G.+FT2wr+wzQ3vd+3IJXC+lays+k27xd.+di%3abd+mHMAi+mYNZv+Mrp+S%2cV21.+ESollsY+6suRD+%2cx8O1m+%3azc+GYdrw.+FbWQWr+5pO8;1rf4EnE9=+WMyn8+8ogDA+WxR5R.+sFMwDnV+DFninOi+XaP+p4iY+82U.+hZb+QB6+kMBvT9R
Content-Length: 426
Expect: 100-continue
Accept-Encoding: deflate
Connection: Keep-Alive

pgY4C8 8JHqk RjrCa R9MS 3vc4Uk KKaRxH R8vg Tfj B3P,C 0RG9lFw DqF405. i3RU1 0lW 2BqdSn K3L Y7hEc. tzto yKU8 p1,E L2kKg pQcE1. b8V6S0Y 6akx, ggMcrXk 0csao Uwxn. fYVtWD rwt:BJ 5IBn rCMxZoo OsC. :ZXg pKT Re0 cJST1 L0GsC. 9dJZON9 qs29pPB pCTR:8 0hO0FK sK13UUw. jMA hDICL hGK1 qjRj1AY YMjAIeI. g7GEZPh gW:C eNX6 ptq kevfIyP. u,96r7c D:6ZiR fCC IIi cBvq,p. Vt96aEu JFLeu 0XtFJm ee4S 7M2. Uc68sF MArC5v 96ngG 9UvQGt 5:ut. qiE0xQ

Results of command execution are sent in the HTTP POST request body, which is RSA-encrypted. The data in the Cookie header is RC6-encrypted. Below is an example of decrypted data. It contains an identifier for the infected host (the value between the <;head;> tags).


Below is part of the code that decodes the data in the Cookie header. (The script is available on GitHub.)

import base64
try:
    from urllib.parse import unquote   # Python 3
except ImportError:
    from urllib import unquote         # Python 2, as used by the original script

# generateKey() and rc6() are defined elsewhere in the JPCERT script: the
# first expands the RC6 key schedule, the second decrypts one 16-byte block.

def decode(data, key):
    sep = ';'

    field = data.split(sep)

    # Collect the value part of each name=value cookie field
    # (the first ';'-separated element is skipped, as in the original script).
    i = 1
    encdata = ""
    while i < len(field):
        value = field[i].split("=")
        encdata += value[1]
        i += 1   # advance to the next field

    # Undo the URL encoding and the character substitution that disguises the
    # base64 ciphertext: ',' -> '+', ':' -> '/', three spaces -> '=', '. ' is filler
    encdata = unquote(encdata)
    encdata = encdata.replace("+", " ").replace("   ", "=").replace(". ", "").replace(" ", "").replace(",", "+").replace(":", "/")

    maindata = base64.b64decode(encdata)
    s = generateKey(base64.b64decode(key))   # RC6 key schedule from the base64 key

    # Decrypt the ciphertext one 16-byte RC6 block at a time
    i = 0
    plaintext = ""
    while i < len(maindata):
        orgi = rc6(maindata[i:i + 16], s)
        plaintext += orgi
        i += 16

    print("Decrypted String: %s" % plaintext)
    return plaintext
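The following is an added example, not code from the page or from JPCERT's script: it applies the same character un-substitution to the Cookie header of the request shown above and checks whether the result is valid base64 whose length is a whole number of 16-byte RC6 blocks, a triage heuristic a defender can run over proxy logs without knowing the RC6 key. The cookie value is copied from the page's sample; the helper names are assumptions.

```python
import base64
from urllib.parse import unquote

# Cookie header value copied from the request on the page, split over
# several literals only for readability.
SAMPLE_COOKIE = (
    "c22UekXD=J41lrM+S01+KX29R+As21Sur+%3asRnW+3Eo+nIHjv+o6A7qGw+XQr%3aq"
    "+PJ9jaI+KQ7G.+FT2wr+wzQ3vd+3IJXC+lays+k27xd.+di%3abd+mHMAi+mYNZv+Mrp"
    "+S%2cV21.+ESollsY+6suRD+%2cx8O1m+%3azc+GYdrw.+FbWQWr+5pO8;"
    "1rf4EnE9=+WMyn8+8ogDA+WxR5R.+sFMwDnV+DFninOi+XaP+p4iY+82U.+hZb+QB6+kMBvT9R"
)

RC6_BLOCK = 16  # RC6 block size in bytes


def unmask(value):
    """Reverse the substitution WellMess applies to the base64 ciphertext
    before placing it in a cookie (same steps as the page's script)."""
    text = unquote(value)              # %3a -> ':', %2c -> ','
    text = text.replace("+", " ")      # '+' is the word separator
    text = text.replace("   ", "=")    # three separators encode a base64 '='
    text = text.replace(". ", "")      # sentence-like dots are filler
    text = text.replace(" ", "")
    return text.replace(",", "+").replace(":", "/")


def cookie_ciphertext(cookie_header):
    """Concatenate the unmasked values of every name=value field and return
    the raw RC6 ciphertext. b64decode raises binascii.Error (a ValueError)
    when the cookie is not WellMess-style base64."""
    chunks = []
    for field in cookie_header.split(";"):
        name, sep, value = field.strip().partition("=")
        if not sep:
            raise ValueError("malformed cookie field: %r" % field)
        chunks.append(unmask(value))
    return base64.b64decode("".join(chunks), validate=True)


def looks_like_wellmess(cookie_header):
    """Triage heuristic (hypothetical name): the cookie decodes cleanly and
    the ciphertext is a non-empty whole number of RC6 blocks."""
    try:
        data = cookie_ciphertext(cookie_header)
    except ValueError:
        return False
    return len(data) > 0 and len(data) % RC6_BLOCK == 0


if __name__ == "__main__":
    ct = cookie_ciphertext(SAMPLE_COOKIE)
    print("ciphertext: %d bytes, %d RC6 blocks" % (len(ct), len(ct) // RC6_BLOCK))
```

For the page's sample both cookie fields together yield 144 bytes of ciphertext, exactly nine RC6 blocks; an ordinary session cookie fails the base64 check and is not flagged.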

The malware may perform the following functions when receiving commands from a C&C server.

  • Execute arbitrary shell command
  • Upload/Download files

In addition, the PE (Windows) version can execute PowerShell scripts.

WellMess Developed in .Net Framework

There is also a version that was developed in .Net Framework. Figure 1 shows the code that generates data contained in the Cookie header upon communicating with a C&C server. It contains the same string as in the Cookie data in the Golang version.

Figure 1: Code to generate data contained in the Cookie

We have no clue why the actors prepared two different versions; however, it seems that they choose a sample depending on the attack target.

In closing

We have confirmed some cases where WellMess infection was found in Japanese organisations. Attacks using the malware may continue.

We have listed some hash values of the samples in Appendix A. Some of the C&C servers that we have confirmed are also listed in Appendix B. Please make sure that none of your devices are accessing such hosts.

JPCERT has created a tool (available here) to decrypt the content of those cookies and identify what is being transmitted to the C&C server.

Appendix A: SHA-256 Hash value
  • 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193 (Golang&ELF)
  • bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d (Golang&PE)
  • 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41 (.Net&PE)
Appendix B: C&C server



via Bad guys use Google’s Golang to cross-compile multi-platform malware
